Civil servant jailed in Ireland for selling citizens’ data

26 Jan 20181.21k Views

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Image: Andriano.cz/Shutterstock

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Case stands as one of the most serious data breaches ever uncovered in Ireland.

A civil servant who sold personal data of citizens to private investigators working for insurance companies has been jailed.

It is understood that Rory Lenihan, a former civil servant at the Department of Social Protection in Letterkenny, was paid close to €22,000 by private investigators over a three-year period in exchange for the data.

‘Today’s court outcome should serve as a very clear warning to employees in all sectors against snooping’
– TONY DELANEY

Lenihan was convicted this week at Letterkenny Circuit Court after pleading guilty to 12 sample charges out of 41 charges.

The charges relate to breaches of section 1(1) and (4) of the Prevention of Corruption Act, 1906 as inserted by section 2 of the Prevention of Corruption Act, 2001.

Penalty for snooping should be a warning to workers everywhere

Today (26 January) the court sentenced Lenihan to two years’ imprisonment on each of the 12 counts, to run concurrently with the final year suspended. In plain English, Lenihan will serve a full year in prison for his actions.

The defendant was accused of a number of charges of receiving corrupt payments between 2008 and 2010 from two private investigators in exchange for supplying them with personal information held on the computer databases of his then employer, the Department of Employment Affairs and Social Protection.

Lenihan was prosecuted by An Garda Síochána following an investigation by the Data Protection Commissioner into three companies in the insurance sector between 2010 and 2011.

That investigation – into Zurich Insurance Plc, FBD Insurance Plc and Travelers Insurance Company Limited – resulted in successful prosecutions under the Data Protection Acts at Dublin Metropolitan District Court in February 2012.

Tony Delaney, assistant commissioner at the Data Protection Commission, said that the investigation into Lenihan followed the receipt of a formal breach report from the Department of Employment Affairs and Social Protection of suspected leaking of personal data held on the Department’s computer systems to third parties by one of its officials.

“Our investigation found evidence on claims files in the insurance companies concerned of social welfare information concerning a number of insurance claimants. We established that the social welfare information had been supplied to the insurance companies by a firm of private investigators, having been disclosed to them by the defendant in today’s proceedings, Rory Lenihan.

“The form and scale of the offending behaviour which came to light in the investigation of this case was shocking. This case stands out as one of the most serious data breaches ever uncovered in this State.

“That a civil servant, who had ready access for the performance of his official duties to the social welfare records of every customer of the Department, abused his position and trawled through those records and passed on personal information from them to private investigators in exchange for corrupt payments is scandalous and appalling,” Delaney said.

Delaney said that five private investigation firms have been prosecuted since 2014 on charges of having obtained personal data on citizens from State databases without authority and passing it on to insurance and finance firms.

“Today’s court outcome should serve as a very clear warning to employees in all sectors against snooping through or disclosing to unauthorised third parties personal data that may be at their disposal in their workplace for the performance of their duties.

“Employees are given access to records of personal data for work-related purposes. Any deviation by employees from those official purposes, such as accessing records to obtain information on behalf of family, friends or others, constitutes a breach of data protection legislation which could result in serious consequences for the employees concerned,” said Delaney.

Editor John Kennedy is an award-winning technology journalist.

editorial@siliconrepublic.com