An Post has admitted to a data breach in which the data of up to 8,000 customers was provided to a third party without their knowledge or consent. The breach took place between April 2016 and September 2017 and involves the data of customers who used An Post’s online mail redirection service. An Post discovered that it had inadvertently shared these details with a Dublin-based marketing firm, Precision Marketing Information Ltd, which updated the customers’ details on the records of companies they had previously done business with.
Up to 8,000 customers’ data was sent to a third-party marketing company, allowing businesses that had previously contacted them to market to them at their new addresses.
The letter sent to the potentially affected customers read: “Your new address may have been updated on the records of companies you interact with, and you may have received letters from some companies to your new address instead of your old address. Please be assured that Data Ireland [Precision Marketing Information Ltd] never discloses names and addresses from the file they receive from An Post to direct marketing companies.”
A spokesperson for An Post has said that “no other information other than the customer’s name and address was included in this file, and only where these people [were] already listed on the database was their address updated” and apologised to customers for any inconvenience or concern that the error may have caused them.
An Post has also stated that the DPC was satisfied with its handling of the breach and the steps it took to ensure it would not happen again. With the GDPR due to come into force in under two months, An Post is fortunate that the breach was discovered and reported when it was, as it could have faced a tougher penalty under the GDPR.
Given that no foul play was involved in this breach, it is safe to chalk this one up to human error, which is often the root cause both of data breaches and of cyber attacks succeeding against a network. When breaches like this one occur, one of the main things a company is expected to demonstrate to the Data Protection Commissioner is how it has trained its staff to prevent such incidents from occurring. According to the UK’s Information Commissioner’s Office, companies that ensure their staff undergo ongoing security awareness training are likely to incur lower fines under the GDPR even if a breach does occur.