Up to 8,000 An Post customers who asked the company to redirect their mail to a new address have had their details shared with a subsidiary without their knowledge.
Thousands of customers who input their new details in the company's mail re-direction service have had their data inadvertently included in a file containing details from customers who gave permission for their name and address to be used to update external databases.
Up to 8,000 people who used the re-direction service, giving permission for An Post to update their internal database but not to share with any external database, have been subject to the data breach.
The file containing this data was sent to Dublin-based Precision Marketing Information Limited which trades as Data Ireland.
Web developer Kevin Nolan (43) was one of the customers who received the letter from An Post after requesting his mail to be re-directed.
"I moved home recently, and as is the practice, I requested that An Post forward all my mail to my new address," he told Independent.ie.
Mr Nolan said he was "upset and disturbed" that his data has been shared without his explicit permission.
"I work in IT so I know how these files are sent and received," he said.
"Even if best practices are adhered to in this third party, I don't want an insurer I was with ten years ago to be contacting me at my new address. It's very frustrating".
A spokesperson for An Post told Independent.ie that no other information other than the customer's name and address was included in this file, and only where these people already listed on the database was their address updated.
When the company realised the data breach, which took place over the period from April 2016 to September 2017, they informed the Data Protection Commissioner (DPC) and an investigation was carried out.
An Post could not identify exactly how many customers were impacted but wrote out to over 8,000 people to ensure that all who may have had their data shared without their knowledge were informed.
"Your new address may have been updated on the records of companies you interact with, and you may have received letters from some companies to your new address instead of your old address," read the letter.
"Please be assured that Data Ireland never discloses names and addresses from the file they receive from An Post to direct marketing companies."
The letter also advised customers that only where their name and old address exactly matched that held by a Data Ireland business customer, were their address details updated on their database.
An Post have stated that the DPC was satisfied with their handling of the issue, their action to correct the error and to ensure it would not happen again.
"The matter is now closed...We apologise for any inconvenience or concern that this error may have caused to the customers," the spokesperson said.
Is your business GDPR ready? Find out at Dublin Data Sec 2018 on April 9th.