Dept of Agriculture refutes data breach claim

6 Oct 2008

The Department of Agriculture has refuted claims that detailed lists of information on the beneficiaries of CAP (Common Agriculture Policy) payments below €30,000 can be accessed on its website.

Last week a security expert informed that by changing parameters on a browser’s internet options, entire lists of beneficiaries of CAP payments such as the Rural Environment Protection Scheme, the Compensatory Allowances in Less Favoured Areas Scheme and the Early Retirement Scheme could be accessed on a county-by-county basis.

By going to internet options in the browser settings, disabling the ‘active scripting’ and then refreshing the browser, entire lists of people in counties starting with first name, surname, municipality and the financial amount given up to €5,000, for example, could be revealed.

However, the Department of Agriculture & Food’s press department has said that all EU member states are required to comply with Council Regulation 1290/2005 and regulation 259/2008, which requires all CAP-paying agencies to publish on their websites certain details of CAP beneficiaries.

“The website was designed in the Department of Agriculture on the basis of the requirements of the relevant regulations,” explained press officer, Martina Kearney.

“I can assure you that this department is in full compliance with these requirements, and is not publishing any information not required under these regulations.”

She said the regulations require the department to publish the beneficiary’s name, their municipality, their postal code (where one exists) and payments data “in respect of all payments, irrespective of the amount.”

She pointed out that other than for payments that exceed €30,000, an individual requires three parameters to conduct a search.

“These are county, surname and payment range. The relevant payment ranges (eg €0-€5,000, €5,000-€10,000) are included in a drop-down box on the system.

“For example, you could search for all payments between €5,000 and €10,000 made to people with the surname ‘Byrne’ in Co Wicklow. Searches may also be narrowed down using more precise criteria. This method was decided upon largely because it produces search results with manageable volumes of data. For payments exceeding €30,000, only one criterion (payment range) is needed, because the numbers of beneficiaries is small.”

However, the method illustrated by the security expert, who wishes not to be named, allows web users to get entire lists of beneficiaries by range and by county.

Kearney said the search mechanism was designed to aid the user in retrieving manageable amounts of data per query.

“The manner in which information is retrievable on the website is, of course, under constant review and changes may be made as appropriate.

“While it is possible to bypass the designed search-query screen, and retrieve all of the records for a county at once, this approach gives access to no additional information on the beneficiaries,” Kearney said.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years