UCD fined €70k by data watchdog after email accounts' log-in details posted online

The investigation stemmed from the college self-reporting that email accounts had been compromised and were found to have been sending spam.
One of the country’s leading universities has been fined €70,000 by the Data Protection Commission (DPC) after log-in details for some of its email accounts were posted online.
In addition to the fine, University College Dublin has been officially reprimanded and ordered to bring its processes up to General Data Protection Regulation (GDPR) standard over seven separate personal data breaches dating between August 2018 and January 2019.
The DPC said the breaches concerned “instances where unauthorised third parties accessed UCD email accounts, or where the log-in credentials for UCD email accounts were posted online”, while the college had further infringed the GDPR by failing to notify the commission without undue delay – the notification having occurred 13 days after UCD became aware of the breach.
The investigation, which began in July 2019 and involved an on-site inspection, stemmed from the college self-reporting that email accounts across a number of its schools had been compromised and were found to have been sending spam.
Some of the breaches related to individual users “furnishing their credentials” on external websites, the DPC said, while in other cases the college was unable to identify how its systems had been compromised.
The account details were either posted publicly online or were identified via the website haveibeenpwned.com, which allows people to see if their email has been compromised by searching across known data breaches.
UCD, asked whether or not its systems have now been brought in line with GDPR standards, said: “The university has addressed the decision ordered by the DPC with a programme of action.”
“Some elements of which are completed and others are in process,” a spokesperson added.
They said the college “accepts” the DPC’s decision together with the €70,000 fine.
The DPC said UCD had infringed GDPR by failing to “process personal data on its email service in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures”.
The commission added that the college had further infringed the regulation by “storing certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the personal data were processed”.
The ruling is the first such against an Irish third-level institution using the powers of the 2018 Data Protection Act, the legislation used to enact the GDPR in Irish law.
Separate inquiries remain outstanding concerning the University of Limerick and Maynooth University.