HEA Data Breach: Lessons to Learn
The Sunday Business Post carries a story today of a data security breach in the Higher Education Authority’s Springboard Courses website that has potentially put the personal data of over 45,000 people at risk of unauthorised access.
The Office of the Data Protection Commission is investigating and I have no desire to prejudge the DPC’s inquiry, but this incident highlights the importance of data protection fundamentals and data protection by design and by default in organisations of all kinds.
What GDPR requires
In the context of the type of processing being undertaken by the HEA (a searchable database of people who have done courses), the GDPR requirements are simple:
- Access to the searchable database must be limited to authorised persons
- The information made available to those people should be the minimum necessary to perform the function for which they are searching the database.
Ultimately, there needs to be appropriate organisational and technical controls to prevent unauthorised access to personal data (Article 32 GDPR).
Article 25 of GDPR also requires that data protection principles must be considered and applied in the design of processing activities.
Control over access
The HEA portal could be accessed by anyone who registered as an employer. There was no validation or verification process in place, other than to prevent the use of email addresses from free email services like Outlook.com. The requirement to enter details of a company registration number and company details was not supported by any validation or verification process.
However, I’m sceptical as to what validation process would actually work in this context, without a properly defined and implemented process by HEA for employers to register and be validated. CRO numbers are publicly available, company address details don’t have to match the registered address of the company, and the email domain used by a company isn’t associated with their CRO number.
Control over disclosure
The HEA portal provided any registered “employer” with access to the name, email address, mobile number, landline number, and course of study for any learner who has undertaken a Springboard course. Once the “employer” accessed the portal, they could save these details to a contact list.
The question to be asked in a DPIA would be “Is it necessary for employers to be able to access contact information directly, or is there an alternative mechanism that allows for contact without disclosure of details?”.
If there is a way of achieving the objective with less processing of or disclosure of data, then that approach should be considered.
HEA will argue that the disclosure of data is based on consent. However, the information provided to learners doesn’t state that anyone who has registered as an employer would have direct access to contact information, including personal email addresses and mobile phone numbers. Therefore, it is difficult to argue that the consent was specific, informed, and unambiguous. Individuals should have had the choice to limit or restrict access to some or all of their contact information.
Also, as the site contains profiles for learners who undertook courses back in 2011, it’s questionable whether any consent obtained at that time would be valid under GDPR. I’d also question whether over 45000 people actually gave consent. That number is impressively high. One must assume that HEA have evidence of how and when that consent was obtained in each case.
Controls over Retention
The HEA Springboard Portal allow(ed) employers to search for people who had undertaken courses as far back as 2011. Putting it bluntly: how likely is it that this data is accurate, up-to-date, or relevant for the purposes of any potential employer?
A fundamental principle of data protection law for the past 40 years has been that data should not be retained in a way that allows the identification of individuals once the purpose for which it was obtained has ended. A DPIA should have considered whether the disclosure of data retained by HEA in this way was compatible with the purposes for which data was being retained.
Risk Profile and Potential for Abuse
The potential for abuse of this information is obvious to anyone who works in data protection or information security. A scammer could use this information to send a phishing email purporting to be from an academic institute claiming an issue with the learner’s paperwork that requires a fee to be paid, or a refund that needs to be processed which requires bank account details to be provided.
There is also the potential for people who work in roles relating to security or law enforcement to have undertaken courses and to now have their mobile numbers and email addresses potentially exposed, as reported by the Business Post.
Again – these are risk factors that should be considered in the DPIA for any sort of process such as this, and which should result in a process being designed that does not expose personal data of 45000 people.
Lessons to Learn
- Data Protection Impact Assessments are an invaluable risk management tool that inform the design of policies, processes, and services. They should be kept under review as technology, processes, legislation, or regulatory guidance evolve.
- It is ESSENTIAL that organisations engage supports in doing DPIAs that ensure that the potential risks of unauthorised access or disclosure are identified and understood. It’s also important that any assumptions around security controls are tested during the design of processes. For example, requiring a CRO number for a business is a questionable control to prevent unauthorised access.
- It is also important, when making data available in a searchable format, that you consider the age of the data, the accuracy of the data, and whether there is a legal basis for retaining the data in a searchable database.
- A guiding principle should always be whether the objective can be met with the disclosure of less data or the provision of an alternative mechanism that doesn’t require the disclosure of data at all.
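As an added illustration (not HEA’s code, which is not public, and not taken from the Business Post report): the registration check the post describes under “Control over access” (free-mail domains rejected, nothing else verified) next to the kind of minimised, mediated design the “Control over disclosure” and “Controls over Retention” sections argue a DPIA should have led to. The retention window, the per-learner opt-out flag, the free-mail list and the sample records are assumptions made for the example.

```python
from datetime import date

AS_OF = date(2024, 6, 1)           # fixed "today" so the example is reproducible
RETENTION_YEARS = 3                # assumed policy: how long a profile stays searchable
FREE_MAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com"}  # assumed blocklist
CONTACT_FIELDS = {"name", "email", "mobile", "landline"}

# Constructed sample records (not real data), using the fields the post says
# the portal exposed; "contactable" is the per-learner choice the post calls for.
LEARNERS = [
    {"id": 1, "name": "Learner One", "email": "one@example.net", "mobile": "0850000001",
     "landline": "0160000001", "course": "Data Analytics", "year": 2011, "contactable": True},
    {"id": 2, "name": "Learner Two", "email": "two@example.net", "mobile": "0850000002",
     "landline": "0160000002", "course": "Data Analytics", "year": 2023, "contactable": True},
    {"id": 3, "name": "Learner Three", "email": "three@example.net", "mobile": "0850000003",
     "landline": "0160000003", "course": "Data Analytics", "year": 2023, "contactable": False},
]


def weak_employer_check(email: str) -> bool:
    """The only gate the post describes: reject free-mail domains.
    Any other domain is accepted with no verification of the employer."""
    return email.rsplit("@", 1)[-1].lower() not in FREE_MAIL_DOMAINS


def within_retention(record, today=AS_OF) -> bool:
    """Profiles older than the retention window are neither searchable nor contactable."""
    return record["year"] >= today.year - RETENTION_YEARS


def employer_view(records, course, today=AS_OF):
    """Minimised search result: an opaque reference and the course only.
    Contact fields never leave the server; opted-out and stale profiles are omitted."""
    return [{"ref": f"L-{r['id']}", "course": r["course"]}
            for r in records
            if r["course"] == course and r["contactable"] and within_retention(r, today)]


def relay_contact(records, ref, message, outbox, today=AS_OF) -> bool:
    """Mediated contact: the portal delivers the message to the learner's own
    address, so the employer only ever handles the opaque reference."""
    learner = next((r for r in records if f"L-{r['id']}" == ref), None)
    if learner is None or not learner["contactable"] or not within_retention(learner, today):
        return False
    outbox.append({"to": learner["email"], "body": message})
    return True
```

The point of the contrast is that the employer-facing result set never contains a contact field, so a weak registration gate no longer exposes 45,000 phone numbers and email addresses even if it is bypassed.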
How Castlebridge can help
Castlebridge has been helping public bodies with their data protection compliance for almost a decade and a half.
We can provide organisations with training on data protection obligations, data protection impact assessment methods, and data security breach incident response.
We can also support organisations by carrying out data protection compliance reviews and DPIAs.