HSE employee data stolen in recent hack. Where do I stand?

Green is Growing

I'm a HSE employee. It seems it's becoming apparent my PPSN and bank details have been compromised from the payroll system.

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

I feel in a pretty vulnerable place to be honest.

I even had mortgage application info on my HSE file as well as various tax schemes and HSE credit union files on my shared drive, AND I'm being put through university by the HSE so that's more info.
God knows what else is on my payroll file.

I've already changed my banking passwords.

Should I be speaking to a solicitor?

whippet

Green is Growing wrote: »

I'm a HSE employee. It seems it's becoming apparent my PPSN and bank details have been compromised from the payroll system.

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

I feel in a pretty vulnerable place to be honest.

I even had mortgage application info on my HSE file as well as various tax schemes and HSE credit union files on my shared drive, AND I'm being put through university by the HSE so that's more info.
God knows what else is on my payroll file.

I've already changed my banking passwords.

Should I be speaking to a solicitor?

What will a solicitor do to protect your data ?

Green is Growing

whippet wrote: »

What will a solicitor do to protect your data ?

That's the advice I'm seeking.

secman

Green is Growing wrote: »

I'm a HSE employee. It seems it's becoming apparent my PPSN and bank details have been compromised from the payroll system.

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

I feel in a pretty vulnerable place to be honest.

I even had mortgage application info on my HSE file as well as various tax schemes and HSE credit union files on my shared drive, AND I'm being put through university by the HSE so that's more info.
God knows what else is on my payroll file.

I've already changed my banking passwords.

Should I be speaking to a solicitor?

Smell money do we ?

whippet

whippet wrote: »

What will a solicitor do to protect your data ?

They will help them to exercise their Article 82 rights under GDPR.

Green is Growing

secman wrote: »

Smell money do we ?

No I'm asking where I stand and if I should be taking any particular steps to protect my personal which could include having my entire bank account wiped and all my financial data + PPS abused.

Solicitors aren't just for making claims. I'm not familiar with law things at all and am looking for genuine advice.
Don't appreciate smart-arse boards.ie keyboard warrior comments either.

You could be in the same boat as me.

secman

Green is Growing wrote: »

No I'm asking where I stand and if I should be taking any particular steps to protect my personal which could include having my entire bank account wiped and all my financial data + PPS stolen.

Solicitors aren't just for making claims. I'm not familiar with things at all and am looking for genuine advice.
Don't appreciate smart-arse boards.ie keyboard warrior comments either.

You could be in the same boat as me.

But you said you have changed passwords on your banking data ?

Pringles123

Green is Growing wrote: »

No I'm asking where I stand and if I should be taking any particular steps to protect my personal which could include having my entire bank account wiped and all my financial data + PPS stolen.

Solicitors aren't just for making claims. I'm not familiar with law things at all and am looking for genuine advice.
Don't appreciate smart-arse boards.ie keyboard warrior comments either.

You could be in the same boat as me.

Would you not contact your bank and perhaps the department of social protection then. You will pay through the roof for solicitors advice.

Caranica

Nobody can wipe your bank account through having the BIC and IBAN. Which is what is on payroll systems.

WRT your PPSN, it's highly likely that a flag will be put on PPSNs related to the hack to apply additional checks to any applications or claims using such ppsns.

To be honest, I don't think employees have the most at risk in terms of information being leaked from this hack.

Green is Growing

secman wrote: »

But you said you have changed passwords on your banking data ?

I did. It's still possible it's vulnerable. I don't know.

Pringles123 wrote: »

Would you not contact your bank and perhaps the department of social protection then. You will pay through the roof for solicitors advice.

I will for sure, just said I'd ask here to as somebody might know something i don't. Solicitor will be last resort and I'd rather not have to deal with one.

Caranica wrote: »

Nobody can wipe your bank account through having the BIC and IBAN. Which is what is on payroll systems.

WRT your PPSN, it's highly likely that a flag will be put on PPSNs related to the hack to apply additional checks to any applications or claims using such ppsns.

To be honest, I don't think employees have the most at risk in terms of information being leaked from this hack.

Yeah hopefully it's all okay but I need to take everything into consideration after reading todays announcement from the HSE.

Every staff member will have their medical info leaked as well. But my financial info can hurt me more than my medical imo.
Bad situation for everyone.

