A&G Couriers Limited T/A Fastway Couriers (Ireland) – €15,000 Fine (Ireland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A&G Couriers Limited faced a fine after a data breach exposed personal information of over 446,000 people. A third-party contractor made a mistake, leaving sensitive data publicly accessible for two days. This case is significant because it shows the importance of strong security measures when handling personal data.
What happened
A&G Couriers Limited allowed personal data to be exposed on the internet due to poor security practices by a contractor.
Who was affected
Over 446,000 individuals whose personal data was exposed, including names and contact information.
What the authority found
The data protection authority found that A&G Couriers did not implement adequate security measures to protect personal data.
Why this matters
This incident highlights the critical need for companies to ensure their contractors follow strict security protocols. It serves as a reminder that businesses are responsible for protecting personal data, even when using third-party services.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
This case concerns A&G Couriers, a company providing courier services, (the “Controller”) which engaged a third party IT software contractor (“Contractor”) to undertake a "Brexit project". This project was aimed at providing the UK tax authority (Her Majesty’s Revenue & Customs – HMRC) with access to their internal reporting system to facilitate declarations of duty and VAT. The Contractor immediately began facilitating access to the reports for external review and, while these changes to the system were being made, the server which housed all the data became exposed to the public internet. It was suggested by the Controller that – due to insufficient checks on security patches, user restrictions and access controls by the Contractor – the configuration of the affected server was implemented incorrectly, and the IP address of the affected server was inadvertently. For a total of two days, the servers, which housed in total, the unencrypted personal data of 446,143 data subjects, were publicly available. This included their names, home addresses, email addresses and mobile numbers. The Controller further clarified that each of these categories of personal data may not be fully present in each record affected by the personal data breach, since the data collected is client specific and not all fields are mandatory. In addition, an unknown individual gained access to the exposed server and exfiltrated the personal information pertaining to a large number of data subjects. The hacker was able to access the records of 10,000 data subjects in total. In submissions to the DPC, the Controller outlined their account of the incident and made a number of arguments in its defence. Firstly, the Controller asserted that, depending on the specific data, it was in some cases a controller, and in others a processor, and so the duty to implement appropriate measures was not placed upon them in all circumstances. Secondly, the controller stated that the servers contained some or all
Related Enforcement Actions (0)
No other enforcement actions found for A&G Couriers Limited T/A Fastway Couriers (Ireland) in IE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
30 December 2022
Authority
Data Protection Commission
Fine Amount
€15,000
About this data
Cite as: Cookie Fines. A&G Couriers Limited T/A Fastway Couriers (Ireland) - Ireland (2022). Retrieved from cookiefines.eu
Last updated: