Irish Political Party suffers Data Security Breach

Irish political party, Fine Gael, has hit the headlines in Ireland recently due to a series of data protection incidents.

In anticipation of Ireland’s imminent election, likely to be held in March, Fine Gael embarked on what it is terming “the biggest consultation exercise to date with the Irish electorate”. Fine Gael shut down its primary website, replacing it with a single-page site containing its party leader’s video message inviting “complaints, ideas and proposals”. The purpose behind the website was to try to replicate, in an Irish context, the online political engagement and resultant momentum which propelled Barack Obama to power. With nearly 1,000 responses on its first day live, the site started strongly, although by the latter part of last week concerns had been raised regarding data protection and privacy issues.

In particular, the Office of the Data Protection Commissioner (‘ODPC’) was notified that the website did not have a privacy statement. Under Irish law, a privacy statement must be available on every website where personal data is being collected, detailing what personal data is collected via the website and how it is used.

The ODPC made contact with Fine Gael and Fine Gael sought to remedy the issue by putting a privacy statement on the website. However, the statement used was the privacy statement from the old Fine Gael site. Given the fully interactive nature of the new site, the old privacy statement was arguably not sufficient to cover data collected through the new website.

A further issue arose as the site is being hosted in the US. As Datonomy readers are aware, personal data cannot be transferred outside the European Economic Area unless one of a number of conditions is met. These include that the recipient is safe harbour certified (for US companies). Fine Gael has indicated that the US hosting provider is safe harbour certified.

Unfortunately for Fine Gael, its new website also became the subject of a number of hacking attempts. The first of these was a failed attempt on Thursday, 6 January.

The site was then the subject of a sustained attack on Sunday, 9 January, reported as a denial of service attack, during which the personal details of up to 2,000 users of the site were compromised. A denial of service attack on its own does not expose stored data; the leak indicates that the attackers also obtained access to the submissions the site had collected.

The hackers then reportedly sent a file to the media containing the personal information (including IP addresses, mobile phone numbers, location and email addresses) of the members of the public who had used the site.

The hackers claim to be members of the Anonymous group. This is a loose alliance of WikiLeaks supporters and the perpetrators of a number of recent attacks on sites such as Visa, MasterCard and Amazon. However, given the loose nature of the group and the ability of anyone to attribute responsibility for an attack to it, it is difficult to know for certain whether Anonymous was in fact behind the attacks.

Following the discovery, Fine Gael notified both the ODPC and the Gardaí (Police), and both are investigating the incident. Given the US dimension, the FBI may also investigate the breach.

The fact that Fine Gael immediately notified the ODPC is notable, as it suggests that Fine Gael has been acting in accordance with the relatively new Personal Data Security Breach Code which was published last year by the ODPC (http://www.dataprotection.ie/viewdoc.asp?DocID=1082&m=f). The Code makes notification of a data security breach to the ODPC mandatory where the breach relates to the data of more than 100 people and/or where sensitive data or personal financial data is compromised. In Fine Gael’s case, the information of up to 2,000 people may have been compromised, which would require notification to the ODPC under the Code.

Fine Gael has indicated that it is attempting to make contact with all those persons whose data has been compromised. This again is in line with the Code’s requirements, which effectively mandate notification of affected individuals whose data has been compromised except in very limited circumstances (generally where the data is encrypted).

With thanks to Peter O’Neill