Ms. Newbie18

Green is Growing wrote: »

I'm a HSE employee. It seems it's becoming apparent my PPSN and bank details have been compromised from the payroll system.

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

I feel in a pretty vulnerable place to be honest.

I even had mortgage application info on my HSE file as well as various tax schemes and HSE credit union files on my shared drive, AND I'm being put through university by the HSE so that's more info.
God knows what else is on my payroll file.

I've already changed my banking passwords.

Should I be speaking to a solicitor?

Hi OP,

I am not really sure what a solicitor can do for you in this instance, getting advice alone could cost you €€, unless you are looking sue.

As well as changing your banking passwords, I could contact my bank to let them know my details are comprised and they should be extra vigilant over the next 2 years.. do the same with your credit union.

I'd change all my email passwords to.

You could contact citizens advise or the department of social protection and see what they say about your PPSN.

Caranica

Caranica wrote: »

Nobody can wipe your bank account through having the BIC and IBAN. Which is what is on payroll systems.

https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

kravmaga

@ OP,

Your 1st port of call should be to inform your Employer who is the HSE, HR department or your direct line Supervisor/ Manager.

2nd port of call should be to inform the authorities, e.g. An Garda Siochana , Data Protection Commissioner office, GDPR issues, your bank who you have the mortgage with, your credit union.

You have already changed all of your passwords I presume.

How is a solicitor going to help you? Don't get the thought process on that one?

kravmaga

kravmaga wrote: »

How is a solicitor going to help you? Don't get the thought process on that one?

There is an entitlement to compensation under Article 82 of GDPR which I mentioned previously. There will be a class action against the HSE though, so I'd hang tough for now.

SortingYouOut

What can they do with your BIC or IBAN? You may be at risk of them sending you money, but your own funds are safe. Is there anything else that's there that really buts you in any kind of risk, that can't be solved yourself?

whippet

[Deleted User] wrote: »

There is an entitlement to compensation under Article 82 of GDPR which I mentioned previously. There will be a class action against the HSE though, so I'd hang tough for now.

No such thing as a class action in Ireland

SortingYouOut

Jeremy Beagle wrote: »

https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

2008 article, this cannot be done anymore.

whippet

whippet wrote: »

No such thing as a class action in Ireland

There is under GDPR. Article 80 refers.

Alun

If you've ever written a cheque, there's enough information on there, NSC and account number, to generate the IBAN and BIC. Plus, in some countries like Germany, firms display their bank information in full view on all correspondence as it's common there to pay bills by bank transfer. You never hear of them having their bank accounts emptied.

Green is Growing

kravmaga wrote: »

@ OP,

Your 1st port of call should be to inform your Employer who is the HSE, HR department or your direct line Supervisor/ Manager.

2nd port of call should be to inform the authorities, e.g. An Garda Siochana , Data Protection Commissioner office, GDPR issues, your bank who you have the mortgage with, your credit union.

You have already changed all of your passwords I presume.

How is a solicitor going to help you? Don't get the thought process on that one?

I iimagine the HSE are well aware and their legal team is probably working in overtime.

I spoke to the bank and they said they have no guidelines yet. I think I'll probably be fine but still want to be sure.
all passwords changed.

The solicitor thought process is worst case scenario and also me asking if there are any mitigation they could do if I do become a victim but hopefully not.

Jeremy Beagle wrote: »

There is an entitlement to compensation under Article 82 of GDPR which I mentioned previously. There will be a class action against the HSE though, so I'd hang tough for now.

What does a class action involve? I imagine this is going to be a huge legal ordeal for years to come considering the entire country may be effected.

Dempo1

Green is Growing wrote: »

No I'm asking where I stand and if I should be taking any particular steps to protect my personal which could include having my entire bank account wiped and all my financial data + PPS abused.

Solicitors aren't just for making claims. I'm not familiar with law things at all and am looking for genuine advice.
Don't appreciate smart-arse boards.ie keyboard warrior comments either.

You could be in the same boat as me.

We are in the same Boat as you, awaiting news if our data leaked online, but a little more concerning will be personal medical data being released.

If your payroll data has been leaked, presumably you weren't alone in being picked on, one would assume, confirm it, speak to colleagues, speak to your employer and go from there. The leak will (if confirmed) have to be shared (not the info) but leak with DPC, who no doubt will make recommendations you can watch out for, like the rest of us. Getting in touch with a solicitor at present a little premature.

