A&G Couriers Limited T/A Fastway Couriers (Ireland) – €15,000 Fine (Ireland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
This case concerns A&G Couriers, a company providing courier services (the “Controller”), which engaged a third-party IT software contractor (the “Contractor”) to undertake a "Brexit project". The project was aimed at providing the UK tax authority (Her Majesty’s Revenue & Customs – HMRC) with access to their internal reporting system to facilitate declarations of duty and VAT. The Contractor immediately began facilitating access to the reports for external review and, while these changes to the system were being made, the server that housed all the data became exposed to the public internet. The Controller suggested that, due to insufficient checks on security patches, user restrictions and access controls by the Contractor, the configuration of the affected server was implemented incorrectly, and the IP address of the affected server was inadvertently.
For a total of two days, the servers, which housed in total the unencrypted personal data of 446,143 data subjects, were publicly available. This data included names, home addresses, email addresses and mobile numbers. The Controller further clarified that each of these categories of personal data may not be fully present in each record affected by the personal data breach, since the data collected is client-specific and not all fields are mandatory. In addition, an unknown individual gained access to the exposed server and exfiltrated the personal information pertaining to a large number of data subjects. The hacker was able to access the records of 10,000 data subjects in total.
In submissions to the DPC, the Controller outlined its account of the incident and made a number of arguments in its defence. Firstly, the Controller asserted that, depending on the specific data, it was in some cases a controller and in others a processor, and so the duty to implement appropriate measures was not placed upon it in all circumstances. Secondly, the Controller stated that the servers contained some or all
GDPR Articles Cited
Details
Fine Date
30 December 2022
Authority
Data Protection Commission
Fine Amount
€15,000
GDPRhub ID
gdprhub-5732
Cite as: Cookie Fines. A&G Couriers Limited T/A Fastway Couriers (Ireland) - Ireland (2022). Retrieved from cookiefines.eu