Another week, another data breach Posted by Ross on 25 September 2015


Last week a Liveline listener inadvertently stumbled across a major data protection breach by an Irish company.  The listener was searching for a friend’s phone number online and discovered a list of over 900 names, addresses, car registration numbers and personal telephone numbers.  He was also able to access the holiday calendar for the company, and was able to see who was out sick, who was on compassionate leave and all the employees’ names.  

Data Protection Rule 4 states that: “Appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing”.

It is clear that the web designers used by the company did not take adequate steps to secure the website or the data contained on it.  It goes without saying that personal data should be protected from unauthorized access.  This can be done using a simple login page.  As a software developer and Data Protection Officer, I have no idea how something like this got through the testing phase.  

The data was available for the entire world to see as a result of a simple Google search.  This suggests to me that the website wasn’t hacked.  Instead it suggests that this data breach was a result of carelessness of the company responsible for the website.  If you do not want search engines to index your website or folders in that website, then you should use what’s known as a robots.txt file.  This file tells search engine crawlers which directories can or cannot be crawled/indexed.  

On a positive note, it seems that the company took immediate steps to remove the publicly available personal data from the website; however, it is not known how many people accessed the data before it was taken down.
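The two controls mentioned above, a login page and a robots.txt file, do different jobs, and the example below (added here, not code from the original post or from the company involved) puts them side by side. robots.txt is advisory: it asks well-behaved crawlers such as Googlebot not to index a directory, and Python's standard `urllib.robotparser` evaluates it exactly as such a crawler would. It does nothing to stop a person, or a scraper that ignores it, from fetching the page directly. The `authorize()` function shows the separate check that actually protects the data: a request for a protected path is served only with a valid session. The `/staff/` and `/calendar/` paths, the session token and the robots.txt contents are all constructed for the example.

```python
"""Added example: what robots.txt does and does not do for a directory
holding personal data, next to the access-control check that actually
protects it. Paths, token and robots.txt below are constructed, not
taken from any real site.
"""
from typing import Optional
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: asks crawlers not to index the staff list
# and the holiday calendar. It is a request, not an access control.
ROBOTS_TXT = """\
User-agent: *
Disallow: /staff/
Disallow: /calendar/
"""


def crawler_may_fetch(robots_txt: str, user_agent: str, path: str) -> bool:
    """Evaluate a path the way a well-behaved crawler does.

    Returns False when robots.txt asks this user agent to stay away from
    the path. A crawler that ignores robots.txt never asks this question.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, path)


# Access-control decision for the same paths. robots.txt plays no part:
# the only thing that keeps the employee list off the public internet is
# refusing to serve it to anyone without a valid login session.
PROTECTED_PREFIXES = ("/staff/", "/calendar/")
VALID_SESSIONS = {"constructed-session-token"}  # constructed sample value


def authorize(path: str, session_token: Optional[str]) -> int:
    """Return the HTTP status the server should answer with.

    Public pages are served to anyone (200). Protected paths are served
    only when the request carries a known session token; otherwise the
    server answers 401 and the personal data never leaves the server.
    """
    if path.startswith(PROTECTED_PREFIXES) and session_token not in VALID_SESSIONS:
        return 401
    return 200


if __name__ == "__main__":
    # A polite crawler stays out of /staff/ but indexes the home page.
    print(crawler_may_fetch(ROBOTS_TXT, "Googlebot", "/staff/list.html"))  # False
    print(crawler_may_fetch(ROBOTS_TXT, "Googlebot", "/index.html"))  # True
    # Anyone who fetches /staff/ directly, crawler or not, is stopped only
    # by the login check.
    print(authorize("/staff/list.html", None))  # 401
    print(authorize("/staff/list.html", "constructed-session-token"))  # 200
```

The point to take from running it: if the site in the story had only a robots.txt, the list would have dropped out of Google's index but remained one direct URL away for anyone who already knew or guessed the path. The login check is what satisfies Rule 4; robots.txt merely keeps the search engines from advertising the failure.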

The Data Protection Rules are there to protect you.  Failure to comply with these rules can result in fines and serious reputational damage.  This particular data breach could have been prevented.  However, the necessary steps to secure the website were not taken.