HSE employee data stolen in recent hack. Where do I stand?

Green is Growing

I'm a HSE employee. It seems it's becoming apparent my PPSN and bank details have been compromised from the payroll system.

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

I feel in a pretty vulnerable place to be honest.

I even had mortgage application info on my HSE file as well as various tax schemes and HSE credit union files on my shared drive, AND I'm being put through university by the HSE so that's more info.
God knows what else is on my payroll file.

I've already changed my banking passwords.

Should I be speaking to a solicitor?

whippet

Green is Growing wrote: »

I'm a HSE employee. It seems it's becoming apparent my PPSN and bank details have been compromised from the payroll system.

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

I feel in a pretty vulnerable place to be honest.

I even had mortgage application info on my HSE file as well as various tax schemes and HSE credit union files on my shared drive, AND I'm being put through university by the HSE so that's more info.
God knows what else is on my payroll file.

I've already changed my banking passwords.

Should I be speaking to a solicitor?

What will a solicitor do to protect your data ?

Green is Growing

whippet wrote: »

What will a solicitor do to protect your data ?

That's the advice I'm seeking.

secman

Green is Growing wrote: »

I'm a HSE employee. It seems it's becoming apparent my PPSN and bank details have been compromised from the payroll system.

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

I feel in a pretty vulnerable place to be honest.

I even had mortgage application info on my HSE file as well as various tax schemes and HSE credit union files on my shared drive, AND I'm being put through university by the HSE so that's more info.
God knows what else is on my payroll file.

I've already changed my banking passwords.

Should I be speaking to a solicitor?

Smell money do we ?

whippet

whippet wrote: »

What will a solicitor do to protect your data ?

They will help them to exercise their Article 82 rights under GDPR.

Green is Growing

secman wrote: »

Smell money do we ?

No I'm asking where I stand and if I should be taking any particular steps to protect my personal which could include having my entire bank account wiped and all my financial data + PPS abused.

Solicitors aren't just for making claims. I'm not familiar with law things at all and am looking for genuine advice.
Don't appreciate smart-arse boards.ie keyboard warrior comments either.

You could be in the same boat as me.

secman

Green is Growing wrote: »

No I'm asking where I stand and if I should be taking any particular steps to protect my personal which could include having my entire bank account wiped and all my financial data + PPS stolen.

Solicitors aren't just for making claims. I'm not familiar with things at all and am looking for genuine advice.
Don't appreciate smart-arse boards.ie keyboard warrior comments either.

You could be in the same boat as me.

But you said you have changed passwords on your banking data ?

Pringles123

Green is Growing wrote: »

No I'm asking where I stand and if I should be taking any particular steps to protect my personal which could include having my entire bank account wiped and all my financial data + PPS stolen.

Solicitors aren't just for making claims. I'm not familiar with law things at all and am looking for genuine advice.
Don't appreciate smart-arse boards.ie keyboard warrior comments either.

You could be in the same boat as me.

Would you not contact your bank and perhaps the department of social protection then. You will pay through the roof for solicitors advice.

Caranica

Nobody can wipe your bank account through having the BIC and IBAN. Which is what is on payroll systems.

WRT your PPSN, it's highly likely that a flag will be put on PPSNs related to the hack to apply additional checks to any applications or claims using such ppsns.

To be honest, I don't think employees have the most at risk in terms of information being leaked from this hack.

Green is Growing

secman wrote: »

But you said you have changed passwords on your banking data ?

I did. It's still possible it's vulnerable. I don't know.

Pringles123 wrote: »

Would you not contact your bank and perhaps the department of social protection then. You will pay through the roof for solicitors advice.

I will for sure, just said I'd ask here to as somebody might know something i don't. Solicitor will be last resort and I'd rather not have to deal with one.

Caranica wrote: »

Nobody can wipe your bank account through having the BIC and IBAN. Which is what is on payroll systems.

WRT your PPSN, it's highly likely that a flag will be put on PPSNs related to the hack to apply additional checks to any applications or claims using such ppsns.

To be honest, I don't think employees have the most at risk in terms of information being leaked from this hack.

