DPC: Tusla breach let imprisoned father contact children in foster care

20 Feb 2020

Image: © WhataWin/Stock.adobe.com

The DPC’s annual report has highlighted a number of data breaches over the course of 2019, including some that may have put children at risk.

The Irish Data Protection Commission (DPC) has released its 2019 report, charting the first full calendar year since the introduction of GDPR.

Detailed in the report are a number of examples of some of the major cases taken on by the DPC over the year, including dozens from child and family agency Tusla. A total of 75 breaches were identified at the agency between 2018 and 2019, of which 72 were self-reported and three were found through further investigations by the DPC.

Among the most stand-out examples of breaches, the DPC said that the address of children in foster care was accidentally leaked to their imprisoned father, who used it to correspond with his children.

In another breach, Tusla accidentally revealed contact and location data of a mother and child victim to an alleged abuser. A third breach occurred when the agency revealed contact, location and school details of foster parents and children to a grandparent. The grandparent then tried to make contact with the children.

An inquiry into the breaches began in October of last year, with a draft inquiry already issued to Tulsa by the DPC.

An investigation from November 2018 involved 71 instances of personal data disclosure breaches by Tusla, which included people being given inappropriate access to private systems as well as the disclosure of information by email and post.

An inspection of Tusla offices across the country revealed a number of other data breaches. A breach reported in November of last year also involved the disclosure of sensitive data to an individual against whom an allegation of abuse had been made. The disclosed data was subsequently posted on social media.

From banking errors to malware

Elsewhere, an inquiry into 22 breaches at Bank of Ireland began in November 2019 after it was found the bank was, in some instances, sending inaccurate data to the Central Credit Register. This meant that the credit rating of certain bank customers was incorrect. The investigation is still ongoing.

Maynooth University also reported an employee’s email account being hacked with hidden forwarding rules set. Unbeknown to the affected account holder, correspondence between them and another staff member was intercepted and bogus bank account details substituted.

This saw a lump sum of almost €29,000 diverted to the hacker, but an investigation has found no indication the email account holder fell for a phishing attempt. However, the employee’s personal computer did have Trojan malware on it since 2017.

A total of six Maynooth University accounts were found to have been potentially accessed, but no evidence of exploitation has been found on the other five accounts.

As part of the overall report, the DPC said there were 7,215 complaints received in 2019, marking a 75pc increase on the number of complaints in 2018. Just under 5,500 of these were concluded last year.

Colm Gorey was a senior journalist with Silicon Republic