Wellcome Trust lost sensitive data to two phishing attacks in 2018
19 December 2018
Wellcome Trust, the UK’s largest charity organisation with an investment portfolio exceeding £25 billion, suffered two successful phishing attacks this year that resulted in the unauthorised access to systems by hackers and the loss of commercially sensitive data.
In its annual report for the year 2017-18, Wellcome Trust revealed that in 2018, there were two successful phishing attacks that prompted management within Finance and Investments to carry out a detailed review of existing controls to measure their effectiveness against phishing attacks.
Phishing attacks targeted senior management staff
Even though the phishing attacks in question compromised commercially sensitive data and gave hackers unauthorised access to systems and data, the management opined that existing controls were sufficient to address all significant fraud risk of theft of assets or financial misstatement as the two attacks did not result in any financial loss.
One of the two phishing attacks was particularly severe as it involved fraudsters tricking four senior management employees into revealing their passwords, following which the fraudsters gained access to their devices and stole commercially-sensitive data.
“As referred to within the Risk Management section on page 41 and Audit and Risk Committee report on page 48 of the Annual Report, during the year, the Group was exposed to a cyber breach as a result of a targeted phishing attack on senior management personnel that resulted in unauthorised access to systems and sensitive information.
“Following the identification of the breach, the Group investigated the potential exposure and took remedial actions including reporting the matter to the Information Commission Officer, the Charities Commission and the police. We identified a risk and a key audit matter that the Group could be exposed to financial loss as a result of external
parties having access to information and systems,” the Trust said.
Following the discovery of the phishing attacks, the Trust included a key audit matter that would relate to data breach arising from targeted phishing attacks. This would ensure that the firm’s resilience against such attacks would be continually reviewed and monitored.
“As per the Audit and Risk Committee report, management is taking a number of mitigating actions with respect to this and other kinds of cyber threats: awareness and education for all employees, putting in place a managed security service provider to provide 24-hour event collection, monitoring and escalation services, and a gap analysis of the current security measures and capabilities, which may highlight opportunities for improvement.
“D&T is developing a future technology roadmap that will articulate the technology and required external service providers to ensure appropriate digital provision and resilience for its evolving business needs. It is also continuing the phased transition of its team to ensure that it will have the required skills, knowledge and competencies,” the Trust added.
Charities not prepared to prevent phishing attacks
Wellcome Trust’s announcement of the two successful phishing attacks comes not long after Save the Children Foundation, a well-known U.S.-based charity organisation, suffered a loss of around £800,000 after a hacker gained access to an emplooyee’s mail account and created false invoices and fake documents to convince the foundation to release funds for the procurement of solar panels for health centres in Pakistan.
In January this year, the government’s Cyber Security Breaches Survey revealed that 62 percent of businesses and 56 percent of charities in the UK were unaware about GDPR even though the legislation was only a few months away.
To make things even worse, just over a quarter of businesses and charities had actually taken steps to prepare themselves for the upcoming legislation. Among those who made changes, just under half of businesses, and just over one third of charities made changes to their cyber security practices.