Yeah hopefully it's all okay but I need to take everything into consideration after reading todays announcement from the HSE.

Every staff member will have their medical info leaked as well. But my financial info can hurt me more than my medical imo.
Bad situation for everyone.

Ms. Newbie18

Green is Growing wrote: »

I'm a HSE employee. It seems it's becoming apparent my PPSN and bank details have been compromised from the payroll system.

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

I feel in a pretty vulnerable place to be honest.

I even had mortgage application info on my HSE file as well as various tax schemes and HSE credit union files on my shared drive, AND I'm being put through university by the HSE so that's more info.
God knows what else is on my payroll file.

I've already changed my banking passwords.

Should I be speaking to a solicitor?

Hi OP,

I am not really sure what a solicitor can do for you in this instance, getting advice alone could cost you €€, unless you are looking sue.

As well as changing your banking passwords, I could contact my bank to let them know my details are comprised and they should be extra vigilant over the next 2 years.. do the same with your credit union.

I'd change all my email passwords to.

You could contact citizens advise or the department of social protection and see what they say about your PPSN.

Caranica

Caranica wrote: »

Nobody can wipe your bank account through having the BIC and IBAN. Which is what is on payroll systems.

https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

kravmaga

@ OP,

Your 1st port of call should be to inform your Employer who is the HSE, HR department or your direct line Supervisor/ Manager.

2nd port of call should be to inform the authorities, e.g. An Garda Siochana , Data Protection Commissioner office, GDPR issues, your bank who you have the mortgage with, your credit union.

You have already changed all of your passwords I presume.

How is a solicitor going to help you? Don't get the thought process on that one?

kravmaga

kravmaga wrote: »

How is a solicitor going to help you? Don't get the thought process on that one?

There is an entitlement to compensation under Article 82 of GDPR which I mentioned previously. There will be a class action against the HSE though, so I'd hang tough for now.

SortingYouOut

What can they do with your BIC or IBAN? You may be at risk of them sending you money, but your own funds are safe. Is there anything else that's there that really buts you in any kind of risk, that can't be solved yourself?

whippet

[Deleted User] wrote: »

There is an entitlement to compensation under Article 82 of GDPR which I mentioned previously. There will be a class action against the HSE though, so I'd hang tough for now.

No such thing as a class action in Ireland

SortingYouOut

Jeremy Beagle wrote: »

https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

2008 article, this cannot be done anymore.

whippet

whippet wrote: »

No such thing as a class action in Ireland

There is under GDPR. Article 80 refers.

Alun

If you've ever written a cheque, there's enough information on there, NSC and account number, to generate the IBAN and BIC. Plus, in some countries like Germany, firms display their bank information in full view on all correspondence as it's common there to pay bills by bank transfer. You never hear of them having their bank accounts emptied.

Green is Growing

kravmaga wrote: »

@ OP,

Your 1st port of call should be to inform your Employer who is the HSE, HR department or your direct line Supervisor/ Manager.

2nd port of call should be to inform the authorities, e.g. An Garda Siochana , Data Protection Commissioner office, GDPR issues, your bank who you have the mortgage with, your credit union.

You have already changed all of your passwords I presume.

How is a solicitor going to help you? Don't get the thought process on that one?

I iimagine the HSE are well aware and their legal team is probably working in overtime.

I spoke to the bank and they said they have no guidelines yet. I think I'll probably be fine but still want to be sure.
all passwords changed.

The solicitor thought process is worst case scenario and also me asking if there are any mitigation they could do if I do become a victim but hopefully not.

Jeremy Beagle wrote: »

There is an entitlement to compensation under Article 82 of GDPR which I mentioned previously. There will be a class action against the HSE though, so I'd hang tough for now.

What does a class action involve? I imagine this is going to be a huge legal ordeal for years to come considering the entire country may be effected.

Dempo1

Green is Growing wrote: »

No I'm asking where I stand and if I should be taking any particular steps to protect my personal which could include having my entire bank account wiped and all my financial data + PPS abused.

