Case Study

FTI Technology Provides Personal Information Assessment, Investigation and Notifications Following Data Incident at a Global Corporation

A global corporation headquartered in Europe experienced a data incident with potential exposure of sensitive and personal information. With multiple global regulators on alert for privacy breaches, FTI Technology helped the client assess large volumes of data to quickly understand the extent of the data exposure and support the notification process.

Situation

The client became aware of an incident involving a former employee that resulted in sensitive and personal information within the company’s systems being transferred to a personal online storage location outside of the approved IT enterprise. At the time the client discovered what had happened, multiple years’ worth of information had been transmitted to the unauthorized storage location.

Pre-existing crisis response plans were triggered and the organisation’s crisis management team was assembled to conduct a full assessment of the situation. Due to the highly sensitive nature of the information involved, the organization proactively notified multiple local and global regulators while they assessed if the incident qualified as a reportable data breach under applicable requirements. This resulted in a series of urgent and detailed questions from authorities seeking to analyse the severity of the breach from the outset of the matter.

Additionally, contractual obligations with the organisation’s clients prompted issuance of numerous proactive notifications to end clients, spurring further questioning even before the incident had been fully assessed. Many of the organisation’s end clients sought to obtain copies of everything that had been exposed, adding an additional element to the matter, in which custom bundles of information were needed for each end client, with any internal conversations filtered out and personal information fully redacted.

Adding to the complexity was that a large portion of the data involved was encrypted, further complicating whether that disqualified it as exposed, or whether decryption information had also been transferred to the external storage account.

Our Role

FTI Technology was engaged to preserve evidence of the incident, contain and remediate data exposure and assess the quantity and nature of personal information that had been exposed. The expert team delivered the following solutions:

Quickly established and managed a highly flexible managed review team of qualified lawyers who could scale up and contract in resources each day to meet the changing circumstances of the review.
Searched relevant email accounts and company backups to establish a fulsome review set.
Conducted rapid review of the impacted data to determine the extent of sensitive and personal information contained within it. This included narrowing the dataset to a subset of only personal information, so that the client would be prepared to issue specific notifications to impacted individuals and end clients as needed.
Developed a bespoke decryption workflow to create large password dictionaries from the exposed data content and use that password dictionary to attempt password cracking of encrypted items within the exposed data set.
Created tailored notification bundles unique to the requirements of multiple stakeholders and regulators within tight timeframes to meet contractual obligations.
Helped the client defensibly confirm that the incident did not qualify as a reportable data breach.
Delivered detailed reports to demonstrate the completeness and defensibility of the workflow, which the client could produce as needed to regulators and end clients.

Our Impact

Alleviated the concerns of regulators and end clients with timely and factual updates, reducing the risk of downstream disputes and secondary investigations.

Helped the client defensibly confirm that the incident did not qualify as a reportable data breach.

Delivered detailed reports to demonstrate the completeness and defensibility of the workflow, which the client could produce as needed to regulators and end clients.