An interesting twist regarding GDPR
Employee gets sued after she falls for £200K CEO Fraud Scam
I thought you would find this an interesting and educational story relating to cybersecurity. Apologies if this is of no interest to you.
This is quite a historic case because, if the company wins, we could see many more court cases against employees for clicking on links they shouldn't, which then harm their organisation.
What happened?
A woman is being sued for sending approximately £200K of her employer's money to an online fraudster. Patricia Reilly, an employee of the UK-based Peebles Media Group, fell for a CEO fraud scam in which the criminals sent her emails pretending to be her boss (Mrs Bremner), who was on holiday at the time.
The lawsuit alleges that Mrs Reilly ignored a warning from their bank about this type of fraud and made the payment of £193,250 to the fraudsters. The case is being heard at the highest civil court in Edinburgh.
The issue came to light a few days later when a colleague logged onto the firm's online bank account and noticed a fraud warning.
Company lawyers accuse Mrs Reilly of being negligent
The bank refunded the firm £85,268.28, and Peebles is suing the former employee for the remaining sum of £107,984. Mrs Reilly was fired from the firm for her actions.
They have described her actions as "careless and in breach of the duties - including the duty to exercise reasonable care in the course of the performance of her duties as an employee which she owed to her employer."
Peebles has claimed that she should have realized the emails were suspicious.
The fraudsters appeared to have some knowledge of Peebles Media's operations, sending Reilly emails impersonating Bremner during a week in which both the managing director and Reilly's line manager were on holiday. BEC scammers are known to study their targets intensively, including compromising email accounts to monitor communications between employees, suppliers, and partners.
She did not receive any training on how to spot online fraud
Mrs Reilly's legal team said that she did not receive any training on how to spot online fraud and has called for the case to be dismissed.
This would also be a breach of GDPR, which requires companies to provide cyber awareness training for their staff, so Peebles could find itself in more hot water with the ICO.