Solicitors aren't just for making claims. I'm not familiar with law things at all and am looking for genuine advice.
Don't appreciate smart-arse boards.ie keyboard warrior comments either.

You could be in the same boat as me.

We are in the same Boat as you, awaiting news if our data leaked online, but a little more concerning will be personal medical data being released.

If your payroll data has been leaked, presumably you weren't alone in being picked on, one would assume, confirm it, speak to colleagues, speak to your employer and go from there. The leak will (if confirmed) have to be shared (not the info) but leak with DPC, who no doubt will make recommendations you can watch out for, like the rest of us. Getting in touch with a solicitor at present a little premature.

Jim2007

Jeremy Beagle wrote: »

They will help them to exercise their Article 82 rights under GDPR.

No they will help themselves to a large fee and fail in the process.

wandererz

You need to sue.

Jerry Attrick

wandererz wrote: »

You need to sue.

Yep - we all should sue.

That way, we'd all get loads of free compo from the magic money tree and the lawyers would grow fat from all of the fees generated.

My main worry is that if, say, three million of us sue, how long will it take for my case to come to court? Because I want my compo now - while I'm young enough to enjoy it and before the State goes bankrupt.

NewbridgeIR

Jeremy Beagle wrote: »

https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

Poor argument.
Under SEPA rules you can get a refund of a direct debit up to eight weeks later.
In your example, the beneficiary of that action was the British Diabetic Association.

Dempo1

Jerry Attrick wrote: »

Yep - we all should sue.

That way, we'd all get loads of free compo from the magic money tree and the lawyers would grow fat from all of the fees generated.

My main worry is that if, say, three million of us sue, how long will it take for my case to come to court? Because I want my compo now - while I'm young enough to enjoy it and before the State goes bankrupt.

I think the state is technically bankrupt now

Jim2007

Green is Growing wrote: »

I think this is the most valuable information to the hackers and can/will be distributed along with thousands of other employee's info.

This information is common knowledge and worthless hackers. For example, every time you make or receive a bank payment your banking details are flashed around the SEPA payment system.

I've already changed my banking passwords.

Why? The hacking of your employers system should have no impact on your passwords unless you decided to store them on the work computer.

Should I be speaking to a solicitor?

You started out talking about a payroll system, then file sharing and finally your bank password... do you know what was actually hacked?

Do you have evidence that the company were aware of a vulnerability in their system that they failed to address or some data protection process they failed to follow.

Have you suffered a demonstrable material loss as a result of this incident?

Beyond a very small possibility of some personal embarrassment if your files were published I don’t see much you can make a case out of. So if you do decide to consult a solicitor be aware it might be expensive.

Jim2007

wandererz wrote: »

You need to sue.

You can take an action against anyone, whether you’d get a hearing and actually win is another thing.

For a start you’d need to be able to show that the data collector was in some way responsible for the hacking. So long as the company can show that it kept its security patches etc up to date, that will be difficult. So you are talking about paying expertise fees up front.

You also need some kind of quantifiable loss to ensure you won’t end up with some kind of token compensation.

Then there are the barrister consultation fees etc before it even goes to court...

And all because the OP is just concerned at what happened... circumstances might change and action might be warranted down the line. But right now it’s a long shot to go pumping money into.

Hurrache

The HSE wouldn't have had your banking passwords anyway, unless you yourself saved it on a file on the network.

coylemj

[Deleted User] wrote: »

https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

Clarkson was the victim of a prank whereby a bona fide charity accepted a mandate from someone who quoted his IBAN and, having been presented to his bank, they paid out. All of the money was refunded.

This actually proves nothing and note that if you sign a personal cheque and hand it to someone, all of the details (branch sort code and your account number) required to generate your IBAN are printed on it.

So if a would-be fraudster gets your IBAN, there's very little they can do with it. Why the OP changed his login details for online banking is beyond me.

Green is Growing

coylemj wrote: »

Why the OP changed his login details for online banking is beyond me.

It's a basic security measure. You should probably be doing at the least every year.
I'd rather do that than nothing after all my employee and medical records are potentially leaked.