Tuesday, 7 January 2014

Public concern about access to personal data on rise in Ireland


Irish Times 7th January 2014
Data Protection Commissioner Billy Hawkes: “One thing we certainly don’t have is a light touch. We have a very rigorous approach to oversight of organisations.”

While the revelations of whistleblower Edward Snowden about the surveillance activities of the United States National Security Agency (NSA) extended tentacles into the related area of data protection in 2013, regulators in the European Union spent most of the year wrestling with proposals to harmonise the law across 28 member states.

A new EU regulation, first tabled in a proposal by the European Commission in 2012, would place new responsibilities on the regulators and also on businesses throughout the union.

Negotiations have stalled and the regulation is now unlikely to scrape through before the European Parliament elections in May. But the proposals still on the table would, in theory, place an extra burden on Ireland’s Data Protection Commissioner, Billy Hawkes.

The so-called one-stop shop mechanism would likely see him become the lead regulator in Europe for major multinationals with head offices in Ireland, including such companies as Facebook, Google and Apple.

In comments at a privacy conference in Brussels last month, Mr Hawkes indicated he did not relish the prospect of taking on the responsibility for regulating such multinationals for all citizens of the EU.


One-stop shop
Saying he would not view the one-stop shop “with any great enthusiasm”, he suggested it would draw resources from dealing with complaints about the likes of telecommunications firms and others, which are a greater source of complaints to his office by Irish citizens.

“However, as a good European, which I try to be, I do accept the logic of the one-stop shop and I will accept the consequences and the burdens that go with it,” he said.

Speaking at his office in Portarlington before that conference, Mr Hawkes said he was already prioritising for attention those companies operating across the EU for which processing of personal data was core to their activities.

“Depending on, obviously, the number of the companies involved – and certainly if many more companies were to declare to be established in Ireland for data protection purposes – we would require more resources to be able to discharge our oversight responsibilities.”

He welcomed what he said was a clear commitment by Minister for Justice Alan Shatter to ensure he was adequately resourced for any new responsibilities – though again it remains to be seen what will emerge.

Privacy campaigners such as the Austrian-based Europe v Facebook group believe his office has not been sufficiently robust in its enforcement actions.

The group, led by Max Schrems, is seeking judicial review of Mr Hawkes’s decision not to pursue complaints made to his office about the gathering of personal data under the NSA’s Prism programme from US firms based here. Mr Hawkes is also in the process of making formal decisions on 22 earlier complaints by the group relating to the privacy policies of Facebook, which underwent a major audit by his office two years ago.


Light-touch regulation
Mr Hawkes cautiously describes the approach taken by the complainants as “forceful” and, not for the first time, rejects the suggestion of “light touch” regulation by his office.

“One thing we certainly don’t have is a light touch,” he said. “We have a very rigorous approach to oversight of organisations but we do try to use the resources that are given to us in an intelligent way. It does not necessarily involve always hiring more people on our staff. It can also involve using outside expertise to help us in particular areas.”

Thursday, 2 January 2014

European Court ruling condemns mass surveillance


From Digital Rights Ireland
12th December 2013
The Advocate General of the European Court of Justice today gave an important opinion in our favour in a case brought by Digital Rights Ireland to challenge European mass surveillance law.
The challenge – which we started in 2006 – is to the Data Retention Directive. This is a law which requires ISPs and telecoms companies to record details of all your internet and telephone use – logging details of who you ring or text, where you travel and who you email – and to record that information for up to two years. We argue that this constitutes an unjustified invasion of the right to privacy and in an interim ruling the Advocate General has agreed, holding that the law is a “particularly serious” interference with individual privacy which creates a:

faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.
The Advocate General accepted our argument that storing this information on all citizens created an “increased risk” that it could be used for unlawful, fraudulent and malicious purposes against them – something we have already seen in Ireland where a Garda sergeant has abused the system to spy on a former lover and where it has been used to spy on journalists.

The Advocate General also held that this type of surveillance would have a “chilling effect” on freedom of expression, and went on to say that the Directive failed to provide even “minimum guarantees” regarding access to or use of the information collected on all citizens. According to the Advocate General the Directive therefore “is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union”.

According to the Advocate General:
the collection and, above all, the retention, in huge databases, of the large quantities of data generated or processed in connection with most of the everyday electronic communications of citizens of the Union constitute a serious interference with the privacy of those individuals, even if they only establish the conditions allowing retrospective scrutiny of their personal and professional activities. The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period…

the effects of that interference are multiplied by the importance acquired in modern societies by electronic means of communication, whether digital mobile networks or the Internet, and their massive and intensive use by a very significant proportion of European citizens in all areas of their private or professional activities. [emphasis added]
A final judgment on our case will be delivered next year. In approximately 80% of cases the European Court of Justice follows the opinion of the Advocate General. Even pending the full judgment, however, this is already a significant step forward in the very first case of this nature to be brought to the ECJ and confirms the importance of our case.

