The statutory body with responsibility for regulating teachers has been fined €60,000 after the personal data of more than 9,700 people was leaked via a phishing scam.
The Data Protection Commission delivered the fine, and a reprimand, to the Teaching Council following an investigation spanning just under two years.
The initial breach occurred when two council staff members opened a suspicious email, which facilitated the creation of an auto-forward rule allowing for emails to be forwarded from the council’s servers to a malicious Gmail address.
Some 323 emails, containing the personal data of 9,735 people and the sensitive personal data of one person, were automatically forwarded from the compromised accounts between February 17 and March 6, 2020, when the problematic rule was eventually discovered.
In addition to the fine and the official reprimand, the commission said the Teaching Council must bring its processes into line with the EU’s GDPR data protection legislation by June 2 at the latest.
The commission noted that the Teaching Council had been made aware via an alert that a forwarding rule had been created within its staff email servers. However, the council “did not discover at that time” that the breach had occurred due to “no evidence of malware” being noted. Four alerts were sent to the council’s IT section before the problem was recognised.
The commission said the precise number of affected data subjects could not be provided by the council, but that the vetting status of 9,735 teachers (including names, address, PPS numbers and clearance status) was compromised.
In terms of breaches of GDPR, the commission found that Articles 5 and 32, which provide for the confidentiality of personal data and security of data processing respectively, had been violated.
One of the emails forwarded to the malicious account was a spreadsheet containing the vetting status details of almost 10,000 teachers, the commission said, and that at the time the council was using a free version of Office 365, with lesser security functionality.
The council was asked why a shared online drive, as opposed to an offline Excel spreadsheet, was not in use for that sensitive information, but “did not provide an explanation”, the commission said.
Contacted for comment, the Teaching Council said the breach is “very much regretted”, and that while it believes there were “mitigating factors”, it is not appealing the decision.