P2019-ND-012

Institute for Supply Management

On or about January 25, 2018, an unauthorized sender caused ?phishing? emails to be sent to email addresses contained in an employee?s email contacts list, which was contained on or accessed by a mobile computing device used by that employee for exchanging emails with certain customers of the Organization. The phishing emails contained links to an apparently fake ?Docusign? website, the purpose of which was to trick recipients into clicking on a link that would have requested the recipient provide information or otherwise comply with a fraudulent request for information or transfers of funds. The Organization said it is not aware of any indication that the senders of the phishing emails tried or were able to gain access to the Organization?s computer networks or obtain the actual contents of the Organization?s customers? emails. Although the Organization said it does not have direct evidence that senders of the phishing emails caused a breach and obtained personal information, out of an abundance of caution, the Organization notified its customers because it said it could not rule out this risk at this time based on the information it currently has.

File Type: pdf
Categories: 2019
Tags: Unauthorized disclosure