A primary school’s computer system was encrypted by hackers who demanded a ransom to release the personal details of its pupils.

The case is outlined in the Data Protection Commissioner’s annual report for 2016 published on Tuesday.

In October last year, the commissioner’s office received a data breach report from a primary school that had been the victim of a so-called crypto-ransomware attack, whereby parts of the school’s information systems had been encrypted by a third party.

The hack rendered the school’s files, which included children’s names, dates of birth and PPS numbers, inaccessible.

A ransom was demanded from the school to release the encrypted files.

The commissioner’s experts said they found the school had deficiencies in the measures it had taken to secure pupils’ personal data, including the fact that no polices or procedures were in place to maintain adequate back-ups.

It had no procedures or policy documents focusing on system attacks such as ransomware or viruses and had no contracts in place with its ICT services providers, the data processors, as required by law.

‘Inadequate’ response

As a result, the actions taken by the ICT suppliers were “inadequate in response to the attack”.

There was also a lack of staff training and awareness of the risks associated with opening unknown email attachments or files.

Commissioner Helen Dixon found the school had broken the law by failing to ensure that adequate security measures were in place to protect the student data. Her office recommended to the school that it take steps “to mitigate the risks identified”.

The school implemented staff training on the risks associated with email and the use of personal USB keys and also reviewed its procedures to ensure appropriate contracts were in place with its ICT providers.

“This case demonstrates that schools, like any other organisation (commercial, public sector or private) operating electronic data-storage systems and interacting online must ensure that they have appropriate technical security and organisational measures in place to prevent loss of personal data, and to ensure that they can restore data in the event of crypto-ransomware attacks,” the commissioner said.

In a separate case, the office received a complaint from an individual about an alleged breach of their rights by an insurance company.

An insurer from which the person had obtained a quote in the past had transferred its business to another insurance company and had failed to delete the quotation even though the individual had never taken out a policy.

Identity mistake

A claim file that mistakenly included the complainant’s name as a claimant was transferred by mistake to the new company as part of the transfer of business.

It emerged the complainant had the same name as a person who had made a claim that subsequently turned out to be fraudulent. The new insurance company threatened the person with court action over the claim, which related to another individual.

In her report, the commissioner said the case concerned “sloppy handling of personal data”.

“Many people in Ireland have the same name and there was no reason why the complainant’s personal details, collected when the complainant obtained a quotation, should have been added to an insurance-claim file,” the DPC said.

The more significant issue for the complainant was that they were unable to ascertain, prior to the commissioner’s involvement, how their details came to be in the possession of the second company and how the issue had come about.

A number of contraventions of the law had occurred in the case, including the fact that the first insurer held on to the quotation data longer than necessary.

The DPC said the complainant in the case had suffered “particularly serious consequences as they incurred significant legal costs in defending the accusation of making a fraudulent claim” and the threat by the second insurance company of taking court proceedings against them.