Case Studies: Data Breach Notification
Digital File Storage Breach
A third level institution reported a data breach to the DPC relating to the storage of student medical certificates for a particular course. A student had discovered medical certificates relating to other students when attempting to upload their own certificate to the institution's Virtual Learning Environment (VLE). The institution immediately informed the DPO and their IT department removed the files.
Personal Data Accidentally Disclosed Online
A third level institution reported a data breach to the DPC that related to a survey it had carried out on former students. Each year recently graduated students were surveyed with a focus on their further studies and employment, and this data was then used to publish a report on graduate outcomes. The summary statistics, which were not anonymised in this instance and included personal data, were published on the institution’s website.
Phishing Email Attack in the Broadcasting Sector
An organisation operating in the broadcasting sector notified a data breach to the DPC relating to an employee who had fallen victim to a phishing email. The email, purporting to be an advertisement for an internal vacancy, requested that the employee input their email and data storage platform credentials as well as their Multifactor Authentication (MFA) Authenticator Prompt. Having obtained this information from the employee, the bad actor who sent the phishing email was then able to gain access to this employee’s email and data storage platform account.
Breach Complaint related to employment information
The DPC received a complaint from an individual against their employer relating to a data breach. The breach occurred when a HR folder, which contained the individual’s personal data, was placed on an open drive that was accessible to third party individuals.
CCTV policies and procedures
A customer of a restaurant lost their belongings while in the premises. They then requested that a staff member provide them with access to the restaurant CCTV footage to assist in finding out what happened to their belongings.
Data Processor in the Charity Sector Breach
The DPC became aware of a breach which had occurred at a data processor when eighteen (18) organisations (data controllers) operating in the charities sector used a data processor based outside of the DPC’s jurisdiction. The organisations provided services largely aimed at supporting vulnerable individuals and are not for profit with many of their personnel working on a volunteer basis.
Risks posed by users of video conferencing
The DPC received a notification from a statutory body tasked with investigating complaints about the professional conduct of experts. The breach occurred during the course of a public hearing, which was held remotely, when access permissions were incorrectly provided to attendees including journalists.
Second level school a victim of a whale phishing attack
The DPC received a breach notification from a school in relation to a bad actor who accessed and infiltrated a school’s ICT systems, including the email system, for an unknown length of time. The bad actor gathered information before sending a phishing email and tricked the administrator for financial accounts into directing payments into a fraudulent account.
Transfer of hard copy paper documents
The breach concerned an organisation which has a function in conducting independent reviews. The organisation was returning documents following the completion of its review process. The organisation normally encourages the use of a file transfer system for the transfer of subject records but also facilitates the sending of hard copies. In this instance, the sending organisation requested that the copies of records it had sent in hard copy be returned to it. The organisation returned these documents by post, and the envelope was reinforced and secure when it left the organisation. However, it was stated that it was not sent by registered post, which was the normal policy for the organisation when requesting hard copies from organisations to support the appeal / assessment process. When the envelope arrived back at the sending organisation, all of its seams were split and badly torn and three pages were missing from the package.
Transfer of hard copy paper documents while moving premises
A medical General Practitioner (‘GP’) who operated his practice from his own home was moving work premises. The GP stated they had 4000 patients attending the practice over time and operated both digital storage and paper files. The GP engaged a local delivery van to transport the paper medical files connected with the practice. The medical files were put into boxes and placed in the private delivery van.
Breach Notification (Financial Sector) Bank Details sent by WhatsApp
A private financial sector organisation notified the DPC that a customer had made a request to obtain their IBAN and BIC numbers, which were held on file. The customer making the request was personally known to the member of staff dealing with the request. The member of staff, deviating from approved practices, used their personal mobile phone to send a picture of what they believed to be the requested information over a messaging platform (WhatsApp). However, the staff member erroneously sent details pertaining to another customer to the requesting customer.
