AL Goodbody fake covid alert

ALG's Risk Team in action.


A&L Goodbody falsely informed its staff that they had been in close contact with someone with Covid.

A number of people in the leading Irish firm, which employs over 800 people, received an email on Wednesday morning purporting to have been sent by the Health Service Executive, Ireland's NHS, warning them that they were a "close contact of a positive Covid case".

After allowing a decent interval for staff to panic, withdraw their children from school, cancel deliveries and arrange for emergency Covid tests, the firm revealed that it was behind the messages, and that they were false.

In a penitent email sent on Wednesday afternoon and leaked to RollOnFriday, ALG General Counsel Liam Kennedy confessed to staff that "this was a fake email designed as a phishing test" as part of the firm's "information security awareness programme".

Kennedy said the stunt was engineered by the firm's Risk Team, and conceded, "It was a clear error of judgement to have used Covid as a way of carrying out a phishing test and realise [sic] it will have caused unnecessary distress and concern".

"On behalf of the Risk Team, I apologise sincerely", he added, inviting anyone upset that their own firm punked them about a deadly disease to "feel free to contact me directly if you have any questions or if you'd like to voice any concerns". Which no doubt quite a few have. 


GC's not happy.


The firm did not respond to requests for comment.

Comments

Anon 01 April 21 09:15

Never heard of this firm before but when covid can be life or death - imagine if you are living with a relative who is shielding or if you are vulnerable yourself - this was beyond crass especially as it was sent during the working day - what about the impact on client work?    It shows appalling judgment and a total lack of pastoral care at this time of crisis and one wonders what other poor decisions this team is making in other areas if this is its level of analysis and risk assessment.  Hopefully it’s just a one off and at least there was an apology - albeit one that was on behalf of the team generally rather than coming direct from the GC on his own part which it should have been given he must be responsible for it rather than suggesting the whole team was culpable.  

Anon 01 April 21 09:20

Is this also a potential offence to be impersonating a public authority like this???  Did they clear the email with the HSE?  

Bob 01 April 21 11:58

> Did they clear the email with the HSE?  

Of course they didn’t. If we had to clear our phishing training/emulation emails with the companies that we're pretending to be, no one would be able to do them.

It is a funny story and a lesson to InfoSec/IT teams but it is not one for the “I think you will find that this is in breach of regulation 76.9.1a subsection b” geeks to foam at the mouth at.

Ger 02 April 21 01:04

Bob, there's nothing funny about this. It was so ill judged given the current climate of hyper anxiety re this dreadful pandemic. What if a staff member had visited their parents the weekend before or had recently lost someone through covid? Or staff with kids. There are a multitude of other subject matters they could have 'tested' their staff with. It's beyond repulsive. And what will be the end result of all this? Probably a pay rise to the IT boss in his ivory tower and a training course for staff. Disgusting

Anonymous 02 April 21 11:35

Just me or is this actually a clever tactic from the IT department as this is exactly the tactic a scammer might use in a phishing attempt?

Anon 03 April 21 07:42

It is - that is obviously the point.  The criticism is that it caused real distress to people (whether you clicked on the email and the fake link or not) for the reasons above.  Many other options could have been used to test a response - like EVERY other firm that does similar testing but doesn’t manage to make a total hash of it like this.  

Je Suis Monty Don l’Autobus 04 April 21 07:32

Good phishing test. Demonstrates to the staff one of the key points about phishing emails - they will try to break through your normal scepticism and defences by choosing an emotive, hot button issue. Bet the moaning came mainly from people who fell for it.

Anon 04 April 21 11:58

Je suis - you’re missing the point which is that staff wellbeing comes ahead of a covid phishing test when an alternative scam could have been used without the need to upset and scare staff at such a time.  

AbsurdinessBrown 07 April 21 12:29

800 people had close contact with a COVID carrier?

Unless it was the tea lady that was an all too obvious stretch.

 
