Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Breach of GDPR by the Teaching Council

Options
  • 29-03-2020 6:02pm
    #1
    s1ippy
    Banned (with Prison Access) Posts: 2,980 ✭✭✭


    Did anyone else receive the email stating that an email containing a spreadsheet with information including:

    Full Name
    PPSN
    Home Address

    has been sent to an email address after a phishing scam targeting the Teaching Council admin staff went unnoticed for several days?

    Have no fear, the email I replied with sent an FAQ about the incident which completely put my mind at ease -
    1. What Happened?
    As previously outlined, a phishing email was sent to a small number of Teaching Council staff. The phishing email caused a script to be activated that established an auto forwarding rule for all subsequent emails being sent to the staff members concerned. This meant that emails received from those staff members were automatically forwarded to an external Gmail account for a short period of time. The address of the Gmail account is *redacted* This was detected as a result of the security procedures in place across our IT systems.

    The Council carried out a detailed and complete analysis of any emails which may potentially have been forwarded and their contents. On foot of that, we have outlined to you what personal data has been impacted in our previous notification.

    The Council has engaged IT consultants to investigate the matter thoroughly. They have confirmed that there have been no further unauthorised access attempts since this occurrence was detected.

    While any such occurrence is regrettable, the actions taken ensure that the issue has been confined and isolated appropriately.

    2. How many people were affected by this?
    The personal data of approximately 9,735 individuals were affected. This data was contained in two spreadsheets that were circulated internally within the Council systems. The circulation of such attachments in the Council is not normal practice and steps have been taken to ensure that this does not happen again.

    3. Was any special category data disclosed?

    No special category data was disclosed. Special Category data, as defined in the General Data Protection Regulation (GDPR), is personal data revealing:

    Race and/or ethnic origin
    Religious or philosophical beliefs
    Political opinions
    Trade union memberships
    Biometric data used to identify an individual
    Genetic data
    Health data
    Data related to sexual preferences, sex life, and/or sexual orientation
    While PPS numbers are important data, they do not fall within the definition of special category data.

    4. Has the Data Protection Commission been notified?

    The Data Protection Commissioner (DPC) was notified of the incident within the 72 hours, which is the required period for notification. We also consulted with them on the notification which you received.


    5. Have other relevant authorities been notified?

    An Garda Síochána have been notified of the incident and Google were also notified of the details of the mailbox.

    6. What steps should I take?

    While it is good practice generally to be vigilant for any suspicious activity, the risk of any malicious activity associated with your personal information (and in particular PPS numbers) is low in circumstances where the majority of security protocols for public and private organisations require multi-factor authenticity. The ability to misuse your data is restricted in circumstances where the data disclosed did not include your date or birth, email address or any financial information.

    In basic terms, this means that any attempts at fraudulent use of the disclosed data would be difficult without other verifying data, which was not disclosed.

    If you have any concerns whatsoever, you may of course report the disclosure of your PPS number to the Department of Employment Affairs and Social Protection using the numbers available at the following link https://www.gov.ie/en/publication/fd52ab-public-services-card/

    Please be assured that the Teaching Council takes this matter and the security of data very seriously. This was strictly an isolated incident and the wider systems or databases of The Teaching Council have not been affected.

    Actually it really didn't.

    They seem to think that it's not a big deal that they've given up three pieces of crucial information about thousands of people which can be used to defraud them.

    They also bizarrely provide the link for the Public Services Card instead of the link to tell the DSP your information has been compromised. The fecklessness is staggering.


Advertisement