The Irish civil service is the latest public sector organization to suffer a damaging insider data breach, after sensitive personal information on over 300 government employees was accidentally emailed to other departments.
The incident, reported to the local Data Protection Commissioner last month, occurred at Irish HR and pension administrator PeoplePoint, according to the Irish Times.
The document in question apparently contained the unencrypted details of 317 civil servants, including names, grade, department, details of overpayments and PPS numbers—similar to UK National Insurance numbers.
It was emailed to the wrong local HR departments after a “momentary lapse in concentration on the part of the officer responsible,” the report claimed.
A filing to the commissioner seen by the paper explained:
“The report was not intended for circulation by email as it is not part of the process or practice to do so. Unfortunately, as it was not meant for distribution in this way, it had not been encrypted.”
Although the mistake was apparently spotted immediately, attempts to recall the email were unsuccessful and a follow-up mail had to be sent asking the recipients to confirm they had deleted and not forwarded or copied the message.
Luke Brown, vice president at DLP firm Digital Guardian, argued that breaches such as this shouldn’t be allowed to happen.
“In this case, if the data was appropriately protected then the sender wouldn’t have been able to attach it in the first place and/or the recipients wouldn’t have been able to open the sensitive files,” he claimed.
Research by the US-based Online Trust Alliance this year found that nearly a third (29%) of breaches in the previous 12 months were down to “lack of internal controls resulting in employees’ accidental or malicious events.”
Meanwhile, globally, “current employees” were singled out as the biggest single source of security incidents (34%) last year, according to PwC.
“Organizations should be prioritizing data protection and aiming to combat human error so that simple mistakes like this don’t happen again,” argued Brown.
“This will become even more important once the proposed EU Data Protection Regulation comes into force and large fines are handed out because of careless and simple mistakes.”