Users of public wi-fi may have had personal details stolen


The Journal
11th December 2013

PEOPLE WHO USED wi-fi in public areas such as hotels may have had their details stolen due to security flaws, an Irish firm has warned.

Cork-based IT firm Smarttech.ie said that they had discovered “serious flaws” in cyber security measures after visiting 10 hotels in October and November.

They say that finding the flaws took “minimal” effort.

Smarttech say that they “wanted to demonstrate just how dangerous using unencrypted logins and passwords across a public network can be”.

Over the course of these security tests however, Smarttech.ie soon realised that the level of security being provided was a serious problem. In addition, they say that users seemed “completely oblivious to the dangers of using public wi-fi”.

The company carried out tests on public wi-fi systems and spotted flaws within 20 minutes.

They were then able to access users’ information, including email logins, credit card details, social media passwords and banking information.

In some cases, networks were accessed from outside the hotels.

Smarttech says that they informed all of the hotels and made recommendations on how to close the gaps.

They added that anyone who operates a network should be aware of the security on their network. Under EU law, it is the duty of the premises supplying the network to ensure that the network is secure.

According to Ronan Murphy, CEO of Smarttech.ie, “Consumers need to be aware that if you are accessing public wi-fi there are serious security challenges. The tests we carried out prove that these risks affect anyone using public Wi-Fi. However there are steps that hotels and restaurants can take to secure their Wi-Fi service and therefore protect their customers”.

Tuesday, 3 December 2013

Data Breach at Loyaltybuild: Update 22 November 2013

Following the data breach which occurred at Loyaltybuild in October resulting in the breach of personal data of some 1.5 million individuals (including 376,000 individuals whose full credit card data was compromised), the investigation of the ODPC has been continuing.

The ODPC received a full client company list from Loyaltybuild in respect of those client companies whose customer data was exposed during the data breach. The ODPC immediately instructed Loyaltybuild to notify these client companies of the breach of their customer’s data and received confirmation from Loyaltybuild that this has taken place.

The ODPC also made contact with the client companies of Loyaltybuild based in this jurisdiction and instructed them to inform their customers of the breach of their data in accordance with our data security breach code of practice. The focus of our investigation to date has been uncovering the extent and nature of the personal data involved in the breach and ensuring that affected individuals have been duly notified. It is our understanding that this notification process is nearing completion.

Given the transborder nature of this data breach, the ODPC has taken the important measure of notifying relevant European colleague data protection authorities, providing them with relevant information for any follow up action they may need to take.

The ODPC investigation is continuing with the focus now on security practices and procedures employed by the company. Part of this phase of the investigation will also involve the carrying out of a follow up inspection. The company has ceased its processing of personal data until such time as it can satisfy this Office that adequate security measures are in place.

Tuesday, 12 November 2013

Criminal Involvement in Super Valu Customer Breaches


A criminal attack is behind the data breach affecting customers of SuperValu and Axa Insurance, the data protection commissioner said today.

Billy Hawkes also warned that the criminals involved have the information needed to use the credit cards of people affected by the data breach.

“We were told about the original issue last week, last Monday, but we were updated and told the situation was more serious because we now know the criminals involved have all the information needed to use the credit cards of the people concerned to make purchases,” he told RTE’s Morning Ireland.

As a result, the Consumers Association of Ireland (CAI) is advising affected customers to cancel their credit cards.

“We’re suggesting that customers certainly get in contact with their credit card providers immediately,” said Dermott Jewell, Policy and Council Advisor at the CAI.

“In light of what the Data Commissioner has announced this morning – that criminals have full access to confidential bank details – we would advise those affected to contact their credit providers and get advice on how to proceed.”

Mr Hawkes said today a team of investigators is to enter Loyaltybuild in Clare, the company operating the loyalty holiday scheme on behalf of the companies.

The company operates loyalty schemes for a number of European companies, he told RTE radio’s Morning Ireland.

“That is why we need to send in our inspection team,” Mr Hawkes said.

“We need to find out for ourselves if more action is needed to be taken.”

Earlier it emerged that the breach was worse than expected – over 60,000 SuperValu customers may have had their financial data stolen after the retailer announced that the data breach is more extensive than first thought.

Axa Insurance said about 8,000 customers had been affected.

