DPC (Ireland) - IN-21-2-5

From GDPRhub
Revision as of 22:48, 20 February 2023 by Paolaleon
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 100,000 EUR
Parties: Virtue Integrated Elder Care Ltd
National Case Number/Name: IN-21-2-5
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: PL

The Irish DPA imposed a €100,000 fine on Virtue Integrated Elder Care Ltd for non-compliance with Articles 5(1)(f) and 32(1) GDPR by failing to implement appropriate technical and organisational security measures.

English Summary

Facts

Virtue Integrated Elder Care Ltd ("VIEC") operates and manages five nursing homes in Dublin, Ireland. The issue came to light when a user reported to the VIEC IT helpdesk that they were being blocked from sending emails.

The DPC received a personal data breach notification from VIEC, outlining that it had discovered that the email account of one of its managers had been compromised through a phishing attack and that emails had been rerouted to a third-party Gmail account.

Based on its analysis of the breach notification and of the further documentation provided during the breach handling process, the DPC considered that the matter concerned a possible "breach of security potentially leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" by VIEC. The DPC therefore initiated an inquiry to determine whether VIEC had complied with its obligations under Article 5(1)(f) GDPR and Article 32(1) GDPR in respect of the processing that was the subject of the notification. The scope of the inquiry was stated to include:

  1. the steps taken by VIEC to comply with the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR;
  2. the technical and organisational measures taken by VIEC to ensure security of processing pursuant to Article 32(1) GDPR;
  3. the ability of VIEC to demonstrate ongoing confidentiality, integrity and availability of personal data pursuant to Article 32(1)(b) GDPR;
  4. the process employed by VIEC for regularly testing the effectiveness of measures for ensuring appropriate security pursuant to Article 32(1)(d) GDPR;
  5. the ability of VIEC to demonstrate that it had assessed the risk of processing special category data.

The breach:

VIEC reported that the personal data of 213 individuals had been compromised and that the categories of personal data disclosed as a result of the breach included special category data. The categories were: name, address, email address, telephone number, PPSN (Personal Public Service Number), employee data (probation reviews and rosters), health data and biometric data.

Root cause:

VIEC's security provider indicated that the most likely root cause of the breach was that the credentials of a user account at one of the nursing homes were captured on a fake website. The link to that fake website was likely received in a phishing email; the originating email that delivered the malicious link was not identified by the security provider. The email account was then accessed by an unauthorised third party using the captured credentials. This gave the attacker access to stored emails and allowed them to set up forwarding of all inbound emails to a third-party email account. The presence of the forwarding rules indicated ongoing unauthorised access to, and unauthorised disclosure of, personal data. The issue had been ongoing since 18 July 2020.
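The indicator that exposed this breach was a forwarding rule sending a mailbox's inbound mail to an address outside the organisation. The following is an added example of a check for that indicator; it is not code from the DPC decision or from VIEC. It assumes that mailbox-level forwarding settings and inbox rules can be exported from the mail platform into simple records (the record shape, the organisation domain `viec-example.ie` and all addresses below are constructed for illustration). It also flags the common variant in which the rule deletes the inbound copy so the owner never sees it.

```python
"""Flag mailbox forwarding to addresses outside the organisation.

Added example, not the DPC's or VIEC's code. The export format, the
organisation domain and the sample mailboxes are all constructed
assumptions; adapt the loader to whatever your mail platform exports.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, Optional

# Assumption: the controller's own mail domain(s). Anything else is "external".
ORG_DOMAINS = {"viec-example.ie"}


@dataclass
class MailboxRule:
    """One inbox rule as it might appear in a platform export (constructed shape)."""
    mailbox: str                                   # owner of the rule
    name: str
    enabled: bool
    forward_to: list[str] = field(default_factory=list)  # forward/redirect targets
    delete_message: bool = False                   # rule also deletes the inbound copy


@dataclass
class MailboxConfig:
    """Mailbox-level forwarding plus the mailbox's inbox rules."""
    mailbox: str
    forwarding_address: Optional[str] = None       # platform-level forward, if any
    rules: list[MailboxRule] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, org_domains: set[str] = ORG_DOMAINS) -> bool:
    """True when the address belongs to a domain the organisation does not own."""
    return domain_of(address) not in org_domains


def find_external_forwarding(mailboxes: Iterable[MailboxConfig],
                             org_domains: set[str] = ORG_DOMAINS) -> list[dict]:
    """Return one finding per enabled forward/redirect to an external address.

    A rule that also deletes the inbound copy hides the exfiltration from the
    mailbox owner, so it is rated 'critical'; plain forwarding is 'high'.
    """
    findings: list[dict] = []
    for mb in mailboxes:
        if mb.forwarding_address and is_external(mb.forwarding_address, org_domains):
            findings.append({
                "mailbox": mb.mailbox,
                "source": "mailbox forwarding setting",
                "targets": [mb.forwarding_address],
                "hides_copy": False,
                "severity": "high",
            })
        for rule in mb.rules:
            if not rule.enabled:
                continue
            external = [a for a in rule.forward_to if is_external(a, org_domains)]
            if not external:
                continue
            findings.append({
                "mailbox": mb.mailbox,
                "source": f"inbox rule '{rule.name}'",
                "targets": external,
                "hides_copy": rule.delete_message,
                "severity": "critical" if rule.delete_message else "high",
            })
    return findings


# Constructed sample export: one compromised manager mailbox with a hidden
# forward to a webmail account, one legitimate internal rule, one personal
# mailbox-level forward, and one disabled rule that should not be reported.
SAMPLE_MAILBOXES = [
    MailboxConfig(
        mailbox="manager@viec-example.ie",
        rules=[
            MailboxRule("manager@viec-example.ie", ".", True,
                        forward_to=["backup.office2020@gmail.com"], delete_message=True),
            MailboxRule("manager@viec-example.ie", "Rosters to admin", True,
                        forward_to=["admin@viec-example.ie"]),
        ],
    ),
    MailboxConfig(mailbox="nurse@viec-example.ie",
                  forwarding_address="nurse.personal@outlook.com"),
    MailboxConfig(mailbox="reception@viec-example.ie",
                  rules=[MailboxRule("reception@viec-example.ie", "old", False,
                                     forward_to=["someone@gmail.com"])]),
]


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_MAILBOXES):
        print(f"[{f['severity']}] {f['mailbox']}: {f['source']} -> {', '.join(f['targets'])}"
              + ("  (inbound copy deleted)" if f["hides_copy"] else ""))
```

Run this against a full export on a schedule rather than once: the rule in this case sat in place from 18 July 2020 until a user noticed a side effect, and a periodic check of forwarding targets against the organisation's own domains is the kind of regular testing of measures the DPC found missing.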

Holding

The DPC concluded that VIEC's processing failed to ensure that the personal data was processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It added that appropriate technical and organisational measures could have included, among others, appropriate encryption of personal data being transferred over external networks and the provision of suitable phishing training, and that regular testing of the measures employed would also go some way to ensuring the security of processing. The DPC therefore held that VIEC had infringed Articles 5(1)(f) and 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data within the VIEC email system.

In consequence, the DPC exercised the following corrective powers:

  1. an order pursuant to Article 58(2)(d) GDPR requiring VIEC to bring its processing operations into compliance with the GDPR;
  2. a reprimand to VIEC pursuant to Article 58(2)(b) GDPR;
  3. an administrative fine of €100,000 in respect of the infringement of Article 5(1)(f) GDPR, pursuant to Article 58(2)(i) and Article 83 GDPR.

Comment

Some of the failures identified by the DPC in its investigation were:

  • VIEC's data protection policy appeared to be outdated: it referred to the Data Protection Acts 1988 and 2003 and made no reference to the GDPR or the Data Protection Act 2018. Similarly, the Employee Data Policy did not refer to the GDPR. This suggests that these policies were not reviewed or updated either before or after the GDPR came into force.
  • There was no evidence that VIEC had provided phishing training to its employees prior to the data breach taking place.
  • The majority of user passwords were not set to expire, and VIEC had not implemented multi-factor authentication for users logging into accounts.
  • The lack of regular testing of the technical measures led the DPC to conclude that they did not meet the standard required by Articles 5(1)(f) and 32 GDPR.
  • There was no email journaling in place at the time of the breach, so VIEC was unable to search for the original phishing email.
  • VIEC was aware that the use of its email system for the storage and transfer of personal and special category data may present risks to the integrity of the data. This was shown in its development of policies to avoid and minimise this risk. However, no follow up action was taken to ensure that these policies were being followed or were effective.
