The Office received a notification from a data controller, in accordance with the Notification of Personal Data Breach. The notification alerted the Office to the fact that data relating to a large number of students had been discovered on a website that was unrelated to the data controller. The data related to the 2020 academic year.
The Office began an investigation of the matter. The data controller advised the investigation team that the information disclosed on the website comprised each student's name, email address and password. The investigation team confirmed that no financial or sensitive data was involved.
The data controller engaged an external security company to carry out its own investigation into the security breach.
Due to the passage of time, there were no server logs showing when or by whom the data had been uploaded to the website. However, the data controller was able to identify that the published data matched a file created earlier for testing purposes. This file had been sent to a third-party service provider engaged in developing a management system for the data controller. The file was sent via unsecured email.
The third-party service provider informed the data controller that, while there was a relationship between their staff and the website on which the data was published, they had conducted a very thorough review of the matter and could find no evidence that the file had been posted onto the website as a result of an act or omission on their part.
Evaluation of the information showed that the data controller used generic passwords when creating student accounts: the password was the student's date of birth. While students could change their passwords, they were never advised to do so.
While it could not be determined exactly how the data appeared on the website, it was evident that there had been a breach of the Data Protection Acts, in that appropriate security measures were not in place to prevent the unauthorised disclosure of personal data.
During the investigation it was also found that the use of live data for testing purposes was not in accordance with data-protection best practice. Where live data is used by an organisation for testing purposes, there would have to be a strong justification for such use, and the ODPC was not aware of any justification applicable in this particular case.
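The two security findings above, the date-of-birth passwords and the live student file used for testing, are illustrated by the following added example. It is not code from the case or from the data controller; the roster, the key and the password-format list are constructed for illustration, and the PBKDF2 parameters are an assumption (a production system would use the hashing scheme its framework provides). It shows an audit check that flags passwords guessable from a date of birth, account provisioning with a random initial password and a forced change, and a pseudonymised copy of the roster that keeps the record shape developers need without carrying real identities.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed roster standing in for the controller's real student file.
LIVE_STUDENTS = [
    {"id": 1001, "name": "Aoife Byrne", "email": "aoife.byrne@example.edu", "dob": "2001-03-14"},
    {"id": 1002, "name": "Sean Murphy", "email": "sean.murphy@example.edu", "dob": "2000-11-02"},
]


def dob_variants(dob_iso):
    """Common ways a date of birth is written as a password (constructed list)."""
    d = date.fromisoformat(dob_iso)
    formats = ("%Y%m%d", "%d%m%Y", "%d%m%y", "%m%d%Y", "%d/%m/%Y", "%d-%m-%Y", "%Y-%m-%d")
    return {d.strftime(f) for f in formats}


def is_dob_password(password, dob_iso):
    """Audit check: does this password equal the account holder's date of birth?"""
    return password in dob_variants(dob_iso)


def make_initial_password(nbytes=12):
    """Random, per-account initial password (16 URL-safe characters, 96 bits)."""
    return secrets.token_urlsafe(nbytes)


def provision_account(student):
    """Create a credential record; the plaintext is returned once for delivery only."""
    password = make_initial_password()
    salt = secrets.token_bytes(16)
    # PBKDF2-HMAC-SHA256 is used here as a stand-in (assumption); the point is
    # that only a salted hash is stored, never the password itself.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    record = {
        "id": student["id"],
        "email": student["email"],
        "salt": salt.hex(),
        "hash": digest.hex(),
        "must_change_password": True,  # forces a change at first login
    }
    return record, password


def pseudonymise_for_testing(students, key):
    """Build a test copy of the roster with no real names, emails or birth dates.

    The id is replaced by an HMAC of the original id under a key held only by the
    controller, so records stay consistent across tables but cannot be reversed
    by whoever receives the test file.
    """
    out = []
    for n, s in enumerate(students, start=1):
        token = hmac.new(key, str(s["id"]).encode(), hashlib.sha256).hexdigest()[:12]
        # Synthetic DOB derived from the token: years 1960-1979, so it never
        # matches a current student's real date of birth.
        year = 1960 + int(token[:2], 16) % 20
        month = 1 + int(token[2:4], 16) % 12
        day = 1 + int(token[4:6], 16) % 28
        out.append({
            "id": token,
            "name": f"Student {n}",
            "email": f"student{n}@test.invalid",
            "dob": f"{year:04d}-{month:02d}-{day:02d}",
        })
    return out


if __name__ == "__main__":
    for s in LIVE_STUDENTS:
        print(s["email"], "weak DOB password:", is_dob_password("14032001", s["dob"]))
    rec, pw = provision_account(LIVE_STUDENTS[0])
    print("stored record:", rec)
    print("test copy:", pseudonymise_for_testing(LIVE_STUDENTS, b"constructed-test-key"))
```

The pseudonymised file is what should have gone to the service provider; had it leaked, it would have exposed no student. The audit check is the kind of control a controller can run over its own password store before an incident, using the date-of-birth field it already holds.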
- Identify the problem in this scenario
- What are the issues in this case?
- What action would you recommend that the Commissioner take, and why?