Jim2007

Jeremy Beagle wrote: »

They will help them to exercise their Article 82 rights under GDPR.

No they will help themselves to a large fee and fail in the process.

wandererz

You need to sue.

Jerry Attrick

wandererz wrote: »

You need to sue.

Yep - we all should sue.

That way, we'd all get loads of free compo from the magic money tree and the lawyers would grow fat from all of the fees generated.

My main worry is that if, say, three million of us sue, how long will it take for my case to come to court? Because I want my compo now - while I'm young enough to enjoy it and before the State goes bankrupt.

NewbridgeIR

Jeremy Beagle wrote: »

https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

Poor argument.
Under SEPA rules you can get a refund of a direct debit up to eight weeks later.
In your example, the beneficiary of that action was the British Diabetic Association.

Dempo1

Jerry Attrick wrote: »

Yep - we all should sue.

That way, we'd all get loads of free compo from the magic money tree and the lawyers would grow fat from all of the fees generated.

My main worry is that if, say, three million of us sue, how long will it take for my case to come to court? Because I want my compo now - while I'm young enough to enjoy it and before the State goes bankrupt.

I think the state is technically bankrupt now

Jim2007

Green is Growing wrote: »

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

This information is common knowledge and worthless hackers. For example, every time you make or receive a bank payment your banking details are flashed around the SEPA payment system.

I've already changed my banking passwords.

Why? The hacking of your employers system should have no impact on your passwords unless you decided to store them on the work computer.

Should I be speaking to a solicitor?

You started out talking about a payroll system, then file sharing and finally your bank password... do you know what was actually hacked?

Do you have evidence that the company were aware of a vulnerability in their system that they failed to address or some data protection process they failed to follow.

Have you suffered a demonstrable material loss as a result of this incident?

Beyond a very small possibility of some personal embarrassment if your files were published I don’t see much you can make a case out of. So if you do decide to consult a solicitor be aware it might be expensive.

Jim2007

wandererz wrote: »

You need to sue.

You can take an action against anyone, whether you’d get a hearing and actually win is another thing.

For a start you’d need to be able to show that the data collector was in some way responsible for the hacking. So long as the company can show that it kept its security patches etc up to date, that will be difficult. So you are talking about paying expertise fees up front.

You also need some kind of quantifiable loss to ensure you won’t end up with some kind of token compensation.

Then there are the barrister consultation fees etc before it even goes to court...

And all because the OP is just concerned at what happened... circumstances might change and action might be warranted down the line. But right now it’s a long shot to go pumping money into.

Hurrache

The HSE wouldn't have had your banking passwords anyway, unless you yourself saved it on a file on the network.

coylemj

[Deleted User] wrote: »

https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

Clarkson was the victim of a prank whereby a bona fide charity accepted a mandate from someone who quoted his IBAN and, having been presented to his bank, they paid out. All of the money was refunded.

This actually proves nothing and note that if you sign a personal cheque and hand it to someone, all of the details (branch sort code and your account number) required to generate your IBAN are printed on it.

So if a would-be fraudster gets your IBAN, there's very little they can do with it. Why the OP changed his login details for online banking is beyond me.

Green is Growing

coylemj wrote: »

Why the OP changed his login details for online banking is beyond me.

It's a basic security measure. You should probably be doing at the least every year.
I'd rather do that than nothing after all my employee and medical records are potentially leaked.

Green is Growing

sugarman wrote: »

...it still has absolutely nothing to do with it though and there's no need to be constantly changing your password when all banks now require 2FA for every login.

Good to know.

3DataModem

If there's a data leak, you need to be notified.

If they were negligent, you may be able to make a claim. Because entire country would be the claimant AND the (in legal vernacular) the "mark", then it is unlikely to be an action that will ever see court or settlement.

jumbone

coylemj wrote: »

Clarkson was the victim of a prank whereby a bona fide charity accepted a mandate from someone who quoted his IBAN and, having been presented to his bank, they paid out. All of the money was refunded.

This actually proves nothing and note that if you sign a personal cheque and hand it to someone, all of the details (branch sort code and your account number) required to generate your IBAN are printed on it.

