Liquor store chain’s breach of data law exposed in hack

22/03/2021 | 28 Comments
Cayman News Service
[Image: Jacques Scott branch in Savannah]

(CNS): The exposure of personal data belonging to around 150 employees of the Jacques Scott Group Ltd (JCG) during a ransomware attack last year has also revealed the company’s own breaches of the Data Protection Law. The Office of the Ombudsman has found that the company failed to take adequate technical and organisational measures to protect the personal data of employees, shareholders and pension account members. Its agreement with its IT provider also failed to incorporate certain mandatory provisions, which constituted a separate violation. The findings resulted in an order from the watchdog and a list of recommendations to be put in place to protect staff data and to prevent further breaches of the law.

According to a redacted enforcement order, the liquor store’s workers learned that the company’s online system had been hacked when they were denied access to the enterprise network and other systems. Jacques Scott notified the ombudsman’s office, which is now responsible for data protection, and the workers impacted; the notification triggered an inquiry by the office. JCG also engaged Deloitte and SigNus Technologies to investigate the breach and undertake mitigating action.

Although it is believed that the ransomware attack did not compromise passwords or financial data, a number of questions could not be answered because critical system logs were not available. Ombudsman Sandy Hermiston did find that the liquor retailer violated two separate parts of the seventh data protection principle of the law.

As a result, a long list of recommendations was made as part of the order, which requires the liquor store chain to ensure that any current and future agreements with its data processors meet the requirements of the law and that the company implement the recommendations made by Deloitte in its security and compromise assessment report. The office also stated that JCG must develop appropriate information security and related policies and procedures to ensure that business operations are conducted in line with its information security governance and information risk profile.

The office directed Jacques Scott to provide cybersecurity awareness training at least annually to improve employees’ ability to identify and prevent phishing and other malicious attacks, to teach them how to respond in the event that they fall victim to an attack, and to cover data handling practices. The ombudsman also ordered that the retailer employ real-time threat detection and prevention and a number of other technical measures and testing, and apply security patches to keep abreast of any potential security weakness.

Hermiston said that this case reflected the challenges that employers must address before a breach occurs.

“This situation is a good representation of the serious data protection concerns now facing both private and public sector organisations in Cayman,” she stated. “Mitigation after the fact is simply not enough. All of these entities must proactively take security precautions with their computerized record-keeping systems – the Data Protection Law makes it their responsibility.”

See the executive summary of the order here.


Category: Business, Politics, Private Sector Oversight, Retail

Comments (28)


  1. Anonymous says:

    No surprise here. Look at how many companies post pictures and info on websites about their employees, often without their consent. A social engineering dream for hackers to get personally identifiable information; the rest is easy.

  2. Bertie : B says:

    That is the final straw for me. Time to close up everything and get out of Cayman. Lord knows the Panama Papers nearly destroyed me; now this major hack? Everyone will know my drinking habits. God help us, all my info for foreign gov. to read!!! My gone.

  3. Anonymous says:

    You get hacked. You know you need to improve your systems. You report the breach. You get told to improve your systems. And pilloried in public. Not even a ‘thanks for trying’. Sounds like the moral of the story is ‘don’t report to the ombudsman’. Seems an own-goal by the ombudsman’s office and clearly they need to be doing a lot more, and more useful, education rather than these scolding attacks on already victimised businesses. Shameful.

    • Anonymous says:

      Spot on. They are headline seekers with little to no interest in actually helping hacked companies. The attitude of all the staff in that office is toxic.

    • Anonymous says:

      Until it is discovered by the real victims, which are not the ones that had shoddy technology and practices. Then you’re just another dishonest business person exploiting your staff and customers, all the while gambling that your cover-up won’t be discovered, as unlikely as that is.

  4. Anonymous says:

    It’s called Avast Free, if you’re too cheap to buy Avast.

    Excellent antivirus/anti-phishing software.

    Will even prevent your users from going to malicious websites before they go to the site.

  5. Anonymous says:

    Why is the website of the elections office not a breach of data protection? Personal data is posted there. Why should someone know my profession and the house number and street where my family lives? The data could simply show the name of the electoral district.

    That is why many refuse to register to vote.

  6. Anonymous says:

    How could this happen in the private sector?

    From the posts I have been reading I was led to believe that something like this could only happen in the Government and that the private sector was perfect.

    I guess the private sector might need some cyber security training from the Government.

    • Anonymous says:

      Do you get paid to post this stuff every time or are you acting busy while not serving the public at one of the millions of government offices? Customs, police clearances, dvl, etc….

  7. Anonymous says:

    So a good reputable company is subjected to a ransomware attack, you know, a crime. And the authorities’ response is to investigate and fine the victim. Yup, makes perfect sense.

    Btw, what did they do to the hackers?

    • Anonymous says:

      If the victim had proper logs and other information for law enforcement to work with, there may have been a chance to identify them.

      The reality is criminals are coming for you. If you want to continue walking down a dark alley and risk your own self that is fine. Keep my information and you better not have it with you when you get mugged.

      • Anonymous says:

        News flash for you. Every computer system linked to the web can be hacked or has been hacked.

        You seem so worried about a small retail company getting hit but bet you randomly post personal shit on social media all day long!

  8. Anonymous says:

    The vast majority of businesses in the Cayman Islands have no clue about data protection (or their obligations under the applicable laws) and most couldn’t secure the simplest of computer systems if their businesses’ short- or long-term viability depended on it. You can’t even talk to the executives in most of the local businesses about data protection, as most don’t have the ability to understand even the basics of what you are saying. You might as well be talking about puppies and kittens.

  9. Anonymous says:

    Price of Bud just went up.

  10. Anonymous says:

    Hey Ombudsman, does the constitution bind the government? Asking for a friend.

  11. Anonymous says:

    “We got the group that allowed the breach and failed to report it, to investigate the breach” seems super logical.

  12. Anonymous says:

    How many million dollars was their fine??

  13. Anonymous says:

    If the Ombudsman could ever get around to doing some high-profile proactive work and get the word out, then these types of breaches could very well be prevented. Education and proactive work are key… sitting around and waiting for things to come to you is the lazy way.

  14. Anonymous says:

    And the fines and penalties are ??????

    Guaranteed a big fat zero.
