DPC (Ireland) - IN-19-9-3

From GDPRhub
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(f) GDPR, Article 32(1) GDPR, Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 07.11.2019
Decided: 22.11.2024
Published: 20.02.2025
Fine: 40000 EUR
Parties: n/a
National Case Number/Name: IN-19-9-3
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: cwa

The DPA fined a university €40,000 for failing to implement adequate security measures and for failing to notify the DPA in time of a data breach, after a compromised email account led to an employee falling victim to financial fraud.

English Summary

Facts

In September 2018, a Maynooth University (data controller) staff member’s email account was compromised while they were in the process of handling a financial payment, and email “rules” were set up to hide subsequently received emails from the victim. This allowed the attacker to trick a University staff member into transferring a sum of money to a fraudulent account, believing it was being paid into their pension pot. The email accounts of five other staff members were also compromised.

In October 2018, the victim of the financial fraud became aware of what had happened and reported it to the controller. The controller responded by resetting the user’s password and hiring an external cybersecurity firm to investigate the incident. The incident was not reported to the data protection authority (the Data Protection Commission (DPC)) until November 2018, the following month. The controller's DPO reported the incident to the DPC within 72 hours of being notified by the controller; the controller had delayed alerting the DPO in order to have the external investigation carried out first.

The University identified that the personal data of 653 data subjects (of whom 463 could be identified), consisting of their identity, Personal Public Service Number (PPSN), contact details, economic/financial data and location data, had been breached.

On 7 November 2019, the DPC initiated an inquiry into the incident.

Holding

The DPC found that the controller failed to ensure the security of personal data, violating Articles 5(1)(f) and 32(1) GDPR. Although some security measures were in place in respect of the email system, such as password protection, perimeter monitoring and encryption (both at rest and in transit), the DPC found these insufficient to discharge the controller’s obligation, given the nature and type of the processing in question.

In particular, the DPC was critical of the lack of multi-factor authentication (as opposed to two-factor), inadequate anti-spam configuration, the absence of password expiry rules requiring passwords to be changed, the lack of controls preventing the automatic forwarding of emails to external email addresses, and the absence of a policy prohibiting the creation of email forwarding rules.
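The forwarding and mail-hiding rules at the centre of this incident are the kind of thing a mailbox-audit check can flag. Below is an added, defender-side example (not code from the decision or from the university) that scans constructed rule-creation records for external forwarding and hiding actions; the record format, the example.edu domain and the folder list are assumptions.

```python
# Flag newly created mailbox rules that hide mail or send it outside the organisation.
# Added example, not from the DPC decision; the audit record format is an assumption.
from dataclasses import dataclass, field
from typing import Optional

INTERNAL_DOMAINS = {"example.edu"}  # assumption: the organisation's own mail domains
# Folders commonly used to keep rule-routed mail out of the user's sight
HIDING_FOLDERS = {"deleted items", "junk email", "rss subscriptions", "conversation history"}

# Constructed sample records (not real audit data)
SAMPLE_EVENTS = [
    {"user": "payroll.clerk@example.edu", "rule": "Pension",
     "conditions": {"subject_contains": ["pension", "payment"]},
     "actions": {"forward_to": ["collector@webmail.example"],
                 "move_to_folder": "RSS Subscriptions", "mark_read": True}},
    {"user": "lecturer@example.edu", "rule": "Newsletters",
     "conditions": {"from": ["news@example.edu"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"user": "registrar@example.edu", "rule": "Cleanup",
     "conditions": {}, "actions": {"delete": True}},
]

@dataclass
class Finding:
    user: str
    rule: str
    reasons: list = field(default_factory=list)

def is_external(address: str) -> bool:
    """True when the recipient domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def assess_rule(event: dict) -> Optional[Finding]:
    """Return a Finding if the rule forwards externally or hides mail, else None."""
    act = event.get("actions", {})
    reasons = [f"forwards to external address {a}"
               for a in act.get("forward_to", []) + act.get("redirect_to", []) if is_external(a)]
    folder = act.get("move_to_folder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{folder}'")
    if act.get("delete"):
        reasons.append("deletes matching mail")
    if act.get("mark_read") and reasons:  # aggravating only alongside another hiding action
        reasons.append("marks mail as read")
    return Finding(event["user"], event["rule"], reasons) if reasons else None

def scan(events: list) -> list:
    """Run assess_rule over every record, returning findings in input order."""
    return [f for f in (assess_rule(e) for e in events) if f]
```

Run against the sample records, `scan` flags the "Pension" rule (external forward, hidden folder, mark-as-read) and the "Cleanup" rule (deletes mail), and leaves the ordinary "Newsletters" rule alone.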

Secondly, in relation to Article 33 GDPR, the DPC held that the controller failed to meet its obligation to report the breach within 72 hours of having become aware of it. The DPC was critical of the controller’s decision to delay notifying the DPC of the breach pending the outcome of the cybersecurity report, and held that notification should have occurred within 72 hours of the controller becoming aware of the breach, in October 2018.

The DPC issued a fine of €40,000, €25,000 for infringing Articles 5(1) & 32(1), and €15,000 for infringing Article 33. The DPC also made an order requiring the controller to implement a list of enhanced security measures.

Further Resources

Data Protection Commission Report:

https://www.dataprotection.ie/sites/default/files/uploads/2025-02/MU%20Final%20Decision%20IN-19-9-3_Redacted.pdf