Recently, Prothena Corporation, PLC confirmed that certain sensitive consumer information was exposed after an unauthorized party gained access to an employee's email account. As a result of the Prothena data breach, names, addresses, and Social Security or tax identification numbers were compromised. On June 2, 2022, Prothena Corp. filed official notice of the breach and sent out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Prothena Corp. data breach, please see our recent piece on the topic here.
What We Know About the Prothena Corp. Data Breach
The information surrounding the Prothena data breach comes primarily from the company’s filings with various state governments, as required by state data breach laws. Evidently, Prothena recently learned that an unauthorized party was able to access an employee email account. After this discovery, the company secured the affected email account and engaged the assistance of a cybersecurity forensic firm to investigate the incident. This investigation determined that the unauthorized third party accessed the compromised employee email account between December 20, 2021 and April 22, 2022—a span of more than four months.
Based on Prothena’s investigation, the company believes that the unauthorized party was attempting to gather information to commit wire fraud against the company. Those attempts were unsuccessful. However, the files accessible to the unauthorized party also contained sensitive consumer data.
Upon learning that sensitive consumer data was accessible to an unauthorized party, Prothena Corp. then reviewed the affected files to determine exactly what information was compromised. On May 24, 2022, Prothena determined that, while the breached information varies depending on the individual, it may include individuals’ names, addresses, and Social Security or tax identification numbers.
On June 2, 2022, Prothena Corp. sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Prothena Corporation
Prothena Corporation is a pharmaceutical company based in Dublin, Leinster, Ireland. Prothena is a late-stage neuroscience company focused on discovering and developing novel therapies for rare peripheral amyloid and neurodegenerative diseases. Currently, Prothena has at least nine therapies in various stages of development. Prothena Corp. employs more than 82 people and generates approximately $199 million in annual sales.
How Does an Employee Email Account Become Compromised?
While Prothena provided ample information about the recent data security incident resulting in the leaked consumer data, one element of the breach the company did not elaborate on is how the unauthorized party gained access to the employee’s email account. Email-based cyber attacks are becoming more common, and there are several ways in which hackers can gain access to an employee's email account.
According to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing. Phishing describes a type of cyberattack in which a malicious actor sends a seemingly legitimate email, usually to multiple employees within the same organization. For example, a common theme in phishing emails is that the sender requests the user log in to change their password or confirm their identity. By sending the email, the hacker hopes to “trick” the employee into either providing them with their login credentials or downloading malware onto their device. From there, the hacker has broad access to everything on the victim’s device and, depending on the network’s setup, potentially much more.
Brute Force Attacks
A brute force attack is when hackers plug previously stolen username-password combinations into software that tries the combinations on a large number of sites across the web. For example, if your password to one website is leaked, hackers can put your username-password combination into a database. Then, hackers use specially built programs to try the combinations on other sites, such as banks and lending companies. Brute force attacks are why it is so important to change the passwords for all your online accounts after any password or personal information is compromised.
Hackers also have access to databases containing the most commonly used passwords. Again, hackers have special programs that automatically attempt many combinations of usernames and passwords in hopes of getting the correct combination. These attacks are especially alarming because it is possible for hackers to access an account with little to no knowledge of the account holder.
Of course, all organizations in possession of sensitive information can—and should—implement data security systems that prevent these types of attacks. For example, many systems will lock a user out if they guess the incorrect password more than two times. Companies that choose not to spend the resources on a robust data security system put the consumer data in their possession at unnecessary risk of exposure.
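The lockout rule described above, shown next to a per-source check and run over constructed login events; this is an added example, not part of the original article. Reusing leaked username-password pairs across many accounts is commonly called credential stuffing, and because it tries each account only once or twice, a per-account lockout never trips, so the example also counts distinct accounts failing from one source. The thresholds, the time window and the event format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 2                # lock after more than two wrong guesses (the article's example)
DISTINCT_USER_THRESHOLD = 4     # assumed: failed accounts per source before flagging
WINDOW = timedelta(minutes=10)  # assumed sliding window

# Constructed sample events: (ISO timestamp, source IP, username, success)
EVENTS = [
    ("2022-01-05T09:00:00", "198.51.100.7", "alice", False),
    ("2022-01-05T09:00:20", "198.51.100.7", "alice", False),
    ("2022-01-05T09:00:40", "198.51.100.7", "alice", False),
    ("2022-01-05T09:05:00", "203.0.113.9", "bob", False),
    ("2022-01-05T09:05:02", "203.0.113.9", "carol", False),
    ("2022-01-05T09:05:04", "203.0.113.9", "dave", False),
    ("2022-01-05T09:05:06", "203.0.113.9", "erin", False),
    ("2022-01-05T09:05:08", "203.0.113.9", "frank", True),
    ("2022-01-05T09:30:00", "192.0.2.44", "grace", False),
    ("2022-01-05T09:30:30", "192.0.2.44", "grace", True),
]

def locked_accounts(events):
    """Accounts with more than MAX_FAILURES consecutive failed logins."""
    streak, locked = defaultdict(int), set()
    for _, _, user, ok in events:
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] > MAX_FAILURES:
            locked.add(user)
    return locked

def stuffing_sources(events):
    """Sources whose failures span many distinct accounts inside WINDOW."""
    recent, flagged = defaultdict(list), set()
    for ts, ip, user, ok in events:
        if ok:
            continue
        now = datetime.fromisoformat(ts)
        recent[ip] = [(t, u) for t, u in recent[ip] if now - t <= WINDOW]
        recent[ip].append((now, user))
        if len({u for _, u in recent[ip]}) >= DISTINCT_USER_THRESHOLD:
            flagged.add(ip)
    return flagged

def hits_from_flagged(events, flagged):
    """Accounts with a successful login from a flagged source: reset these."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})

if __name__ == "__main__":
    print(locked_accounts(EVENTS), stuffing_sources(EVENTS))
```

In the sample, the lockout rule catches only the repeated guesses against one account, while the per-source count is what surfaces the spread of single attempts and the one login that succeeded among them.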