Donegal Youth Service

Data Breach Frequently Asked Questions

Donegal Youth Service has been notified by our IT service providers, Evide, that they had been
subject to a cyber security incident.  Donegal Youth Service data has been accessed by a
third party. The matter is being investigated by law enforcement agencies, including the
Gardai. We have also notified the Data Protection Commission.
We know that the personal information of people who have used our service has been
accessed.  However, we have been informed that the data that has been possibly accessed
is not structured in a way that would make finding information about any individual easy
and that it is important to note that they have no evidence of further misuse of any clients’
data.

What happened?

On 29 March 2023, Evide became aware of an incident whereby unusual traffic was detected on its
network. Evide’s clients informed us that there was a message on our database that the server could
not be found. Initial investigations found that our databases had been deleted. Upon discovery of
the suspicious activity, the affected servers and systems were immediately taken offline. We have
been informed by the cyber-security specialists that in the course of the cyber security incident an
unauthorised third party gained access to our IT systems. The unauthorised party has since made
direct contact with us and provided some evidence that it has exfiltrated our clients’ data. Whilst we
cannot guarantee that all client data has been exfiltrated at this stage, we are operating on the
assumption that all of our clients’ data has been exfiltrated from our systems.

Evide immediately engaged the services of experienced cyber-security specialists to contain the
issue, assist with its recovery efforts, and conduct a thorough investigation. Evide’s cyber-security
specialists helped to restore its systems securely and mitigate the impact as far as possible.

Evide has provided notifications to its relevant stakeholders and clients and also notified the
relevant authorities, including the Police Service of Northern Ireland who notified An Garda
Síochána. The incident is now subject to a criminal investigation.

With the help of external cyber-security specialists, Evide has been monitoring for any evidence of
references to the incident emerging on the part of the internet that is not accessed through normal
search engines, which is commonly known as the dark web. Evide is not aware that any personal
data has been posted on the dark web.

When was the incident discovered?

Evide became aware of IT disruption on 29 March 2023. Upon discovery, Evide immediately
engaged the services of experienced cyber-security specialists to contain the issue, assist with its
recovery efforts and conduct a thorough investigation, which is still underway.

What data has been affected?

The unauthorised party has made direct contact with us and provided some evidence that it has
exfiltrated our clients’ data. Whilst we cannot guarantee that all client data has been exfiltrated at
this stage, we are operating on the assumption that all of our clients’ data has been exfiltrated from
our systems.

What kind of information was exposed in this event?

Whilst we cannot guarantee that all client data has been exfiltrated at this stage, we are operating
on the assumption that all of our clients’ data has been exfiltrated from our systems. Our clients are
charities and non-profit organisations and the categories of data will vary on a client by client basis.

The data is patchy in nature rather than comprising all of the data held relating to any one person.
The data in question was not structured in a way that would make finding specific information about
an individual easy, and it’s important to note that we have no evidence of further misuse of our
clients’ data.

Is this a ransomware attack?

No the data was not encrypted from our systems. In this case, the unauthorised third party gained
access to our systems and stole our database and then deleted it from our servers. The unauthorised
third party have requested a ransom payment from us in relation to the stolen data.

Would you consider paying the ransom amount?

No. We have carefully considered the impact of the data being published and determined that we
would be supporting a criminal organisation.

Why does Evide hold this type of information?

Evide help charities and non-profits manage their data and measure their impact. The charities and
non-profits use this data to monitor & evaluate their projects and report to funders.

How did the cyber criminals access the systems?

Our investigation has not conclusively identified this. We are conducting a thorough investigation
and are working extremely hard to identify how the threat actors gained access to our systems.

Why has it taken so long to notify me?

Despite the best efforts of a team of external experts, investigating a cyber-security incident is
exceedingly complex and takes significant time. As is standard practice in these situations, Evide
have waited until it has a fuller understanding of the incident before communicating with those who
may be affected. Evide has also, at all times, kept the Police Service of Northern Ireland/An Garda
Síochána updated with the approach it is taking.

Are the systems now secure?

Evide has installed sophisticated software to monitor the system and confirm that nothing of concern
has been detected to date.

Based on the above steps Evide’s and its forensic IT investigators have confirmed that, while
absolute guarantees can never be given, they are as sure as they can be that the systems are now
secure.

Who and what has been affected by the incident?

Evide have notified all clients who may be affected by the incident. The data in question was not
structured in a way that would make finding specific information about an individual easy, and it’s
important to note that we have no evidence of further misuse of our clients’ data.

The incident also does not relate to all data held relating to an individual. However, because some
personal data relating to DYS has been exfiltrated from our system, Evide have notified
us of this matter.

There has been no material disruption to Evide’s supply of services to any clients.

Who else has been notified? Have you told the police?

Evide has informed the Police Service of Northern Ireland who notified An Garda Síochána, the
National Crime Agency and other Law Enforcement agencies within the UK.

What other actions are they taking?

Evide’s team responded promptly and effectively to the situation and have been working around the
clock to address the issue and minimise disruption.

Evide have been in touch with the relevant authorities and immediately engaged specialist external
industry experts to assist with its investigation and efforts to restore its systems.
We are pleased to say that, whilst absolute guarantees can never be given, Evide’s systems have
been fully and safely restored and Evide is fully operational again.
Lessons learned from the incident will be reviewed to identify any improvements which should be
implemented to prevent recurrence of the incident.

Should I be worried about my clients’ personal details?

Whilst we cannot say for certain, we are operating on the basis that all of our data has been
taken.
However, there is no evidence of any further misuse of our data but it is possible that some
personal data relating to you could become visible to third parties.
While in no way wishing to downplay the incident, the context of the incident is relevant. The third
party was seeking to extort money from Evide. As part of this they exfiltrated some data. The data
which has been exfiltrated is of little monetary value to the third party.
The data exfiltrated is not structured in a way that would make finding information about any
individual easy. In all likelihood, a search would be needed to find the data set and then a search
within the dataset to find relevant information.

Is there any further action I need to take to protect my data?

You may choose to take the following steps in relation to your data:

• Be aware of suspicious emails and texts from unknown or untrusted senders, and never send money
to someone you don’t know via email or text.
• Do not open any attachments or click on links from unknown senders.
• Double check the email addresses from senders that present themselves as a bank or other
recognised institution. Look out for a sender’s email address that is similar to, but not the same
as their bank or card supplier’s. If in doubt, delete the email.
• Regularly review your bank account statements for any suspicious activity, and immediately alert
your bank if you notice anything that looks unusual.

• Remove your name from direct marketing lists and contact your telephone service provider in
relation to amending your directory listing in the National Directory Database (NDD) in order to
reduce the number of marketing offers you receive.
• Further helpful advice on protecting yourself from fraud can be found on an Garda Síochána’s
website (https://www.garda.ie/en/crime/fraud/).

Has any data been taken?

Whilst we cannot say for certain, we are operating on the basis that all of our data has been
taken.
However, there is no evidence of any further misuse of data. It is possible that some personal data
relating to you could become visible to third parties. We are monitoring this through external
experts.
While in no way wishing to downplay the incident the context of the incident is relevant. The third
party was seeking to extort money from Evide. As part of this they exfiltrated some data. The data
copied is of little monetary value to the third party other than to hold to ransom.
The data exfiltrated is not structured in a way that would make finding information about any
individual easy. In all likelihood a search would be needed to find the data set and then a search
within the dataset to find relevant information.

If you have any concerns or questions, please call Donegal Youth Service 074 9129630 to
speak to a member of staff.