Disclosure of CCTV footage via social media
A commercial and residential property management company notified the DPC that an employee of a security company whose services they retained had used their personal mobile phone to record CCTV footage of two members of the public engaged in an intimate act, which had been captured by the management company’s security cameras.
Failure to implement the data protection policies in place
An employee of the data controller, a public-sector body, lost an unencrypted USB device containing personal information belonging to a number of colleagues and service users.
Loss of control of paper files
A public sector health service provider notified the DPC that a number of files containing patient medical information had been found in a storage cabinet on a hospital premises which was no longer occupied.
Loss of paper files in transit
The data controller, a public body, notified the Data Protection Commission (DPC) about an incident involving the transportation of hard-copy legal files containing special-category personal data, which risked the personal data falling into the hands of unauthorised individuals.
Website phishing
A private sector (educational) data controller reported an incident of phishing, where a staff member had clicked on a suspicious website link and entered their credentials resulting in their email account becoming compromised.
Breach Notification (12 Credit Unions) Processor Coding Error
The DPC received separate breach reports from 12 credit unions that employed the services of the same processor, which was based in the UK. The breach by the processor arose from a coding error made by the processor when implementing measures introduced in response to the Covid-19 pandemic.
Disclosure due to misdirected email
A notification was received from a statutory body whose functions include the investigation of complaints concerning experts’ professional conduct, training or competence. The personal data breach occurred when a letter concerning a complaint against a specialist was attached to an email and sent to an incorrect address. The attachment contained personal data of several persons, including health data, and was encrypted. However, the password for the encrypted letter was issued in a separate email to the same incorrect address.
Email addresses disclosed via group mail
The DPC received a breach notification from a charity that supports people with intellectual disabilities. The breach occurred when an email newsletter was addressed to recipients using the Carbon Copy (CC) field rather than the Blind Carbon Copy (BCC) field. The result was that the email addresses of all recipients were disclosed to those who read the email. This is a common type of personal data breach that is often the result of simple human error and that usually poses low risks. While the risks posed in this instance may not have been significant, further inquiries and an analysis of previous submissions to the DPC indicated poor awareness of data protection issues and responsibilities among the charity’s staff and volunteers.
Inaccurate data leading to potential high risk resulting from inaccurate Central Credit Register data
The DPC received a notification from a financial sector data controller concerning an individual whose account had been incorrectly reported to the Central Credit Register (CCR). The controller had purchased the individual’s account as part of a portfolio sale in 2015 and was not aware that the individual had been adjudicated bankrupt in 2014. Individuals who have been declared bankrupt fall outside the scope of reporting obligations to the CCR. In addition, accounts with returns prior to the commencement of the CCR on 30 June 2017 are not reportable to it.
Inappropriate disposal of materials by an educational institution
A health science focused university notified the DPC of a breach arising from inappropriate disposal of materials containing personal data. An employee worked from home on a recruitment project. The employee worked on printed copies of a number of job applications and accompanying CVs. The organisation had instructed employees working from home to minimise printing and to destroy documents before disposal. However, the employee placed the recruitment documents intact into a domestic recycling bin. High winds caused contents of the bin, including the recruitment documents, to be dispersed.
Repeated similar breaches
Over a period of 12 months, the DPC received notifications of a series of similar breaches from a data controller involved in financial matters. The controller sold services through a nationwide retail network owned and operated by a third party, which acted as its processor. The breaches occurred when existing customers of the controller made purchases at the processor’s outlets, but used an address different from the address they had previously registered with the controller.
Social Engineering Attack
A medium-sized law firm reported that it was the victim of a social engineering attack. A staff member opened an email from a malicious third party that secretly installed malware on their computer. The malware enabled the monitoring of email communications and permitted the bad actor to defraud a client of a sum of money. The firm reported the breach to the DPC.
Breach Notification (Voluntary Sector) — Ransomware Attack
In May 2020, the DPC received a breach notification from an Irish data processor and subsequently a notification from an Irish data controller operating in the voluntary sector who had engaged this processor to provide webhosting and data management services.