Dublin People

Tenants’ fury after data security breach

Cllr Maire Devine (SF) outside the offices of South Dublin County Council in Tallaght with a copy of one of the letters sent to tenants informing them that their personal details had been accessed without authorisation. Photo by Darren Kinsella

ANGRY Southsiders have demanded answers after their
personal details held by South Dublin County Council were accessed without
authorisation.

The matter is being investigated by the Office of the
Data Protection Commissioner.

Some 595 social housing tenants received letters from
the council last week informing them that their personal details had been
accessed without required authorisation in October of last year.

The letter informed them that an “unauthorised breach” of their
personal data had occurred between September 27 and October 9, 2011.

The correspondence states that the council became
aware of the security breach on October 10 and that it reported the matter to
the Office of the Data Protection Commissioner the following day.

It added that the breach occurred because of the “misconfiguration”
of one of the council’s computers.

“This permitted a very limited number of persons using
the council’s website to gain unauthorised access to your personal data,” the
letter states. “The council reviewed all previous access to the data stored … and
has established that the access was very limited, for a very short period, and
appears to have been random in nature.”

The Office of the Data Protection Commissioner
confirmed that it is currently investigating the matter.

A spokesperson said it had been formally notified by
the local authority of the data security breach on October 11 last.

“The breach occurred because a web server used by
South Dublin County Council had not been properly configured, which allowed
access to certain files stored on the server,” the spokesperson said.

A council tenant who received one of the letters has
called on the council to provide him with specific details on how the breach
occurred and which details were accessed.

“I am concerned for my safety and about other aspects
of my records like bank details,” he said. “I pay my rent through my bank by
direct debit.

“The council is not handling this very well,” he
added. “I just got the letter and when I rang up I wasn’t told anything really.
They just said there was an error. I want to know what is going on. I am not
going to sit down and take this.”

Another resident added: “I don’t want people using my
name and address and my PPS number, if it was accessed. It is just a horrible
feeling. I have no confidence in the council now.

“There are another two tenants besides me that got
these letters. One of them went down to the council and was told not to worry
about it. The other one’s nerves are gone because she has things to hide about
why she had to move from her old address.”

Cllr Maire Devine (SF) said some residents who
contacted her had expressed concerns that the database containing their
personal details may have been hacked into.

She said a number of people were worried that the case
histories of some council tenants, who had previously been forced to move homes
because they were the victims of intimidation and anti-social behaviour, could
possibly have been accessed.

Cllr Devine was concerned that such information could
potentially be used to further intimidate and harass residents who had already
suffered as a result of anti-social behaviour.

“The council has broken their contract with the public
in my opinion,” she stated. “Their ability to maintain confidentiality with the
public has been undermined.

“This data could be used in 10 years’ time against
people. Some residents are terrified because the people who accessed the data
might be able to catch up with them.”

However, a spokesperson for the council insisted that
the security breach did not involve the database being hacked.

She said the breaches that occurred involved nine
individual Internet Protocol (IP) addresses.

“These addresses can be identified but the persons
using the computers are not identifiable,” the spokesperson said.

She added that the council has now engaged an external
security authority to review the network of its public servers.

She said the council had not notified the gardai about
the security breach because under the existing legislation it was only required
to notify the Office of the Data Protection Commissioner about the incident.
She added that there was no evidence to suggest that the details had been used
for unlawful purposes.