So if a would-be fraudster gets your IBAN, there's very little they can do with it. Why the OP changed his login details for online banking is beyond me.

Would have been sort code & account number not IBAN and I don't believe the payments were refunded as he was a good sport about it and let it stand - that said he could have easily done so had he wished.

UK Direct Debit Guarantee wrote:

https://www.directdebit.co.uk/DirectDebitExplained/pages/directdebitguarantee.aspx

If an error is made in the payment of your Direct Debit, by the organisation or your bank or building society, you are entitled to a full and immediate refund of the amount paid from your bank or building society

SEPA DD Rights wrote:

https://www.europeanpaymentscouncil.eu/what-we-do/sepa-direct-debit#par-426Payers can get their money back: in the

scheme, a refund is possible up to eight weeks after the transaction without supplying any justification; in the case of an unauthorised direct debit, a refund request can be made up to 13 months after the transaction.

If a DD is presented and paid and the customer disputes the validity of the mandate, their bank can reverse it instantly as soon as they are contacted.

When I worked in a bank we would do this without question - only quoting a disclaimer that if the originator deems them to be responsible for the DD(i.e. the mandate was not faulty/the amount was correct etc) they can re-present it and the originator may apply a charge for an unpaid DD (dependent on the Ts&Cs agreed to on the DD mandate)

This happens every time somebody is worried about their 'bank details' - somebody says "sure all that info is on a cheque that you write" and then somebody else posts the Clarkson story to get a load of likes. It gets old

Chavez.

Call me an idiot but I still don't understand this Identity theft thing

Like what can thieves do with basic info

coylemj

Green is Growing wrote: »

It's a basic security measure. You should probably be doing at the least every year.
I'd rather do that than nothing after all my employee and medical records are potentially leaked.

You never gave your login details for online banking to the HSE so changing the password or login PIN makes no sense.

All the payroll system had was your IBAN number, the only thing that hackers can do with that is transfer money to you.

flask_fan

Where did you see this?
Not disputing the assertion just wondering were you sa it.

Green is Growing wrote: »

I'm a HSE employee. It seems it's becoming apparent my PPSN and bank details have been compromised from the payroll system.

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

I feel in a pretty vulnerable place to be honest.

I even had mortgage application info on my HSE file as well as various tax schemes and HSE credit union files on my shared drive, AND I'm being put through university by the HSE so that's more info.
God knows what else is on my payroll file.

I've already changed my banking passwords.

Should I be speaking to a solicitor?

oisinog

Green is Growing wrote: »

No I'm asking where I stand and if I should be taking any particular steps to protect my personal which could include having my entire bank account wiped and all my financial data + PPS abused.

Solicitors aren't just for making claims. I'm not familiar with law things at all and am looking for genuine advice.
Don't appreciate smart-arse boards.ie keyboard warrior comments either.

You could be in the same boat as me.

Well unless you gave your employer your card number there is very little you can do with an account number. If you ever hand someone a cheque you are giving them your account number

GerardKeating

Chavez. wrote: »

Call me an idiot but I still don't understand this Identity theft thing

Like what can thieves do with basic info

• Open a Credit Card in your name, but have it sent to their address
• Get a Bank loan in your name, and it paid to them
• You would be amazed how many people us "Basic Details" for online password.

Chavez.

GerardKeating wrote: »

• Open a Credit Card in your name, but have it sent to their address
• Get a Bank loan in your name, and it paid to them
• You would be amazed how many people us "Basic Details" for online password.

Ok but I thought the basic fraud 1+2 above had been stopped by the systems

GerardKeating

Chavez. wrote: »

Ok but I thought the basic fraud 1+2 above had been stopped by the systems

Given the effort that fraudsters put into it, i assume there is a way...

Jim2007

Jeremy Beagle wrote: »

There is an entitlement to compensation under Article 82 of GDPR which I mentioned previously. There will be a class action against the HSE though, so I'd hang tough for now.

There is no such thing as a class action in Irish law as yet and there is only an entitlement to bring an action under A82 within a limited criteria.

Jim2007

GerardKeating wrote: »

Given the effort that fraudsters put into it, i assume there is a way...

Hackers are lazy by nature, they don’t want put a lot of effort into getting a single physical card when there are plenty of easier targets around and collecting a physical card puts them at risk of exposure.