
Data including PPS numbers hacked from Irish primary school and 'held for ransom'

Data Protection Commissioner ruled the school had little training in protecting personal data


Adrian Weckler

Photo: Getty Stock

A primary school fell victim to a ransomware attack in which names, dates of birth and PPS numbers were locked and held for ransom.

Details of the data breach are included in the annual report of the Data Protection Commissioner, published today.

In the report, Commissioner Helen Dixon outlined several instances where data protection law was not applied properly in Ireland last year.

The Commissioner declined to say whether the school paid any ransom.

However, the Commissioner did say that the school's systems were deficient, with little or no knowledge or training on protecting its pupils' personal data in this context.

There was, the Commissioner said “a lack of staff training and awareness of the risks associated with opening unknown email attachments or files”. No punitive action was taken against the school, which was not named.

Other cases outlined include a care worker who was filmed sleeping on the job and banks that inappropriately shared customer information.

In one case, an online retailer exposed its customers' credit card transactions for almost eight weeks without knowing it. The transactions were recorded and stored by hackers. However, the retailer did not face punitive action.

There were also cases of breaches committed by Bank of Ireland and Permanent TSB, both of which were found to have inappropriately shared customer information in individual cases. Neither faced punitive action.

The Commissioner also found that a residential care home had acted in accordance with the law when a supervisor photographed and recorded an employee sleeping on the job. The employee had been tasked with ensuring the safety and wellbeing of vulnerable adults resident in the care home.

“On the second occasion, when the supervisor discovered the complainant to be asleep, fully covered by a duvet on a recliner with the lights in the room dimmed and the television off, the supervisor had used their personal phone to take photographs of the complainant sleeping and make a sound recording of the complainant snoring.”

The employee complained to the Data Protection Commissioner that the use of the photographs and audio recording at a subsequent disciplinary hearing contravened basic data privacy rights. However, the regulator found the care home's actions to be proportionate.

Another case found that biometric information, such as a fingerprint, can be requested by security staff for entry into company facilities. However, the onus is on the company requesting the biometric data to make clear what the data is for and how long it will be retained. If the company does not provide that, it will be in breach of data protection law here.

Separately, the Data Protection Office conducted in-depth audits of several state agencies, including An Garda Síochána, the Revenue Commissioners, the Defence Forces and the Garda Síochána Ombudsman Commission.

“Also selected for close examination was PeoplePoint on foot of the large number of data breaches being reported to the Office,” said the annual report.

PeoplePoint provides an HR and pensions shared service for public-service bodies, managing the data of over 35,000 civil servants.

“In light of the sheer volume of personal data processed via the PeoplePoint shared service centre, an audit of PeoplePoint was conducted in May 2016,” said the annual report.

“The focus of the audit centred on data breaches due to the high number of breaches notified to the DPC by PeoplePoint in 2015 and 2016. In total, 163 breaches were notified by the Data Breach Unit in comparison to 155 breaches reported in 2015.

“The inspection team concluded that the vast majority of data breaches within the organisation occurred as a result of human administrative errors. Overall, the team considered that there was not an acceptable level of awareness of data-protection principles in evidence generally within PeoplePoint in light of the number of breaches being reported by PeoplePoint to the DPC.”

Overall, nine criminal prosecutions were brought against organisations as a result of investigations by the Data Protection Office, the Commissioner said.

The Commissioner also ruled that Airbnb landlords who complain to Airbnb about errant renters' behaviour can have their complaints handed over to those renters.

In one case, a landlord letting out a property through the Airbnb online service made a complaint about a guest. When the guest asked to see the complaint, Airbnb refused citing customer confidentiality. However, after the guest took the matter to the Data Protection Commissioner, Airbnb was told to hand over the content of the complaint to the guest. The regulator found that there had not been a clear enough expression of expected confidentiality by the Airbnb host when making the original complaint.

“Before withholding personal data on the basis that it consists of the expression of an opinion given in confidence or on the understanding that it could be treated as confidential, a data controller must ensure that there is a solid basis for such an assertion,” said the adjudicator in the annual report. “It is not enough for a data controller to simply assume that this is the case in the absence of any indication to this effect from the person who expresses the opinion.”

In another case, Paddy Power admitted that it had used mobile numbers collected for wifi access at one of its shops to send marketing text messages, with no ability to opt out.

The case came to light when an individual, who did not place any bet with Paddy Power, used the company's wifi at its Baggot Street shop. Having been asked to enter a mobile number to access the wifi, the individual then started receiving unsolicited marketing messages.

Texting ‘stop’ to the service had no effect. The betting company said that it was down to “technical issues” and removed other phone numbers it had gathered in a similar way. At Dublin Metropolitan District Court last November, Paddy Power pleaded guilty to one charge of sending an unsolicited marketing text message without consent and one charge of not providing the recipient with a valid means of opting out of the receipt of further marketing messages. However, its only financial sanction was a €500 contribution to a charity and the prosecution costs of the case.
