After Phishing, Treat the Situation as a Legal Incident
- First, stop access: email, CRM, online banking, website, accounting portals, cloud folders.
- Preserve evidence before cleanup: emails, links, IPs, logs, messages, login history, payment traces.
- Quickly identify the affected data: clients, employees, IDNP, addresses, contracts, payroll or banking data.
- Decide separately whether individuals, CNPDCP, the bank, the IT provider or the police need to be informed.
Phishing is not only an IT problem. If attackers accessed a client database, personnel files, website forms or accounting email, personal data protection becomes an issue. In Moldova, a data controller must ensure confidentiality and apply technical and organizational security measures appropriate to the processing risk.
Stop Access Before Engaging With Attackers
In the first hours, the goal is to limit damage. Do not spend time messaging attackers, do not pay for "unlocking", and do not delete emails. Appoint one person to coordinate the incident and divide tasks between IT, management, accounting and legal.
Minimum steps:
- disable compromised accounts and force password changes;
- enable two-factor authentication, and re-enrol it where it already existed: an attacker who held the account may have registered their own phone or authenticator app as a second factor;
- check email forwarding, new inbox and filtering rules, unknown devices and active sessions, and revoke the sessions explicitly: a password change alone does not always end a login that is already open;
- temporarily restrict access to CRM, website, payment portals and cloud folders;
- warn employees not to open further messages from the same chain;
- if banking or payment data is affected, contact the bank through an official channel.
If access is managed by an external provider, request written confirmation of what was blocked, which logs were preserved, which accounts were checked and when the last suspicious login occurred.
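The checks in the list above (forwarding, new rules, unknown sessions) are the ones an attacker with a foothold in accounting email most often leaves behind: a rule that forwards invoice traffic outside the company, a rule that hides or deletes bank and security-alert mail, and a session opened from an unfamiliar address. The script below is an added example, not code from this page or from Colenco Legal. It runs the audit over a constructed export of inbox rules and sessions; the field names are this example's own, not any mail provider's schema, and the company domain, the suspected compromise time, the known office IP and the keyword and folder lists are assumptions to adapt to the real environment.

```python
from datetime import datetime

COMPANY_DOMAIN = "example.md"                    # assumption: the company's own mail domain
SUSPECTED_COMPROMISE = "2026-06-14T00:00:00Z"    # assumption: earliest suspicious login in the logs
KNOWN_IPS = {"203.0.113.7"}                      # assumption: office/VPN egress (RFC 5737 documentation range)

# Subjects an attacker typically filters so the victim never sees bank, invoice or security-alert mail
FINANCE_KEYWORDS = ("invoice", "payment", "bank", "iban", "factura", "plata")
SECURITY_KEYWORDS = ("password", "security alert", "sign-in", "login")
# Folders attackers commonly park hidden mail in; a rule moving finance mail there is a red flag
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Archive", "Deleted Items"}

# Constructed sample export, not real data; field names are this example's own
INBOX_RULES = [
    {"name": "Sort newsletters", "enabled": True, "created": "2026-05-02T09:00:00Z",
     "forward_to": [], "move_to_folder": "Newsletters", "delete": False,
     "subject_contains": ["newsletter"]},
    {"name": ".", "enabled": True, "created": "2026-06-14T03:12:00Z",
     "forward_to": ["acct-backup@mail-relay.example.net"], "move_to_folder": "RSS Subscriptions",
     "delete": False, "subject_contains": ["invoice", "payment", "IBAN"]},
    {"name": "Cleanup", "enabled": True, "created": "2026-06-14T03:15:00Z",
     "forward_to": [], "move_to_folder": None, "delete": True,
     "subject_contains": ["password", "security alert"]},
]
SESSIONS = [
    {"id": "s-101", "user": "contabil@example.md", "ip": "203.0.113.7",
     "client": "Outlook desktop", "created": "2026-06-10T07:55:00Z"},
    {"id": "s-102", "user": "contabil@example.md", "ip": "198.51.100.44",
     "client": "Browser", "created": "2026-06-14T03:05:00Z"},
    {"id": "s-103", "user": "contabil@example.md", "ip": "203.0.113.7",
     "client": "Mobile app", "created": "2026-06-14T08:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_external(address: str, company_domain: str = COMPANY_DOMAIN) -> bool:
    return address.lower().rsplit("@", 1)[-1] != company_domain.lower()


def audit_rules(rules, suspected_compromise=SUSPECTED_COMPROMISE):
    """Return [{'rule': name, 'reasons': [...]}] for every enabled rule that shows a BEC pattern."""
    since = parse_ts(suspected_compromise)
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        reasons = []
        external = [a for a in rule["forward_to"] if is_external(a)]
        if external:
            reasons.append("forwards mail outside the company: " + ", ".join(external))
        subjects = [s.lower() for s in rule["subject_contains"]]
        hides = rule["delete"] or rule["move_to_folder"] in HIDING_FOLDERS
        if hides and any(s in FINANCE_KEYWORDS for s in subjects):
            reasons.append("hides or deletes finance-related mail")
        if rule["delete"] and any(s in SECURITY_KEYWORDS for s in subjects):
            reasons.append("deletes password/security alert mail")
        if parse_ts(rule["created"]) >= since:
            reasons.append("created after the suspected compromise")
        if reasons:
            findings.append({"rule": rule["name"], "reasons": reasons})
    return findings


def sessions_to_revoke(sessions, suspected_compromise=SUSPECTED_COMPROMISE, known_ips=KNOWN_IPS):
    """Sessions to revoke explicitly: a password change alone does not always end an open login."""
    since = parse_ts(suspected_compromise)
    revoke = []
    for s in sessions:
        reasons = []
        if s["ip"] not in known_ips:
            reasons.append(f"unknown source IP {s['ip']}")
        if parse_ts(s["created"]) >= since:
            reasons.append("created after the suspected compromise; re-authenticate with fresh MFA")
        if reasons:
            revoke.append({"id": s["id"], "user": s["user"], "reasons": reasons})
    return revoke


if __name__ == "__main__":
    for f in audit_rules(INBOX_RULES):
        print(f"RULE {f['rule']!r}: " + "; ".join(f["reasons"]))
    for s in sessions_to_revoke(SESSIONS):
        print(f"REVOKE {s['id']} ({s['user']}): " + "; ".join(s["reasons"]))
```

Two design points: a rule is reported even when it only forwards internally but was created after the compromise, because creation time is the cheapest signal and the attacker's rule names are often a single character or blank; and a session from a known office address is still listed for revocation if it was opened after the compromise, since re-authenticating costs the user a minute and the alternative is guessing.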
Identify Which Data May Have Left the Company
Not every phishing attempt means the whole database has leaked. But the company must quickly understand which categories of data may have been viewed, copied, changed or sent to third parties.
Check separately:
- client data: name, phone, email, delivery address, order history, complaints;
- employee data: employment contracts, IDNP, address, sick leave documents, payroll files;
- candidate data: CVs, contacts, documents, interview notes;
- counterparty data: contracts, bank details, powers of attorney, contact persons;
- payment information: invoices, IBAN, banking emails, payment instructions.
The more the data can identify a person or cause harm, the higher the legal risk. A leaked mailing list and leaked copies of identity documents are different situations. The latter can enable credit, banking or fraud schemes against specific individuals.
Evidence Is Needed Before System Cleanup
The instinctive reaction is to delete everything suspicious. That is a mistake. For the bank, police, CNPDCP, provider and a possible court, the timeline matters: how the attacker entered, what they saw, what they did and who inside the company made decisions.
Create an incident file:
- the original phishing email or message, saved as the original file with its full technical headers where available (a screenshot shows the text but not the sending server or the real link targets);
- links, domains, phone numbers, messenger accounts;
- screenshots of logins, warnings, forwarding rules and account changes;
- access logs for email, CRM, website, admin panels and cloud services;
- a list of people who had access to the affected systems;
- internal decisions: who blocked access, notified the bank or contacted the provider, and when.
A good incident file does not need to be long. A table with date, time, event, evidence and responsible person is enough. The point is to avoid reconstructing everything from memory a week later.
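For the first item of the incident file, the original message, most of what the bank, the police or the regulator will later ask for is already in the headers: the sending servers, the real sender and reply address, the authentication results and the link targets. The script below is an added example, not code from this page or from Colenco Legal. It reads a constructed phishing email (the addresses use reserved example domains and RFC 5737 documentation IPs), hashes the untouched original for the evidence record, extracts those identifiers, flags the usual mismatches, and produces one row of the date/time/event/evidence/responsible table described above. The file name `phishing.eml` and the event wording are this example's own.

```python
import hashlib
import json
import re
from email import message_from_bytes, policy
from urllib.parse import urlparse

# Constructed sample phishing message (not a real email). Save the real one as an .eml/.msg file,
# never as a screenshot, and hash it before anyone opens or forwards it.
RAW_EMAIL = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.23])
 by mx.example.md with ESMTP id abc123
 for <contabil@example.md>; Mon, 15 Jun 2026 08:41:12 +0300
Received: from [192.0.2.77] (unknown [192.0.2.77])
 by mail-relay.example.net with ESMTPA id xyz789;
 Mon, 15 Jun 2026 08:40:58 +0300
Authentication-Results: mx.example.md; spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=partner-bank.example
From: "Partner Bank" <notify@partner-bank.example>
Reply-To: accounts@partner-bank-secure.example.net
To: contabil@example.md
Subject: Updated IBAN for invoice 2026-118
Date: Mon, 15 Jun 2026 08:40:55 +0300
Message-ID: <20260615084055.1234@mail-relay.example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Dear colleague,

Please confirm the new account at https://partner-bank-secure.example.net/login?ref=118
before the next payment. Questions: +373 000 00 000.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def sha256_of(raw: bytes) -> str:
    """Hash of the untouched original; recorded in the incident file so the copy is provable later."""
    return hashlib.sha256(raw).hexdigest()


def extract_evidence(raw: bytes) -> dict:
    """Pull the identifiers the incident file needs from a raw phishing email and flag mismatches."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    reply_to = [a.addr_spec for a in msg["Reply-To"].addresses] if msg["Reply-To"] else []
    received = [str(h) for h in msg.get_all("Received", [])]
    # Each hop prepends its Received header, so the list runs from the last hop to the first
    origin_ips = list(dict.fromkeys(ip for h in received for ip in IP_RE.findall(h)))
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = URL_RE.findall(body)
    url_hosts = list(dict.fromkeys((urlparse(u).hostname or "").lower() for u in urls))

    flags = []
    if any(a.rsplit("@", 1)[-1].lower() != from_domain for a in reply_to):
        flags.append("reply-to domain differs from From domain")
    for mech, result in auth.items():
        if result != "pass":
            flags.append(f"{mech}={result}")
    if any(not h.endswith(from_domain) for h in url_hosts):
        flags.append("link host differs from sender domain")

    return {
        "sha256": sha256_of(raw),
        "message_id": str(msg["Message-ID"]),
        "subject": str(msg["Subject"]),
        "from_display": sender.display_name,
        "from_address": sender.addr_spec,
        "reply_to": reply_to,
        "return_path": str(msg.get("Return-Path", "")),
        "received": received,
        "origin_ips": origin_ips,
        "auth": auth,
        "urls": urls,
        "url_hosts": url_hosts,
        "flags": flags,
        "received_at": msg["Date"].datetime,
    }


def incident_row(evidence: dict, event: str, responsible: str) -> dict:
    """One line of the incident file: date, time, event, evidence, responsible person."""
    when = evidence["received_at"]
    return {
        "date": when.date().isoformat(),
        "time": when.strftime("%H:%M %z"),
        "event": event,
        "evidence": (f"phishing.eml sha256={evidence['sha256']}; msgid={evidence['message_id']}; "
                     "flags: " + "; ".join(evidence["flags"])),
        "responsible": responsible,
    }


if __name__ == "__main__":
    ev = extract_evidence(RAW_EMAIL)
    print(json.dumps({k: v for k, v in ev.items() if k != "received_at"}, indent=2))
    print(incident_row(ev, "Phishing email received by accounting", "IT lead"))
```

The hash is computed over the bytes exactly as received; if the message is later exported again from a mailbox, the client may re-encode it and the hash will differ, which is why the first saved copy, not a later export, is the one to keep with the file. The flags are indicators for the timeline, not proof: a failed SPF or DMARC result can also come from a misconfigured legitimate sender, so the row records what was observed and leaves the conclusion to the people named in it.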
Should Clients, Employees or CNPDCP Be Informed?
There is no universal answer: "always notify" or "stay silent". The decision depends on the affected data, the risk to individuals and whether the company can confirm that data was not copied or disclosed.
As of 17 June 2026, CNPDCP lists Law 133/2011 as the current basic personal data law. Law 195/2024 is listed as entering into force 24 months after publication in the Official Monitor on 23 August 2024, meaning 23 August 2026. Until then, GDPR-style breach notification formulas should not be mechanically applied to Moldova without checking the applicable regime.
In practice, the company should do three things:
- assess the risk to individuals: fraud, credit, pressure, discrimination, access to accounts;
- document the decision: whom to inform, why, with what text and through which channel;
- if notification is needed, write clearly: what happened, which data is affected, what the company has done and what the person should do.
Do not send a panic message saying "all data leaked" if that is not confirmed. But do not hide an incident when people really need to change passwords, check bank operations or be alert to follow-up scam calls.
Mistakes That Make the Incident More Expensive
The most expensive mistake is treating phishing as a minor technical issue. After the first access, a second wave often follows: fraudsters write to clients in the company's name, change bank details in invoices, request documents or try to access personal accounts.
Avoid these actions:
- deleting emails, logs and accounts without copies of evidence;
- publicly blaming an IT provider before technical verification;
- sending overly broad or contradictory client notices;
- continuing to work from compromised email;
- keeping old passwords for former employees or external contractors;
- failing to check whether invoice templates or bank details were changed.
After stabilization, run a short review: which accesses were unnecessary, where two-factor authentication was missing, who could export data, and which provider contracts fail to cover security and liability.
Conclusion
After phishing, a company in Moldova should act quickly but in order: stop access, preserve evidence, identify affected data and make a legally sound decision on communications. Colenco Legal can help assess the incident risk, prepare messages for clients or employees, requests to providers and the position for the regulator or bank.
Read also: personal data in Moldova and online fraud in Moldova.