Last week, Super Valu warned customers of its loyalty holiday scheme that their banking information may have been accessed by a third party.

The programme has since been suspended and the data protection commissioner was informed of the leak – but at the time SuperValu said it was not aware of any breaches of financial information.

But tonight a statement by SuperValu warns customers that Loyaltybuild had advised the Data Protection Commissioner that the security breach of its system “is more extensive than it first anticipated”.

“Based on this latest information from Loyalty Build, SuperValu are tonight contacting Getaway Breaks customers that there is a high risk that an unauthorised third party accessed the details of payment cards used to pay for Getaway Breaks between January 2011 and February 2012,” the statement read.

It said that 62,500 customers who made bookings during this period have been told to contact their bank or financial institution as soon as possible.

They have also been advised to immediately check the transactions on their payment cards for any suspicious activity.

Customers of the scheme have also been advised to treat any unsolicited communication they receive claiming to represent SuperValu Getaway Breaks or Loyalty Build with extreme caution.

Super Valu and Loyaltybuild are continuing to investigate the matter which is affecting customers of the holiday scheme only.
Irish Independent 12th November 2013

Thursday, 7 November 2013

Super Valu breaches customers' data protection rights


Irish Times

Supervalu has been forced to contact thousands of customers who have bought its “getaway breaks” after a security breach at the company that oversees the scheme left sensitive financial data potentially compromised.

The “getaway breaks” vouchers are a key loyalty reward programme run by the US-owned company Loyaltybuild, which is based in Co Clare. It is reviewing the security of the personal and payment card information held on its booking system.

“This review is necessary as Loyaltybuild has advised its client base in Ireland that its system may have been compromised by a third party,” said Supervalu in a statement.

‘Precautionary measure’
He said that there was no information to suggest that any sensitive customer data had been obtained “as yet”, and said that “as a precautionary measure” it was urging customers who had booked a getaway break recently to review their accounts and report any unusual activity or unsolicited communication connected with the deal to their bank.

Supervalu apologised to its customers for any unnecessary concern that details of the breach may have caused and said the “Getaway Breaks” booking system will remain temporarily suspended until the Loyaltybuild system has been given the all clear.

Encrypted
The company managing the rewards programme has informed the Data Protection Commissioner of the potential breach, which was uncovered on October 25th, and it stressed that all payment card information it holds is encrypted.

“We immediately engaged the services of a firm of leading, international, online security experts,” a spokeswoman said. “They are conducting a forensic investigation to help us identify whether any of our stored data was compromised, and, if so, to what extent.”

She said that as of 5pm yesterday, the forensics team reported there had been no signs of personal or financial details being extracted or compromised but added that the examination is ongoing.

She said that the company was “working around the clock with our security experts to get to the bottom of this and to further enhance our security”.

Wednesday, 16 October 2013

Company convicted of sending spam email to former swimmer Michelle Smith de Bruin


Two companies have been convicted of sending spam email or text messages, including one sent to barrister and former Olympic swimmer Michelle Smith de Bruin.

Lex Software Ltd, trading as Legal and General Software, pleaded guilty before the Dublin District Court to two charges of sending unsolicited email messages – one to Ms Smith de Bruin and another to Patrick Wilkinson.

In evidence, assistant data protection commissioner Tony Delaney told the court the defendant company had admitted sending the spam email after a formal warning had previously been issued by the Data Protection Commissioner following an earlier complaint by Ms Smith de Bruin.

He said it had also confirmed having sent a spam email to Mr Wilkinson without providing a means of allowing him to opt out of receiving further marketing emails. The company pleaded guilty to both charges.

Operations director of Lex Software, John Gilmartin, submitted that Ms Smith de Bruin’s details had been removed from the company’s list at her request but when a new list of contacts had been created using the updated legal directory, her details had been included in error.

The company had engaged an external provider to ensure all future marketing emails would contain a means of opting out.

Judge William Hamill imposed convictions on both charges and fined the company €200 in respect of each one.

Separately, Judge Hamill convicted Hanford Commercial Ltd, trading as the Maldron Hotel, Wexford, on a charge of sending an unsolicited marketing message by text, where a complainant had previously opted out of receiving such messages. The company pleaded guilty to the charge. Judge Hamill imposed a fine of €200.

Mr Delaney told the court the complainant, Robert Gogan, had previously sought the assistance of the Data Protection Commissioner to ensure his details were removed from the company’s database and that a formal warning had been issued to it in February of last year.

Sean McKeon, of the hotel group, told the court steps had been taken to ensure compliance with the regulations on sending such material.