
Irish Data Protection Commission Case Studies


URL: http://www.bailii.org/ie/cases/IEDPC/2013/2013IEDPC19.html
Cite as: [2013] IEDPC 19



Case Study 19: Customer had on-line access to third party telephone bill details.

The Office received a breach notification from a telecommunications provider notifying us of a personal data security breach under the provisions of Commission Regulation (EU) No 611/2013.

This Regulation imposes a legal obligation on providers of publicly available electronic communications networks or services to notify this Office of a personal data security breach, no later than 24 hours after the detection of the breach, where feasible.

The Service Provider informed us that one of its customers, who was a member of an organisation, while reviewing his telephone bill via the Provider's on-line facility, noticed that he had access to the details of bills of over 400 other members of the same organisation.  On becoming aware of the incident, the Service Provider quickly removed a shared billing code that linked a limited number of accounts related to members of the organisation on the Service Provider's billing system.

The Service Provider informed us that it was able to confirm from the customer's log-in details that he had access only to the affected customers' first names, surnames, mobile numbers and six months' call records. We were informed that the customer did not have access to the individuals' financial details or address details.

The root cause of the incident was identified as being a customer service agent applying a shared billing code via the administration systems. We were informed that the agent incorrectly set up the shared billing code resulting in the accounts being linked in error and making the individual who accessed the data the master account holder.
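To make the failure mode concrete, the following Python model is an added example; it is not code from the Service Provider, the Commissioner or this page, and it does not describe the Provider's real billing system. It assumes a simple semantics consistent with the case: a shared billing code groups accounts under a master account, and the master account holder's online-billing view shows every member's bill. The `org_admin` flag, the account numbers and the 400-member sample data are all constructed for illustration. It shows the unchecked admin operation reproducing the incident, a hardened variant that refuses to make an ordinary subscriber the master, and a reconciliation check that would flag such a group before a customer noticed it.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    msisdn: str
    holder: str
    # Assumption: only accounts verified as organisation administrators carry this flag.
    org_admin: bool = False


@dataclass
class BillingGroup:
    code: str                      # the shared billing code
    master: str                    # msisdn of the master account holder
    members: set[str] = field(default_factory=set)


class BillingSystem:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.groups: dict[str, BillingGroup] = {}

    def add_account(self, acct: Account) -> None:
        self.accounts[acct.msisdn] = acct

    def apply_shared_code_unchecked(self, code: str, master: str, members: set[str]) -> None:
        """Admin operation as the case describes it being misapplied: whoever is
        named as master becomes master, with no check on that account's role."""
        self.groups[code] = BillingGroup(code, master, set(members))

    def apply_shared_code_checked(self, code: str, master: str, members: set[str]) -> None:
        """Hardened variant (assumption): refuse to make an ordinary subscriber
        the master of a shared billing code."""
        acct = self.accounts.get(master)
        if acct is None or not acct.org_admin:
            raise PermissionError(f"{master} is not a verified organisation administrator")
        self.groups[code] = BillingGroup(code, master, set(members))

    def remove_shared_code(self, code: str) -> None:
        self.groups.pop(code, None)

    def viewable_bills(self, requester: str) -> set[str]:
        """Online-billing view: a customer sees their own bill, plus every
        member's bill for any group in which they are the master account holder."""
        visible = {requester}
        for g in self.groups.values():
            if g.master == requester:
                visible |= g.members
        return visible

    def audit_groups(self) -> list[str]:
        """Reconciliation check: shared billing codes whose master is not an
        organisation administrator. Run after every admin change."""
        return sorted(g.code for g in self.groups.values()
                      if not self.accounts[g.master].org_admin)


def build_scenario() -> tuple[BillingSystem, str, str, set[str]]:
    """Constructed sample data: one organisation administrator, one ordinary
    member (the customer) and 400 other members."""
    bs = BillingSystem()
    admin = "353870000000"
    bs.add_account(Account(admin, "Org Admin", org_admin=True))
    customer = "353870000001"
    bs.add_account(Account(customer, "Member 1"))
    others = {f"35387{1000 + i:07d}" for i in range(400)}
    for m in others:
        bs.add_account(Account(m, f"Member {m[-4:]}"))
    return bs, admin, customer, others


def reproduce_incident() -> tuple[int, list[str], int]:
    """Misapply the code with the customer as master, then remove it.
    Returns (bills visible during incident, audit findings, bills visible after fix)."""
    bs, _admin, customer, others = build_scenario()
    bs.apply_shared_code_unchecked("ORG-SHARED", master=customer, members=others)
    during = len(bs.viewable_bills(customer))
    findings = bs.audit_groups()
    bs.remove_shared_code("ORG-SHARED")
    after = len(bs.viewable_bills(customer))
    return during, findings, after


def checked_path_refuses() -> bool:
    """The hardened admin operation rejects the same request."""
    bs, _admin, customer, others = build_scenario()
    try:
        bs.apply_shared_code_checked("ORG-SHARED", master=customer, members=others)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(reproduce_incident())    # (401, ['ORG-SHARED'], 1)
    print(checked_path_refuses())  # True
```

The two controls are independent: the checked admin path stops the error at entry, while the audit catches any group that reached the billing system by another route. In the incident as described, the group was found by a customer; a scheduled audit of this kind would have surfaced it to the Provider first.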

The Service Provider confirmed that it was informing all individuals affected by the incident. The Service Provider also informed those individuals that the matter had been rectified and that it had taken steps to ensure a similar incident would not occur again.

This case demonstrates how the speed at which a breach is identified and dealt with may assist in minimising the overall security risk of the breach. Informing the affected individuals of the matter permits them to consider the consequences for each of them individually and to take appropriate measures as they see fit. The reporting of the matter to us by Data Controllers as speedily as possible, as required by the above Regulation, also assists us in our role of improving compliance with Data Protection legislation.

