Recently, Prothena Corporation, PLC confirmed that certain sensitive consumer information was exposed after an unauthorized party gained access to an employee’s email account. As a result of the Prothena data breach, names, addresses, and social security or tax ID numbers were compromised. On June 2, 2022, Prothena Corp. filed a formal notice of breach and sent data breach letters to all affected parties.
If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself against fraud or identity theft and what your legal options are following the Prothena Corp. data breach, please see our recent article on the subject here.
What we know about the Prothena Corp. data breach
The information surrounding Prothena’s data breach comes primarily from the company’s filings with various state governments as required by state data breach laws. According to these filings, Prothena recently learned that an unauthorized party had gained access to an employee’s email account. After this discovery, the company secured the affected email account and hired a forensic cybersecurity firm to investigate the incident. This investigation determined that the unauthorized third party accessed the employee’s compromised email account between December 20, 2021 and April 22, 2022, a period of more than four months.
Based on Prothena’s investigation, the company believes that the unauthorized party was attempting to collect information to commit wire fraud against the company. These attempts were unsuccessful. However, the files accessed by the unauthorized party also contained sensitive consumer data.
After learning that sensitive consumer data had been accessed by an unauthorized party, Prothena Corp. examined the affected files to determine exactly what information had been compromised. On May 24, 2022, Prothena determined that while the compromised information varies from individual to individual, it can include individuals’ names, addresses, and social security or tax ID numbers.
On June 2, 2022, Prothena Corp. sent data breach letters to everyone whose information was compromised as a result of the recent data security incident.
More information about Prothena Corporation
Prothena Corporation is a pharmaceutical company based in Dublin, Leinster, Ireland. Prothena is a late-stage neuroscience company focused on the discovery and development of novel therapies for rare peripheral and neurodegenerative amyloid diseases. Currently, Prothena has at least nine therapies in various stages of development. Prothena Corp. employs more than 82 people and generates approximately $199 million in annual sales.
How is an employee email account compromised?
Although Prothena provided extensive information about the recent data security incident that resulted in the leaking of consumer data, one element of the breach that the company did not elaborate on is how the unauthorized party gained access to the employee’s email account. Email cyberattacks are increasingly common, and there are several ways hackers can gain access to an employee’s email account.
According to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing. Phishing describes a type of cyberattack in which a malicious actor sends a seemingly legitimate email, usually to multiple employees of the same organization. For example, a common theme in phishing emails is that the sender asks the user to log in to change their password or confirm their identity. By sending the email, the hacker hopes to “trick” the employee into providing their login credentials or downloading malware onto their device. From there, the hacker has broad access to everything on the victim’s device and, depending on the network configuration, potentially much more.
Brute force attacks
A brute force attack occurs when hackers load previously stolen username-password combinations into software that tries the combinations on a large number of sites on the web. For example, if your password for one website is leaked, hackers can put your username-password combination in a database. Then hackers use specially designed programs to try out the combinations on other sites, such as banks and loan companies. Brute force attacks are why it’s so important to change your password for all of your online accounts after a password or personal information has been compromised.
Old fashioned guesswork
Hackers also have access to databases containing the most commonly used passwords. Again, hackers have special programs that automatically try many username and password combinations in hopes of getting the right combination. These attacks are particularly alarming because it is possible for hackers to gain access to an account with little or no knowledge of the account holder.
Of course, all organizations in possession of sensitive information can (and should) have data security systems in place that prevent these types of attacks. For example, many systems lock out a user if they guess the wrong password more than twice. Companies that choose not to devote resources to a robust data security system unnecessarily expose the consumer data in their possession.
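The lockout rule mentioned above, combined with a check for the reused-credential pattern described under "Brute force attacks", shown as an added Python example that is not from Prothena or the original article. The event format, the sample data and the DISTINCT_USER_LIMIT threshold are assumptions made for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 2          # the article's example: lock after more than two wrong guesses
DISTINCT_USER_LIMIT = 3   # assumed threshold: one source failing on many accounts

# Constructed sample events: (source_ip, username, success)
SAMPLE_EVENTS = [
    ("198.51.100.7", "alice", False),
    ("198.51.100.7", "alice", False),
    ("198.51.100.7", "alice", False),   # third wrong guess -> account locked
    ("198.51.100.7", "alice", True),    # ignored: account is already locked
    ("203.0.113.9", "bob", False),      # one attempt per account, so the
    ("203.0.113.9", "carol", False),    # per-account counter never exceeds 1
    ("203.0.113.9", "dave", False),
    ("203.0.113.9", "erin", False),
    ("192.0.2.44", "frank", False),     # ordinary typo followed by a good login
    ("192.0.2.44", "frank", True),
]

def analyze(events):
    """Return (locked_accounts, suspicious_sources) for a stream of logins."""
    failures = defaultdict(int)          # consecutive failures per account
    failed_users = defaultdict(set)      # distinct accounts failed per source
    locked = set()
    for ip, user, success in events:
        if user in locked:
            continue                     # locked accounts accept no logins
        if success:
            failures[user] = 0           # a good login resets the counter
            continue
        failures[user] += 1
        failed_users[ip].add(user)
        if failures[user] > MAX_FAILURES:
            locked.add(user)
    suspicious = {ip for ip, users in failed_users.items()
                  if len(users) > DISTINCT_USER_LIMIT}
    return locked, suspicious

if __name__ == "__main__":
    locked, suspicious = analyze(SAMPLE_EVENTS)
    print("locked accounts:", sorted(locked))
    print("sources failing on many accounts:", sorted(suspicious))
```

The per-account lockout stops the repeated guesses against one account, but the second source only shows up in the per-source count, because it tries each account once.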