A breach notification by Meridian Community College demonstrates once again why entities should make a determined effort not to leave emails containing personally identifiable information, whether in the message body or in attachments, sitting in employee accounts.
In this case, the types of personal information involved included name, Social Security number, driver’s license number, passport number, date of birth, username or email address with password, and medical treatment or health insurance information. Not all data types were involved for every individual.
Consider this chronology, based on their notification:
Late January — MCC becomes aware of a phishing incident that resulted in the compromise of certain user credentials, commences an investigation, and engages a third-party forensics firm.
April 12, 2019 — Investigators cannot rule out unauthorized access to certain employee email accounts, so MCC begins manually reviewing every email and attachment in the compromised accounts to determine whose personal information they contain.
June 25, 2019 — Manual review concludes; MCC begins trying to track down contact information for those who need to be notified.
September 5 — MCC issues a press release.
That is a lot of time, personnel and money spent on an incident in which there is no clear evidence of what, if anything, was actually accessed. Suppose there had been fewer emails in those accounts because old messages were routinely purged? How much time and money could MCC have saved?
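The manual review in the April-to-June step above, and the question of how much a smaller mailbox would have saved, can be made concrete. The following is an added example, not MCC's or its forensics firm's tooling: it scans an mbox export for a few PII patterns (Social Security number, date of birth, credential) in message bodies and text attachments, flags binary attachments that still need a human, and counts how much of the mailbox a retention policy would have left for review at the time of the incident. The PII patterns, the sample export, the incident date of 25 January 2019 and the 90-day retention window are all assumptions for illustration.

```python
"""Scope a compromised mailbox for PII and estimate what a retention policy
would have purged before the incident. Added example; not MCC's tooling."""
import mailbox
import re
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email import message_from_binary_file, policy
from email.utils import parsedate_to_datetime

# Detection patterns are assumptions for the example; a real review follows
# the organisation's own data-classification rules and PII definitions.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "credential": re.compile(r"\bpassword\s*[:=]\s*\S+", re.I),
}
# Assumed incident date: the notice only says "late January".
INCIDENT_DATE = datetime(2019, 1, 25, tzinfo=timezone.utc)


@dataclass
class Finding:
    subject: str
    sent: datetime = None
    pii_types: set = field(default_factory=set)
    unscanned: list = field(default_factory=list)  # binary attachments

    @property
    def needs_review(self) -> bool:
        # Detected PII, or an attachment we could not read (PDF, xlsx,
        # images), means a human still has to look at the message.
        return bool(self.pii_types or self.unscanned)


def scan_text(text: str, found: set) -> None:
    for name, pattern in PII_PATTERNS.items():
        if pattern.search(text):
            found.add(name)


def triage_message(msg) -> Finding:
    """Scan the body and text attachments; flag binary attachments."""
    sent = None
    if msg.get("Date"):
        try:
            sent = parsedate_to_datetime(str(msg["Date"]))
            if sent.tzinfo is None:  # "-0000" style dates come back naive
                sent = sent.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            pass  # unparseable Date: treated as undated below
    finding = Finding(subject=str(msg.get("Subject", "")), sent=sent)
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        scan_text(body.get_content(), finding.pii_types)
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "text":
            scan_text(part.get_content(), finding.pii_types)
        else:
            finding.unscanned.append(part.get_filename() or part.get_content_type())
    return finding


def triage_mailbox(path: str, incident_date: datetime, retention_days: int):
    """Return (stats, findings). 'retained' counts what a retention policy of
    retention_days would have left in the mailbox on incident_date."""
    cutoff = incident_date - timedelta(days=retention_days)
    stats = {"messages": 0, "needs_review": 0, "retained": 0, "retained_needs_review": 0}
    findings = []
    box = mailbox.mbox(path, factory=lambda f: message_from_binary_file(f, policy=policy.default))
    for msg in box:
        f = triage_message(msg)
        findings.append(f)
        # An undated message cannot be shown to predate the cutoff: keep it.
        retained = f.sent is None or f.sent >= cutoff
        stats["messages"] += 1
        stats["needs_review"] += int(f.needs_review)
        stats["retained"] += int(retained)
        stats["retained_needs_review"] += int(retained and f.needs_review)
    return stats, findings


# Constructed sample export (not real MCC data): a recent message with PII in
# the body, an old one with PII in a CSV attachment, and an old one with a
# PDF attachment the scanner cannot read.
SAMPLE_MBOX = b"""From hr@example.edu Tue Jan  8 09:00:00 2019
From: hr@example.edu
Date: Tue, 08 Jan 2019 09:00:00 +0000
Subject: New hire paperwork
Content-Type: text/plain; charset="utf-8"

Jane Roe, SSN 123-45-6789, DOB 04/12/1990. Please set up payroll.

From registrar@example.edu Mon Mar  2 10:00:00 2015
From: registrar@example.edu
Date: Mon, 02 Mar 2015 10:00:00 +0000
Subject: Spring 2015 roster
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Roster attached.
--b1
Content-Type: text/csv; name="roster.csv"
Content-Disposition: attachment; filename="roster.csv"

name,ssn
John Doe,987-65-4321
--b1--

From clinic@example.edu Wed Jun 14 08:30:00 2017
From: clinic@example.edu
Date: Wed, 14 Jun 2017 08:30:00 +0000
Subject: Scanned immunization form
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Scan attached.
--b2
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def write_sample_mbox() -> str:
    with tempfile.NamedTemporaryFile("wb", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
        return fh.name


if __name__ == "__main__":
    stats, findings = triage_mailbox(write_sample_mbox(), INCIDENT_DATE, retention_days=90)
    for f in findings:
        print(f"{f.sent:%Y-%m-%d} {f.subject!r}: pii={sorted(f.pii_types)} unscanned={f.unscanned}")
    print(stats)
```

Run as-is it prints one line per message and the summary counts: on the constructed sample all three messages need review, but only one would have remained under a 90-day policy. The unscanned list is the honest part of the report: PDFs, spreadsheets and images cannot be pattern-scanned without conversion tooling, and every such attachment left in a mailbox is an item a reviewer has to open by hand.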