Students at a Carlow school may have had their personal data compromised.
Parents of students at St Leo’s College in County Carlow last week received a letter from the secondary school, notifying them of an attack on the IT system.
According to local radio station KCLR, the school administration was notified of the data breach on 4 April.
An extensive investigation has been launched. The attackers' objective appears to have been to extract money from the school, but controls were in place to prevent such an incident.
Although the main financially motivated aim of the perpetrators was not fulfilled, certain personally identifiable information about both staff and the student body may have been compromised, including names, PPS numbers and dates of birth.
Both the Gardaí and Data Protection Commissioner (DPC) Helen Dixon have been informed of the breach. The principal of the school, Clare Ryan, informed parents that steps would be taken to prevent such a breach from occurring in the future.
“Upon discovery, a thorough investigation was undertaken and we have taken immediate and appropriate steps to contain and remedy the breach and to prevent any reocurrence [sic]. The Data [Protection] Commissioner has been informed and the matter has been reported to An Garda Síochána,” Ryan said.
GDPR will see breach notifications become the norm
With GDPR a month away, more data breach reports such as the one at St Leo’s College are likely to emerge.
Article 33 of the regulation outlines the process by which organisations must report a personal data breach to those affected no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the people concerned. Organisations must also report to the relevant supervisory authority (the Office of the DPC) within the same timeframe.
The notifications will have to describe the measures taken, or to be taken, by the organisation to address the breach, including any mitigation strategies. The likely consequences of the breach will have to be explained, and disclosure of the nature of the breach will also be a requirement under the new EU rules.