Background Facts:

• Do Good, Inc. owns and operates a church in West Palm Beach, Florida. The church is called the Do Good Church; and the year is 2023.
• Do Good is in the midst of a multi-year redevelopment project in which it has hired construction contractors to build 3 new state of the art buildings and renovate the organization's existing business office. The Construction Company hired by Do Good is called Delayed Construction. The construction project is managed by Do Good's director of operations, Violet, and her team which includes: an in-house attorney who specializes in contracts, an accountant, named Mary, who manages Do Good's books, and Do Good's head of IT.
• Do Good is governed by a Board of Directors that serves on a volunteer basis and oversees Do Good's business operations and its budget. There are currently 5 people on the Board.
• Do Good has 100 employees and 1,000 regular attendees, with a regular annual budget of $5 million. Do Good has a special budget for the construction project of $12 million per year, with payments of $1 million per month. The construction project is going perfectlythe renovations are lovely and 2 out of 3 of the new buildings are nearly complete, ahead of schedule.

In January 2023:

• At 5 a.m. on January 11, 2023, Do Good's accountant, Mary, received an email from Delayed Construction advising Mary that Delayed has moved its accounts to a new bank and that Delayed had updated wire instructions for receipt of its monthly payments from Do Good. Specifically, the email said "We are changing bankx and hav updated our wire inform. The new wire nomber information is beleaux."
• When Mary checked her email that morning at 8 a.m., she noted the changes to the wire number in Do Good's records and continued with her day. On the last Friday of January, Mary sent Delayed's monthly $1 million payment to the new wire account number and promptly received a receipt for the payment. The receipt stated "Payment Receaved." Mary saved the receipt in her records and left for the weekend.
• A few weeks later, on or about January 31, 2023, the President of Delayed called Violet to check on the status of last month's $1 million payment, as it was very unusual for Do Good to miss a payment, especially given how well the project is going and that Delayed is working ahead of schedule. Violet promised to check on it and immediately sent a text message to Mary, who confirmed she sent the wire on the last Friday of the month to Delayed's new wire number. Violet relayed this message to Delayed's President who confirmed that: (1) Delayed has not changed its bank or wire number and (2) that Delayed had not contacted Mary about any changes to its account the prior month.
• Mary and Violet are crushed by this news and quite concerned. They contact Do Good's IT director who advises them that Do Good may have been hacked.
• Throughout the construction project, Do Good consistently posted online pictures of the progress of the renovations and building erection; and received glowing reviews in local media about its annual $12 million construction budget and state-of-the-art plans for its new facilities.
• A criminal organization based in Europe saw the local press stories and had been tracking Do Good and Mary on Facebook for months.

In May 2023:

• In another turn of bad luck for Do Good, on May 10, 2023, just when the church thought that it had resolved its issues with the payment to Delayed, Do Good's pastor attempted to log into her church laptop and was greeted by the following image:
• She immediately contacted the IT department which, in attempting to log in, was greeted by the same image. To be sure, the image is displayed on every Do Good employee's laptop. They are locked out of their files, including HR and personnel files and the monthly tithing records of church members and guests.
• After clicking on the image, Do Good's head of IT is taken to a screen where he is invited to chat with an unidentified individual who advises him that Do Good's files have been encrypted and it will cost them dearly to have the files unlocked.

Additional Background for the Semester-Long Assignment:

• Do Good's Board of Directors formed a special committee (the "Do Better Committee") to assist the consulting firm initially hired to respond to the January cyber incident.
• The criminal organization responsible for the January and May incidents goes by the name "No Name" and employs hackers and money launderers throughout the world, including in West Palm Beach. One of No Name's employees, John Oh, met Mary at a Do Good church service and the two started casually dating back in 2019. From time to time, Mary left her Do Good laptop in her apartment unattended while John O. was visiting and he accessed her laptop to learn the details of Do Good's construction plans, banking patterns, and the method by which Do Good paid Delayed Construction for its work.
• Leaving her work laptop unlocked and unattended violated Mary's employment contract with Do Good and her duties as an employee of Do Good.
• Do Good has cyber insurance that will pay for it to engage professionals to investigate and attempt to remediate the January and May incidents.

Understanding Cyber Incidents and the Basics of Incident Response. The memo should use a subheading for each of the topics.

1. Based on the fact pattern, identify the nature of the May 10, 2023 incident.
   1. In addition, discuss the history of this type of incident, including when it was founded and details regarding its spread.
   2. How are these types of incidents funded and what makes them profitable for perpetrators?
   3. In responding, share 2 lessons learned from Jordan Rae Kelly.
2. What kind of threat is Mary to Do Good? Explain why you identified her as such, and why you did not select one of the other forms of "threats."
3. What actions by John O. can be identified using the Social Engineering Life Cycle?
4. Because of what you've learned during this course, after the January incident, you explained to Do Good that they MUST assemble an incident response team. When the May incident occurred, you were asked by the pastor to activate the Team.
   1. To do so, you scheduled a meeting What are your directives for the Team?
   2. What are the key elements of the incident response plan that will be employed in response to the May incident?
5. As described above, the team has acted quickly. You now need to make decisions about reporting to law enforcement and the press:
   1. What law enforcement agencies are the best fit for this type of incident?
   2. Analyze Do Good's considerations for reporting to the media that it is now the victim of a 2nd incident in less than 6 months.