DPC (Ireland) - IN-21-6-2
| DPC - IN-21-6-2 | |
|---|---|
 | |
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 30.12.2022 |
| Published: | 03.03.2022 |
| Fine: | 15000 EUR |
| Parties: | A&G Couriers Limited T/A Fastway Couriers (Ireland) |
| National Case Number/Name: | IN-21-6-2 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | Data Protection Commission (in EN) |
| Initial Contributor: | Sainey Belle |
A courier services company contracted an IT firm to conduct changes to its internal reporting system and provide access to the tax authorities. During this process a data breach occured and the controller was subsequently fined €15,000 for the failure to implement appropriate technical and organisational security measures.
English Summary
Facts
This case concerns A&G Couriers, a company providing courier services, (the “Controller”) which engaged a third party IT software contractor (“Contractor”) to undertake a "Brexit project". This project was aimed at providing the UK tax authority (Her Majesty’s Revenue & Customs – HMRC) with access to their internal reporting system to facilitate declarations of duty and VAT.
The Contractor immediately began facilitating access to the reports for external review and, while these changes to the system were being made, the server which housed all the data became exposed to the public internet. It was suggested by the Controller that – due to insufficient checks on security patches, user restrictions and access controls by the Contractor – the configuration of the affected server was implemented incorrectly, and the IP address of the affected server was inadvertently.
For a total of two days, the servers, which housed in total, the unencrypted personal data of 446,143 data subjects, were publicly available. This included their names, home addresses, email addresses and mobile numbers. The Controller further clarified that each of these categories of personal data may not be fully present in each record affected by the personal data breach, since the data collected is client specific and not all fields are mandatory.
In addition, an unknown individual gained access to the exposed server and exfiltrated the personal information pertaining to a large number of data subjects. The hacker was able to access the records of 10,000 data subjects in total.
In submissions to the DPC, the Controller outlined their account of the incident and made a number of arguments in its defence. Firstly, the Controller asserted that, depending on the specific data, it was in some cases a controller, and in others a processor, and so the duty to implement appropriate measures was not placed upon them in all circumstances.
Secondly, the controller stated that the servers contained some or all of the following categories of personal data: names, home addresses, email addresses and mobile numbers (as dependent on client requirements). The Controller submitted that, in an objective assessment, the risks posed by the Controller’s processing at the time of the personal data breach involved low to moderate risks, both in likelihood and severity, to the rights and freedoms of data subjects. It is admitted that there was a significant quantity of personal data related to a large number of data subjects processed and stored for a period of thirty days by the Controller, however, this personal data may be considered at the lower end of the scale in terms of sensitivity.
Holding
Issuing its final decision, the DPC addressed the two points put forward by the Controller, before setting out findings concerning the technical and organisational security measures in place at the time of the breach.
Firstly, regarding the issue of whether the Controller should be considered a controller or processor, the DPC held that the obligation to implement appropriate technical and organisational measures pursuant to Article 32(1) GDPR applies equally to controllers and processors. As the Controller identified itself as holding either of those roles in respect of the personal data, the obligation to comply with Article 32(1) GDPR applies to all of those circumstances.
Secondly, concerning the categories of personal data and risk to the rights and freedoms of data subjects, pursuant to Article 32(1)(d) GDPR and in light of the obligation to regularly evaluate the effectiveness of technical and organisational measures, it is clear the Controller should have conducted a risk assessment before initiating the process of reviewing access to its internal server in the context of the "Brexit project". This would have enabled them to identify any possible risk arising from this specific change to the system. The failure to do so aggravated the likelihood of a risk to the rights and freedoms of data subjects. Having an urgent project does not allow for any exceptions to the obligation to implement appropriate security measures, and to follow policies and procedures that have been implemented.
Third, on the issue of technical measures the DPC found that, at time of the personal data breach, the personal data stored was not encrypted and the security controls were not designed with regard to the possibility that the affected data could be viewed by an external entity. Due to the change in the parties to whom the reporting system was exposed to, the new risks associated with such a change ought to have been firstly assessed. Accordingly, risk-appropriate measures such as encryption and comprehensive access control procedures should have been implemented before the personal data breach. In that regard, the Controller confirmed that the risk assessment regarding the changes to the systems was not performed, and it failed to implement appropriate mitigating measures.
Fourth, and finally, the DPC made findings regarding the implementation of organisational measures. In doing so it was held that, contrary to the controller’s existing policies and procedures at the time of the personal data breach, the system changes were signed off verbally by a member of the Controller’s IT team and without the approval of the Data & Information Security representative. Moreover, the lack of the risk assessment negatively impacted the Controller’s ability to identify and recognise the risks associated with this change. Therefore, the DPC considered that the organisational measures implemented by the Controller were not appropriate as they did not follow its own Data Protection Policies and Procedures. The DPC also observed a lack of any "checks and balances" to ensure that these policies and procedures were fully followed by their staff.
In light of the above, the Controller was issued with a reprimand in respect of the infringement, emphasising the requirement to take all relevant steps to ensure continuous and future compliance with Article 32 GDPR. The DPC also issued an administrative fine on the Controller in the amount of €15,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Inquiry into A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022 Inquiry into A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022 Final Decision: A&G Couriers Limited T/A Fastway Couriers (Ireland) - December 2022
