DPC (Ireland) - DPC ref: IN-20-4-1

Revision as of 13:07, 28 February 2022 by Czapla
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1) GDPR; Article 32(1) GDPR; Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.12.2021
Published:
Fine: €60,000
Parties: n/a
National Case Number/Name: DPC ref: IN-20-4-1
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Irish DPC (in EN)
Initial Contributor: czapla

The Irish DPC imposed an administrative fine of €60,000 on the Teaching Council in respect of a data breach that originated from a phishing email. The fine was imposed for failing to secure the processing of personal data through appropriate technical and organisational measures and for failing to notify the DPC of the breach in time.

English Summary

Facts

The Council’s IT team was first alerted on 17 February 2020, via Office 365, to the suspected creation of a forwarding/redirect rule on a staff member’s account. Between 17 February 2020 and 6 March 2020, four similar alerts were triggered, with severity levels varying from low to high. The Council’s IT team reacted to these alerts by changing the staff member’s password and by checking the server for virus threats. The Outlook client, the user’s OWA personal access and the forwarding rule itself were not initially checked. The issue was treated as low severity until 6 March 2020, which was also the date on which the Council’s DPO was first made aware of it.

The DPC received notification of a personal data breach from the Council on 9 March 2020. The breach notification indicated a potential contravention of the data protection legislation by the Council. The breach notification stated that a phishing email had been received by two members of staff in the Council and was accessed by them.

Further investigation of the incident revealed that two staff members had responded to phishing emails by entering their passwords online. This activated a script that established an auto-forwarding rule to an external Gmail account. The staff members were not aware that they had entered their passwords online and perceived it to be a normal activity. In total, 323 email messages were forwarded to the external Gmail account. These emails contained the vetting status details of 9,735 teachers, including names, addresses, PPS numbers and vetting clearance status. The teachers’ personal details had been shared internally by email as unprotected Excel spreadsheets.
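The Office 365 alerts on forwarding-rule creation were the detection signal that went unexamined in this incident. As an added example that is not part of the GDPRhub page or the DPC decision, the Python below scans constructed mailbox audit records and flags rules that forward or redirect mail to an address outside the organisation, raising the severity where the rule also deletes or moves the forwarded messages (so the mailbox owner would not notice). The JSON record shape is an assumption loosely modelled on Exchange Online mailbox audit events; the internal domain example.ie and every address in the sample log are made up.

```python
"""Flag mailbox forwarding rules that send mail outside the organisation.

Added example, not from the GDPRhub page or the DPC decision. Record shape
(Operation, UserId, Parameters as a list of {"Name", "Value"} pairs) is an
assumption modelled on Exchange Online mailbox audit events.
"""
import json
from typing import Dict, Iterable, List

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.ie"}

# Rule/mailbox parameters that cause copies of mail to leave the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = """\
{"CreationTime":"2020-02-17T09:12:03","Operation":"New-InboxRule","UserId":"staff.one@example.ie","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"unknown.recipient@gmail.com"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-02-18T10:00:00","Operation":"New-InboxRule","UserId":"staff.two@example.ie","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"CreationTime":"2020-02-19T11:30:00","Operation":"Set-InboxRule","UserId":"staff.three@example.ie","Parameters":[{"Name":"Name","Value":"copy"},{"Name":"RedirectTo","Value":"colleague@example.ie"}]}
{"CreationTime":"2020-02-20T08:45:00","Operation":"Set-Mailbox","UserId":"admin@example.ie","Parameters":[{"Name":"Identity","Value":"staff.two@example.ie"},{"Name":"ForwardingSmtpAddress","Value":"smtp:other@outlook.com"}]}
"""


def _params(record: dict) -> Dict[str, str]:
    """Flatten the [{"Name": .., "Value": ..}] list into a name -> value dict."""
    return {p.get("Name", ""): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def extract_addresses(value: str) -> List[str]:
    """Split a forwarding parameter value into lowercase SMTP addresses.

    Handles an optional "smtp:" prefix and ';'-separated lists (assumed formats).
    """
    out = []
    for part in value.split(";"):
        addr = part.strip().strip('"').lower()
        if addr.startswith("smtp:"):
            addr = addr[len("smtp:"):]
        if "@" in addr:
            out.append(addr)
    return out


def is_external(address: str, internal_domains: Iterable[str]) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1]
    return domain not in {d.lower() for d in internal_domains}


def external_forwarding_events(log_text: str, internal_domains=INTERNAL_DOMAINS) -> List[dict]:
    """Return one finding per audit record that forwards mail to an external address."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        params = _params(rec)

        targets = []
        for name in sorted(FORWARDING_PARAMS):
            if name in params:
                targets += [a for a in extract_addresses(params[name]) if is_external(a, internal_domains)]
        if not targets:
            continue  # no external destination: not a finding

        # Set-Mailbox is run by an admin against a target mailbox (Identity);
        # inbox-rule operations act on the mailbox of the user who ran them.
        if rec.get("Operation") == "Set-Mailbox":
            mailbox = params.get("Identity", rec.get("UserId", ""))
        else:
            mailbox = rec.get("UserId", "")

        # A rule that also deletes or files away the forwarded mail hides the
        # leak from the mailbox owner, so it deserves a higher severity.
        hides_mail = params.get("DeleteMessage", "").lower() == "true" or "MoveToFolder" in params

        findings.append({
            "time": rec.get("CreationTime"),
            "operation": rec.get("Operation"),
            "mailbox": mailbox.lower(),
            "actor": rec.get("UserId"),
            "targets": sorted(set(targets)),
            "hides_mail": hides_mail,
            "severity": "high" if hides_mail else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in external_forwarding_events(SAMPLE_LOG):
        print(json.dumps(finding))
```

On the sample log this produces two findings: the inbox rule on staff.one's mailbox that forwards to a Gmail address and deletes the originals (high), and the admin-set forwarding address on staff.two's mailbox (medium). The rule that redirects to an internal colleague and the rule that only moves mail to a folder are not reported, which keeps the alert focused on the pattern that matters here: mail leaving the organisation without the owner's knowledge.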

The DPC identified, amongst others, the following shortcomings in the Council’s technical and organisational security measures:
- the personal data was shared via an Excel spreadsheet generated by one staff member and sent to another by email, whereas a shared drive should have been used instead;
- the Acceptable Usage Policy (‘AUP’) in place at the time of the breach contained a section on password usage, but only in respect of the circulation of external documents. The spreadsheet was therefore sent unencrypted and without password protection over an inadequately secured email system, which had allowed the creation of forwarding rules;
- the Council did not have Advanced Threat Protection (‘ATP’) enabled in Office 365 due to licensing issues.
Further, the Council did not implement adequate technical and organisational measures to account for human error.

With regard to the delayed data breach notification, the DPC found that the Council had failed to investigate appropriately, had not followed all appropriate steps, and had ignored the specifics of an alert when it was received. As a result, the Council failed in its obligation to notify the DPC of the breach within the prescribed period from when it ought to have been aware that a data breach had occurred.

Holding

The DPC decision imposed an administrative fine of €60,000 on the Council in respect of the infringements, and issued the Council with a reprimand. With due regard to the measures already implemented by the Council since the personal data breach and during the inquiry, the Council was given until 2 June 2022 to bring its processing operations into compliance with Articles 5(1) and 32(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.