Wednesday, 21 November 2012

Inquiry into breaches of Experian's databases

Experian, a credit-reporting service with financial information on more than 740 million consumers, is being investigated by Irish regulators following breaches of the company’s databases. 

The Office of the Data Protection Commissioner has opened a preliminary inquiry into the security practices of Dublin-based Experian, said Gary Davis, the agency’s deputy commissioner. He said the move was prompted by reports that Experian’s database was invaded at least 80 times, leading to the theft of almost 15,500 credit reports since 2006. Hackers infiltrated Experian using passwords stolen from its customers, and invasions were not immediately detected. Mr Davis said regulators have asked Experian whether breaches have affected Irish consumers or businesses, and requested information on what steps the company was taking to prevent unauthorized access to its databases and safeguard records.

Gerry Tschopp, a spokesman for Experian, declined to comment directly on the Irish inquiry. The breaches were “isolated security issues experienced by a small number of our clients in North America involving US consumers under US data-protection jurisdiction”, he said in an emailed statement.

Thursday, 15 November 2012

Data Protection Commissioner investigating secondary schools’ security flaw

The data watchdog has asked the manufacturer of potentially vulnerable software to provide a full list of affected schools. The DPC is now investigating a security vulnerability with software used by hundreds of Irish schools. The DPC has contacted the manufacturer of a popular school management software product, asking for a list of the schools which run the software. 

The contact comes after it was revealed that the ePortal software, manufactured by Serco, was vulnerable to exploitation because of the existence of a username-and-password combination which would allow access to almost every Irish machine running the software. The issue is made particularly sensitive by the fact that many schools running the software have their systems set up so that they can be accessed remotely, from any internet-connected device. While this makes it more convenient for teachers to log in and update pupils’ records from home, it also means that school’s records are vulnerable to access by anyone who has the ‘master key’ combination of username and passwords.

The Department of Education has contacted school patrons asking them to advise their schools about the issue, but the Data Protection Commissioner is now also taking action to resolve the problem. Deputy data protection commissioner Gary Davis said last night the issue was “of huge interest of us” and that the office had been in contact with Serco seeking documentation about the product and the nature of the vulnerability. “We’re asking them for a copy of their client list, and then what we’ll probably do is approach the schools directly,” he said.

Thousands of pupils may be affected. While Davis said the fact that the ePortal software runs on servers physically housed within each school, the DPC was also keen to ensure that no similar difficulties arose with rival products where pupils’ data is stored ‘in the cloud’ - and therefore accessible to any internet user with the right password. Davis said such products “give rise to some concerns” about potential a similar vulnerability, if it existed, could leave pupils’ data open to access from inappropriate parties.

There are 722 second-level schools in the country, with a combined student body of 323,000 pupils. While each school is responsible for choosing and maintaining its own data products, it is thought that several hundred schools use the ePortal offering - suggesting that data of tens of thousands of pupils could be at risk. Though a minority of those schools have set up their systems to be accessible through the internet, most schools would make the system available to any computers on the network within their buildings, so the records would still be vulnerable to use by anyone within the school. Fianna Fáíl last night asked education minister Ruairí Quinn to clarify the details of the threat, after the Department of Education wrote to schools to warn them of the problem. “Parents across the country will be extremely worried to learn that the private and personal information of their children may have been accessed by unauthorised individuals,” the party’s education spokesman Charlie McConalogue said. “It is incumbent on Minister Quinn to explain how exactly this happened and what is being done now to rectify the situation.”

The ‘master key’ credentials, which were discovered last week, by a pupil in one school running the software, could allow anyone to access sensitive personal data - possibly including medical records - of thousands of Irish second-level pupils.

Thursday, 27 September 2012

EU to unveil plans for cloud ‘boost’

EU telecoms regulators will spell out today how they want to accelerate the use of ‘cloud’ computing by public bodies and companies, in the hope of boosting the region’s GDP by nearly €1 trillion through the next eight years. Concerns about privacy and data loss have hampered the take-up in Europe of cloud computing, where customers’ data is stored on remote servers that can be accessed from anywhere over the internet.

The European Commission wants to address such worries by getting experts to clarify tricky legal questions on data protection and to develop a global privacy standard, it says in a draft of the strategy to be announced today and seen by Reuters. European customers complain that many cloud contracts do not specify who is liable when data is lost. And a proliferation of different standards for privacy and security can confuse prospective customers, though some companies have begun updating the commonly used global information security standard - ISO 27001 - to the cloud era. Commission research shows cloud computing can cut companies' costs by up to 20 per cent and groups like Amazon, Microsoft, Google and have been developing new products and services to attract business "in the cloud".

EU Telecoms Commissioner Neelie Kroes will detail the strategy, which the Commission says could yield €957 billion in increased EU GDP in the years through 2020, creating 3.8 million jobs. Servers in the EU's public sector are up to 90 per cent under-used, commission research shows. Optimising their use would mean they were being accessed by clients in all time zones, so that when one region goes to sleep another wakes up and the server works around the clock.

For more information on Data Protection see our website at

Monday, 24 September 2012

Data Protection Commissioner - Facebook

The office of the Data Protection Commissioner has given Facebook four weeks to fully comply with its recommendations on improving user privacy, or it will face enforcement action. The company still has work to do on a "small number" of issues, the Data Protection Commissioner said, and EU regulators would continue to watch the firm closely.

The commissioner said it was satisfied the dominant internet firm had already implemented many of the best practice recommendations regulators made following an audit last year.

Facebook Ireland is responsible for users of the site outside the US and as a result the State's Data Protection Commissioner is responsible for ensuring the company complies with EU and Irish Law. The commissioner said the company had made satisfactory progress on a number of issues, including giving users access to data they placed on the site, the deletion of such data from Facebook when it was no longer required, and the adequate resourcing of compliance functions in Ireland.

Outstanding issues include better education for existing users and avoiding using sensitive data to target online advertising at users. The company could face fines of up to €100,000 if it fails to meet the deadline.

Compliance with EU Law

What's been done
* For EU-based users, Facebook has disabled its tag suggestion feature for photographs. It will delete data generated by this by October 15th
* Users can see what data Facebook holds on them more easily
* Data can be deleted by users from profiles more easily
* Data collected by Facebook is not retained after the purpose for which it is collected has ended

What's left to do
* Changing use of data considered sensitive under European law to target ads at users
* Better education for existing users