Shocking data breaches are rife in Irish public sector

8 Apr 2010

Data Protection Commissioner Billy Hawkes has hit out at the reluctance of Irish public-sector bodies to deal with data protection issues. More than 900 breaches in the private and public sector were investigated and breaches were up 50pc year-on-year.

Once again, Hawkes’ report focuses on the responsibility of private and public-sector organisations to treat the personal information of their customers and clients with respect.

During 2009, the Office of the Data Protection Commissioner opened 914 complaints for investigation. This slight decrease on the figure for 2008 (1,031) can be accounted for in some respects by the almost halving over the last two years of complaints about unsolicited direct marketing text messages, phone calls, fax messages and emails.

The Data Protection Commissioner said this is attributable in part to a series of prosecutions against a number of companies operating in the premium-rate text-messaging sector.

Four firms successfully prosecuted

Successful prosecutions in 2009 included four companies operating in the premium-rate text-messaging sector, a restaurant and a gym. In all cases it was for repeat offences.

Hawkes considers that the message from his office should now be clear – entities that continue to commit offences in relation to electronic marketing face prosecution.

Hawkes also reports on efforts to minimise the number and impact of personal data security breaches and, when such breaches occur, to encourage organisations to voluntarily report the incidents to his office.

Some 119 data security breach incidents were reported to the office in 2009, a 47pc increase on the number of reports received in the previous 12 months (there were 81 reports in 2008).

Hawkes reports on high-profile data security breach incidents that occurred in 2009 involving Bord Gáis Éireann and the Health Service Executive.

The Commissioner highlighted his concerns about the current inability of his office to investigate the sending of unsolicited text messages, emails or the making of unsolicited phone calls by candidates for election or political parties.

He also outlined the outcome of an engagement with the Garda Síochána on its automatic number plate system. The report also outlines views conveyed by the commissioner on the DNA Bill, the Communications (Retention of Data) Bill and a Spent Convictions Bill.

The report also details discussions with Google in relation to Google Streetview in Ireland.

Data Protection Commissioner report

Hawkes’ report also includes case studies of a number of specific investigations including:

· Quinn Insurance seeking excessive penalty point information from individuals seeking motor insurance quotes.

· A paternity test result sent to the wrong address.

· The use of postcards to communicate with customers regarding overdue accounts.

· An employer covertly surveilling an employee.

· Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages.

· Prosecution of Brasserie Sixty6 for the sending of unsolicited direct marketing text messages.

· Disclosure of personal information by an airline due to inappropriate security measures.

· Four legal enforcement notices issued, two of which were to Iarnród Éireann.

· Both Bord Gáis and HSE were called out as having inappropriate security measures on laptop computers.

· Complaints about unsolicited text messages in the run-up to the local elections last year could not be investigated due to an exemption for politicians.

· The number of requests about drivers made to motor tax offices is increasing.

Security firm Espion’s technical director Colm Murphy said that as today’s workforce becomes more mobile, technologies such as VPNs, wireless and the ubiquitous laptop have, for many, replaced the traditional desk-bound computing environment.

“As laptops, BlackBerrys and other mobile devices become de facto, data no longer just resides on secured servers located at corporate headquarters. Although this shift has advantages for companies and their employees in terms of productivity and flexibility, it presents a host of challenges as to how the data outside the four walls of the office can be adequately safeguarded.

“Whereas previously, security threats came in the form of hackers targeting the server rooms of companies, now every laptop could potentially contain confidential customer and/or corporate data that is critical to a company’s operations.

Consequences of laptop theft

“The extent of the damage a laptop theft can create is limitless – no longer can the value of the laptop be based on the hardware cost; the cost of a stolen laptop could be a whole lot more.

“Beyond the Bord Gáis and HSE examples, the records of over 171,000 Irish blood donors were on a laptop that went missing in New York in February 2008, and in November 2007, two British Revenue and Customs CDs containing the personal details of 25m Britons were reported missing and to date have not been found.

“As today’s world calls for people to have access to data regardless of where they physically are, laptops and mobile devices will become more and more prevalent, not just as the means of doing business, but as a target for data thieves,” Murphy said.

By John Kennedy

Photo: The Office of the Data Protection Commissioner opened 914 complaints for investigation last year

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years