The Central Statistics Office has admitted to a data breach caused by a staff member's error, resulting in a severe breach of data protection rules. It was reported last week that a past employee of the CSO had been sent the P45s of other past and present employees in error. The past employee was outraged at the time, as she believed that 1000 people’s records had been breached.
The CSO has since issued a “sincere apology” for the incident, and volunteered that the incident had not affected 1000 people, but had actually concerned 3000 former employees.
The Central Statistics Office has apologised for a staff error which sent 3000 P45s to a past employee – a catastrophic data breach
A CSO spokesperson has said: “The Central Statistics Office confirms that between November 10 and 14, 2017, as a result of an administrative error, personal P45 information relating to 3,000 former employees was disclosed via email to 4 individuals, in breach of the Data Protection Acts.
Three of the recipients were themselves former employees who had sought access to their P45 records; the fourth was the accountant of one of these former staff members.
The error was discovered on the 14th November and each recipient was immediately contacted and requested to provide confirmation that the emails and their contents had been deleted. These confirmations have been received. The CSO immediately notified the Office of the Data Protection Commissioner (ODPC) of the breach and the individuals affected have been informed by letter.”
The spokesman said: “Confidentiality and protecting individual privacy are core values of the CSO. This incident falls well short of the high standards of confidentiality and data governance demanded by the Office and is taken extremely seriously.
A sincere apology is extended to those affected by this employee data breach. A thorough investigation of the incident is underway and additional control measures have been urgently implemented to safeguard employee data and to reinforce data governance,” he said.
A spokesperson for the Data Protection Commissioner has also released a statement: “I can confirm that a breach notification, in relation to the matter referred to, was submitted by the Central Statistics Office (CSO) to the Data Protection Commissioner on 14 November 2017 under our Personal Data Security Breach Code of Practice.
The DPC is continuing to liaise with the CSO in relation to this breach.”
As is often the case with data breaches, human error was responsible for 3000 P45s being disclosed in error. At Tech Guard, we always recommend that staff undergo data protection and cyber security awareness training, so that they are educated about online risks and understand how damaging a data breach can be to a company or organisation. To give the CSO credit where it’s due, they immediately notified the DPC and were open and forthright about the nature of the breach, a stark contrast to how Uber and Equifax handled their respective data breaches.