Dirty tricks at centre of credit union snooping
Sensitive personal data, including addresses and job details, was handed over by the Department of Social Protection after just one phone call from private investigators pretending to be State officials.
The underhand tactics used to extract confidential information from a leading State agency are revealed in an Irish Independent investigation.
The investigators, acting on behalf of at least a dozen credit unions, were able to get reams of personal data from officials in the country's biggest-spending department without having to prove who they were.
All the private investigators had to do was ring up and say they were State officials.
As reported yesterday, the Irish League of Credit Unions (ILCU) said that credit unions were not aware that the companies they hired were using illegal tactics.
In one case, a private investigator didn't even give a surname, just a Christian name.
And in another instance, the welfare official struck up a friendly relationship with the investigator who obtained stolen data.
But two department officials who handed over confidential information got off with just a written warning.
The officials in question were at the centre of a major investigation by the Data Protection Commissioner which established that details belonging to at least 78 credit union customers were handed over to two private investigators.
Documents obtained by this newspaper today show both officials expressed shock and disgust after being told they had been duped by so-called tracing agents.
The staff, who received written warnings (see letter), insisted that they were betrayed and would never have handed over data if they had known who they were dealing with.
But the fact that personal data was so easily obtained from a leading government agency will spark serious concerns about the systems in place within the department.
The department deals with 1.5 million payments per week and possesses a large amount of personal data.
Despite the clear questions now surrounding its data protection procedures, a spokesperson claimed that staff members are "regularly reminded of their obligations".
In cases brought to the attention of the Assistant Data Protection Commissioner Tony Delaney, the private investigators had been phoning the same civil servants for years.
In one scenario, the agent said he worked for a state agency in Northern Ireland. In another example, an agent phoned the same civil servant on a regular basis and requested the addresses of customers and their spouses. She only offered her first name and said she was working on behalf of a state body involved in the education sector.
In both cases, the private investigators managed to convince the department officials that they were legitimate agents of the State. Armed with the information they required, the investigators provided it to at least 12 credit unions in return for a sizeable fee.
The Irish Independent has learned that neither civil servant involved in providing the data to private investigators has faced sanctions. The latest breach within the department comes despite a lengthy warning, specifically about bogus calls, issued to staff in 2009.
The warning by senior department staff at the time said: "It should be stressed bogus callers are very adept in 'social engineering' techniques and how to 'phish' for customer data, etc. It is important, therefore, that staff are familiar with procedures for dealing with requests for personal information, many of which will be from legitimate sources, eg gardai, etc."
In a statement, the department said data breaches occur in only "a small number of instances".
"The policies, procedures and guidelines are kept under constant review and are updated as appropriate. Staff members are regularly reminded of their obligations under these policies and of the penalties that are applicable in respect of any breach of them.
"Staff members are required, on an annual basis, to sign undertakings that they have read and will act in accordance with data protection guidelines and policies," a spokesperson said.
"The department ensures oversight in relation to data protection by keeping records of data accesses which are then subject to audit."
The spokesperson said all cases of suspected data breaches were investigated and in "the small number of instances where data breaches have been substantiated, sanctions up to and including dismissal have been applied".
The spokesperson also said the department assists the Office of the Data Protection Commissioner in all cases of suspected breaches.