We believe that they have suffered an intrusion. This is because a large amount of data
has been found by a third party on a web forum accessed via I2P (Invisible Internet Project).
The third party has reported this to us via anonymous email. The data is reported as
containing a substantial amount of personal and payroll data for many (but not all) external
client companies, which is not compliant with the GDPR. There are also a small number of
detailed occupational health reports on external client employees.
You have been brought in as an external security specialist.