Guernsey Press

Revenue Service email data breach was one of several

A DATA breach at the Revenue Service, in which an inadvertent email revealed the names and details of more than 5,000 islanders who had health debts with the States, was not the first time the service had wrongly sent private information by email.


The service has been reprimanded by the Data Protection Authority following the incident in April. The authority has found that the service ‘failed to appropriately ensure that adequate security safeguards were in place’.

It had a system where emails containing personal data should have been sent using a specialised secure platform. To help employees to comply with the policy, the Revenue Service had implemented an enhanced version of the platform which displayed a pop-up when sending e-mails to external parties, requiring the user to select whether the platform should be used.

But in this case the policy was not followed, nor was the enhanced version installed.

A member of staff had sent an email to the wrong person in similar circumstances in July 2022. At that time, the Revenue Service discovered that not all employee accounts were configured with the enhanced version of the software and committed to take further steps to ensure that this was done in future. But despite this, the enhanced version had not been installed for the member of staff involved.

An ODPA inquiry also found that there were several other breaches where the Revenue Service had failed to send e-mails in line with this policy. An internal log of breaches between July 2022 and 2024 suggested that staff were not using the secure platform in line with policy, which should have raised questions, including whether the right software was installed.

The ODPA said: ‘Due to the sensitive nature of personal data processed by the Revenue Service, it was reasonable for e-mails to be sent using the specialised secure platform. Among other benefits, this platform allowed for access to email content to be controlled and revoked. Had the e-mail been sent using this platform, the unintended recipient’s access could have been immediately revoked, upon notification that it had been sent to the incorrect e-mail address.’

It said that had the Revenue Service acted properly on earlier breaches, additional measures would have been in place to mitigate the impact of the data breach.

It welcomed the fact that the Revenue Service had since implemented more robust measures to ensure that the enhanced version of the secure software platform was installed and the email policy was respected and followed.

‘While the Revenue Service had previously taken several steps towards ensuring the security of personal data, security safeguards against breaches are a dynamic rather than static responsibility. It is not sufficient to just have policies and procedures in place, they must be followed, monitored and updated as new security risks are revealed. This is especially relevant in the digital era where technological risks are a persistent and continuously evolving reality.’

It said that policies and technical measures were needed to minimise security failings due to human error.