[BreachExchange] Data of 9, 735 teachers shared after 'phishing' email breach

Mon Mar 30 10:16:57 EDT 2020

https://www.independent.ie/irish-news/education/data-of-9735-teachers-shared-after-phishing-email-breach-39083093.html

A data breach at the Teaching Council has led to personal information
relating to 9,735 teachers being shared.

The council, which holds personal data on 104,000 serving and retired
teachers, has alerted those affected and said it was "not likely to
result in any real risk to you in circumstances where limited personal
data was disclosed".

The data included name, address, PPS number, Teaching Council
registration number, the month they joined the register and their
renewal date.

Certain information relating to vetting, including the clearance data,
status and reference number was also disclosed.

However, no financial or criminal conviction data was included, nor
was the teacher's email address.

In an email to affected teachers on Thursday, the council said it had
recently become aware of the incident.

In a statement yesterday, Teaching Council director Tomás Ó Ruairc
said they had identified that there was an unauthorised attempt by an
external source to access a small number of email accounts on the
council's servers.

A 'phishing' email, sent to a small number of its staff, caused a
script to be activated that established an auto-forwarding rule for
subsequent emails being sent to the staff members concerned.

"This meant that emails received from those staff members were
automatically forwarded to an external Gmail account for a short
period of time," he said.

Included as an attachment to one of the emails that was forwarded was
a spreadsheet containing the registration details of a number of
registered teachers, including data relating to some teachers.

Mr Ó Ruairc said the Teaching Council took the matter and the security
of data very seriously and apologised for any inconvenience caused.

"The circulation of such attachments in the council is not normal
practice and steps have been taken to ensure that this does not happen
again."

He said it was a strictly isolated incident and the wider systems or
databases of the Teaching Council had not been affected.

The council notified to the Data Protection Commissioner (DPC) and,
following its own investigation into the matter, has provided updates
to the DPC.

Although a teacher's email address was not disclosed, and those
affected have been told that the risk of a security threat was not
likely, the council has advised that they remain vigilant.