DPC (Ireland) - IN-21-2-5
DPC - IN-21-2-5 | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 19/08/2022 |
Decided: | 20/12/2022 |
Published: | 20/12/2022 |
Fine: | 100,000 EUR |
Parties: | Virtue Integrated Elder Care Ltd |
National Case Number/Name: | IN-21-2-5 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | DPC (in EN) |
Initial Contributor: | PL |
The Irish DPA fined a company, which manages nursing homes, €100,000 following a data breach. The company had failed to implement appropriate technical and organisational security measures, in violation of Articles 5(1)(f) and 32(1) GDPR.
English Summary
Facts
Virtue Integrated Elder Care Ltd ("VIEC"), the controller, operates and manages five nursing homes in Dublin, Ireland. On 15 August 2020, VIEC became aware through a report to their IT helpdesk that one of their "users" was being blocked from sending emails.
The DPC received notification of a personal data breach from VIEC on 19 August 2020. The controller explained that it had discovered that the email address of one of its managers had been subject to a phishing attack and that emails had been rerouted to a third party Gmail account.
According to a report conducted by Ortus, the security provider for VIEC, the most likely root cause of the breach was that the credentials of a user account at one of the nursing homes were captured on a fake website. The link to that fake website was likely received in a phishing email. The original email that delivered the malicious link in question was not identified by the security provider. The email account was thereby accessed by an unauthorised third party, using the captured credentials. This resulted in unauthorised access to stored emails, and allowed the bad actor to set up email forwarding of all inbound emails to a third party email account. This issue had been ongoing since 18 July 2020.
VIEC reported that 213 data subjects had their personal data compromised, and outlined that the categories of personal data disclosed as a result of the breach included special category personal data, such as: names; addresses; email addresses; telephone numbers; PPSNs; employee data (probation reviews and rosters); health data; and biometric data.
Based on the analysis undertaken of the breach notification, and subsequent documentation provided during the breach handling process, the DPC commenced an investigation.
Holding
The DPC's investigation sought to determine whether, in notifying the breach to the Commission, VIEC had complied with the principle of integrity and confidentiality (Article 5(1)(f) GDPR), as well as with its obligations to implement appropriate technical and organisational safeguards in accordance with Article 32(1) GDPR.
In the course of its inquiry, the DPC took into account the steps taken by VIEC to comply with the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR; the technical and organisational measures taken to ensure security of processing pursuant to Article 32(1) GDPR; the ability of the controller to demonstrate ongoing confidentiality, integrity, availability of personal data pursuant to Article 32(1)(b) GDPR; the process employed for regularly testing the effectiveness of measures for ensuring appropriate security pursuant to Article 32(1)(d) GDPR; and finally, the ability of VIEC to demonstrate that it had assessed the risk to processing special category information
The DPC concluded that the processing by VIEC failed to ensure that the personal data was processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It further added that the adequate technical and organisational measures that may have been employed by VIEC could have included, among others, appropriate encryption of personal data being transferred over external networks, and provision of suitable phishing training. Regular testing of the measures employed would also go some way to ensuring the security of processing. Therefore, it held that VIEC infringed Articles 5(1)(f) and 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data within the VIEC email system
In light of the above, the DPC made an order pursuant to Article 58(2)(d) GDPR, obliging VIEC to bring its processing operations into compliance with the GDPR; and also issued a reprimand upon the controller pursuant to Article 58(2)(b) GDPR. In accordance with article 83 GDPR, and taking into account the factors outlined in Article 58(2)(i) GDPR, the DPC also imposed an administrative fine of €100,000.
Comment
Some of the failures identified by the DPC in its investigation were:
- VIEC's data protection policy appeared to be outdated since it referred to the Data Protection Acts 1988 and 2003 and did not make reference to the GDPR or the Data Protection Act 2018. Similarly, the Employee Data Policy did not refer to the GDPR. This might suggest that these policies were not reviewed or updated prior or after the GDPR came into force.
- There was no evidence that VIEC had provided phishing training to its employees prior to the data breach taking place.
- The majority of user passwords were not set to expire and VIEC did not implement multifactor authentication for users logging into accounts.
- Lack of regularly testing technical measures, lead the DPC to conclude that they did not meet the standard required by Articles 5(1)(f) and Article 32 GDPR
- There was no journaling in place for emails at the time of the breach and therefore it was unable to search for the original phishing email.
- VIEC was aware that the use of its email system for the storage and transfer of personal and special category data may present risks to the integrity of the data. This was shown in its development of policies to avoid and minimise this risk. However, no follow up action was taken to ensure that these policies were being followed or were effective.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.