Data-Breach-Incident-Report

The document is an incident report template for data security breaches, outlining the necessary information to be collected regarding the breach, including details about the nature of the breach, affected data subjects, and measures taken to address it. It emphasizes the importance of timely notification to the Data Protection Office and provides guidelines on breach management and notification obligations under GDPR. Additionally, it includes examples of various breach scenarios and the corresponding notification requirements for supervisory authorities and affected individuals.


Data Security Breach – Incident Report

CONFIDENTIAL
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data transmitted, stored or otherwise processed”.

Breach ID:

When did the breach take place?

Where did the breach take place? e.g. Location of breach

When was the breach discovered? e.g. Specific time & date

Who reported the breach?

Contact details of person who reported the breach?

Was the Data Protection Office immediately contacted?

Yes ☐ No ☐

If YES, state by what means (e.g. phone, email etc.) and the time and date of the contact
made?

If NO, was any other senior official e.g. CE, Director etc. contacted and if so, by what means
(e.g. phone, email etc.) and the time and date of the contact made?

Were there any witnesses? If Yes, state Names & phone contact details

Please provide details of the breach:

What was the nature of the breach?

What categories of data subjects (e.g. students, adult learners, parents/guardians; other
vulnerable groups, employees, board members; contractors etc.) were affected and/or
potentially affected by the breach?

Approximate number of data subjects affected:

Categories of personal data/records (e.g. health data, education records, social care
information, financial details, bank account numbers, passport numbers etc):

Approximate number of personal data records concerned:

Description of the likely consequences of the personal data breach (e.g. identity theft, fraud,
financial loss, threat to professional secrecy etc.):

Description of the measures undertaken (or proposed to be undertaken) by the ETB to
address the breach (including, where appropriate, measures to mitigate its possible adverse
effects):

Important note: where the exact details of any of the above are not yet known, this shall not
delay a timely breach notification to the DPC. Further information can follow, when
available: “the information may be provided in phases without undue further delay” [1].

[1] Article 33(4) GDPR.

Was the breached data protected through passwords, encryption etc.? Supply details below.

In your opinion, is the breach likely to be of a temporary nature? Can the personal information
exposed be recovered?

Were any IT systems involved? (e.g. email, website, school admin system, VS Ware, Facility,
apps). If so, please list them.

Is any additional material available e.g. error messages, screen shots, log files, CCTV footage?

Have you taken any action/steps so far to seek to stop/mitigate the risk either to the data
subject/s who you think have been affected OR any other additional data subjects you
consider may be affected? If YES, please describe below

Have you spoken to someone in ETB management team at administrative head office level e.g.
CE, Director, Head of IT etc?
If so, please advise whom you contacted, and a brief outline of the advice given by him/her.

Have you made any contact with any external agencies e.g. Insurance Company, IT provider,
Gardaí etc.? If YES, please describe below specifically whom you contacted and supply the
name and contact details of same.

Any additional comments?

Signed:
Your position in the ETB:
Name of school, office, centre:

Your contact number (ideally mobile number):
Date:
Time of completion:

Thank you for your efforts in completing this form. The effort undertaken in its completion will
help the ETB in its further investigation/analysis of the matter.

Please ensure this is forwarded directly to the ETB Data Protection Office

Data Protection Office, KCETB, Seville Lodge, Callan Road, Kilkenny

CONFIDENTIAL - THIS FORM HAS BEEN COMPLETED IN CONTEMPLATION OF LEGAL PROCEEDINGS

For your reference

Breaches can be categorised according to the following three well-known information security
principles:
(a) “Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or
access to, personal data.
(b) “Integrity breach” - where there is an unauthorised or accidental alteration of personal
data.
(c) “Availability breach” - where there is an accidental or unauthorised loss of access to, or
destruction of, personal data.
Depending on the circumstances, a breach can concern confidentiality, integrity and availability of
personal data at the same time, as well as any combination of these. Whereas determining if there
has been a breach of confidentiality or integrity is relatively clear, whether there has been an
availability breach may be less obvious. A breach will always be regarded as an availability breach
when there has been a permanent loss of, or destruction of, personal data.

Incident Response DOs and DON’Ts for IT systems

DOs

• immediately isolate the affected system to prevent further intrusion, release of data, damage
etc.
• use the telephone to communicate. Attacker may be capable of monitoring e-mail traffic
• contact the ETB Data Protection Office without delay: KCETB, Seville Lodge, Callan Road,
Kilkenny
• preserve all pertinent logs, e.g. firewall, router and intrusion detection system.
• make back-up copies of damaged or altered files and keep these backups in a secure
location.
• identify where the affected system resides within the network topology
• identify all systems and agencies that connect to the affected system
• identify the programs and processes that operate on the affected system(s), the impact of the
disruption and the maximum allowable outage time.
• in the event the affected system is collected as evidence, make arrangements to provide for
the continuity of services, i.e. prepare a redundant system and obtain data back-ups.

DON’Ts

• delete, move or alter files on the affected systems
• contact the suspected perpetrator
• conduct a forensic analysis.
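One way to carry out the “preserve all pertinent logs” and “make back-up copies of damaged or altered files” items while respecting the first DON’T (never alter the originals), as an added Python example that is not part of the ETB form; the file names, log lines and collector name are constructed for the demonstration:

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources, dest_dir: Path, collector: str) -> dict:
    """Copy each source into dest_dir, make the copy read-only, verify its
    hash against the original and write a manifest. Originals are never
    moved, deleted or altered; an unreadable source is recorded as an error."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collector": collector, "items": [],
                "collected_at": datetime.now(timezone.utc).isoformat()}
    for i, src in enumerate(map(Path, sources)):
        entry = {"source": str(src)}
        try:
            original_hash = sha256_of(src)
            copy = dest_dir / f"{i:03d}_{src.name}"  # index avoids name clashes
            shutil.copy2(src, copy)                   # copy2 keeps the original mtime
            os.chmod(copy, 0o444)                     # copy is read-only from here on
            entry.update(sha256=original_hash, copy=str(copy),
                         verified=sha256_of(copy) == original_hash)
        except OSError as exc:
            entry.update(error=str(exc), verified=False)
        manifest["items"].append(entry)
    (dest_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo() -> dict:
    """Constructed sample: two small log files plus one path that does not exist."""
    work = Path(tempfile.mkdtemp())
    fw, ids = work / "firewall.log", work / "ids.log"
    fw.write_text("2024-01-01T10:00:00Z DROP src=203.0.113.5 dst=10.0.0.8 dpt=445\n")
    ids.write_text("2024-01-01T10:00:02Z ALERT sig=constructed-sample-alert\n")
    missing = work / "router.log"  # never created: exercises the error path
    return preserve_evidence([fw, ids, missing], work / "evidence", "constructed: duty officer")
```

The manifest (collector, UTC time, per-file hash and verification result) is what a later investigator or the Gardaí need to show the copies match what was on the system at collection time.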

For Breach Management Team Use Only (insert details in the column below)

Details logged by:

Data Protection Office Name:

Time & date of receipt by ETB of this form:

Type of personal data breach, e.g. confidentiality breach; integrity breach; availability
breach (see examples):

Numbers of likely people affected by the breach:
  Estimated number of data subjects affected?
  Types of data affected?

Were special categories (e.g. sensitive personal data) compromised in the breach?   Yes ☐ No ☐
Special categories, i.e.:
  Racial or ethnic origin
  Political opinions
  Religious or philosophical beliefs
  Membership of a trade union
  Biometric and genetic data
  Health
  Sex life or sexual orientation
Insert any relevant information below, e.g. How many data subject(s)’ sensitive personal data
has been affected? What type of sensitive personal data was breached?

Severity of the breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
processed.
Rate the breach above in terms of its likely severity on the rights and freedoms of affected or
potentially affected data subject/s, i.e.:
  High Risk
  Medium Risk
  Low / No Risk*
* If it is assessed that there is “no risk”, the reasons for that decision must be recorded.

CE and/or members of the senior management team to be notified   Yes / No

IT Service Providers / IT support to be notified   Yes / No

Insurance Company to be notified   Yes / No

Gardaí to be notified   Yes / No

Legal advisors to be notified (including LSSU as determined by ETB)   Yes / No

Data Subjects to be notified?   Yes ☐ No ☐
  How many?
  Is there a list of contact details for data subjects?
  If not, can we recover?

Supervisory Authority to be notified?   Yes ☐ No ☐
  If YES, list date and time of notification and any advice/instruction given by the
  Supervisory Authority:

Contact details for Supervisory Authority:
  Data Protection Commission
  Telephone: +353 57 8684800
             +353 (0)761 104 800
  Lo Call Number: 1890 252 231
  Fax: +353 57 868 4757
  E-mail: [email protected]
  Postal:
  Data Protection Commission
  Canal House
  Station Road
  Portarlington
  R32 AP23
  Co. Laois

Any additional relevant additional details

Signed by DATA PROTECTION OFFICE:

Signed by CE / nominee:

Date:

CONFIDENTIAL - THIS FORM HAS BEEN COMPLETED IN CONTEMPLATION OF LEGAL PROCEEDINGS

Appendix 2 - Guidelines on Personal data breach notification under Regulation 2016/679

Source: file:///C:/Users/d.keogh/Downloads/wp250rev01_enpdf%20(2).pdf

Examples of personal data breaches and who to notify

The following non-exhaustive examples will assist controllers in determining whether they need to
notify in different personal data breach scenarios. These examples may also help to distinguish
between risk and high risk to the rights and freedoms of individuals.

Columns of the original table: Example; Notify the supervisory authority?; Notify the data
subject?; Notes/recommendations.

Example i. A controller stored a backup of an archive of personal data encrypted on a USB
key. The key is stolen during a break-in.
  Notify the supervisory authority? No.
  Notify the data subject? No.
  Notes/recommendations: As long as the data are encrypted with a state of the art
  algorithm, backups of the data exist, the unique key is not compromised, and the data can
  be restored in good time, this may not be a reportable breach. However, if it is later
  compromised, notification is required.

Example ii. A controller maintains an online service. As a result of a cyber-attack on that
service, personal data of individuals are exfiltrated. The controller has customers in a single
Member State.
  Notify the supervisory authority? Yes, report to the supervisory authority if there are likely
  consequences to individuals.
  Notify the data subject? Yes, report to individuals depending on the nature of the personal
  data affected and if the severity of the likely consequences to individuals is high.

Example iii. A brief power outage lasting several minutes at a controller’s call centre meaning
customers are unable to call the controller and access their records.
  Notify the supervisory authority? No.
  Notify the data subject? No.
  Notes/recommendations: This is not a notifiable breach, but still a recordable incident
  under Article 33(5). Appropriate records should be maintained by the controller.

Example iv. A controller suffers a ransomware attack which results in all data being
encrypted. No back-ups are available and the data cannot be restored. On investigation, it
becomes clear that the ransomware’s only functionality was to encrypt the data, and that
there was no other malware present in the system.
  Notify the supervisory authority? Yes, report to the supervisory authority, if there are likely
  consequences to individuals as this is a loss of availability.
  Notify the data subject? Yes, report to individuals, depending on the nature of the personal
  data affected and the possible effect of the lack of availability of the data, as well as other
  likely consequences.
  Notes/recommendations: If there was a backup available and data could be restored in
  good time, this would not need to be reported to the supervisory authority or to individuals
  as there would have been no permanent loss of availability or confidentiality. However, if
  the supervisory authority became aware of the incident by other means, it may consider an
  investigation to assess compliance with the broader security requirements of Article 32.

Example v. An individual phones a bank’s call centre to report a data breach. The individual
has received a monthly statement for someone else. The controller undertakes a short
investigation (i.e. completed within 24 hours) and establishes with a reasonable confidence
that a personal data breach has occurred and whether it has a systemic flaw that may mean
other individuals are or might be affected.
  Notify the supervisory authority? Yes.
  Notify the data subject? Only the individuals affected are notified if there is high risk and it
  is clear that others were not affected.
  Notes/recommendations: If, after further investigation, it is identified that more individuals
  are affected, an update to the supervisory authority must be made and the controller takes
  the additional step of notifying other individuals if there is high risk to them.

Example vi. A controller operates an online marketplace and has customers in multiple
Member States. The marketplace suffers a cyber-attack and usernames, passwords and
purchase history are published online by the attacker.
  Notify the supervisory authority? Yes, report to lead supervisory authority if involves cross
  border processing.
  Notify the data subject? Yes, as could lead to high risk.
  Notes/recommendations: The controller should take action, e.g. by forcing password resets
  of the affected accounts, as well as other steps to mitigate the risk. The controller should
  also consider any other notification obligations, e.g. under the NIS Directive as a digital
  service provider.

Example vii. A website hosting company acting as a data processor identifies an error in the
code which controls user authorisation. The effect of the flaw means that any user can access
the account details of any other user.
  Notify the supervisory authority? As the processor, the website hosting company must
  notify its affected clients (the controllers) without undue delay. Assuming that the website
  hosting company has conducted its own investigation, the affected controllers should be
  reasonably confident as to whether each has suffered a breach and therefore is likely to be
  considered as having “become aware” once they have been notified by the hosting company
  (the processor). The controller then must notify the supervisory authority.
  Notify the data subject? If there is likely no high risk to the individuals they do not need to
  be notified.
  Notes/recommendations: The website hosting company (processor) must consider any
  other notification obligations (e.g. under the NIS Directive as a digital service provider). If
  there is no evidence of this vulnerability being exploited with any of its controllers a
  notifiable breach may not have occurred but it is likely to be recordable or be a matter of
  non-compliance under Article 32.

Example viii. Medical records in a hospital are unavailable for the period of 30 hours due to a
cyber-attack.
  Notify the supervisory authority? Yes, the hospital is obliged to notify as high-risk to
  patients’ well-being and privacy may occur.
  Notify the data subject? Yes, report to the affected individuals.

Example ix. Personal data of a large number of students are mistakenly sent to the wrong
mailing list with 1000+ recipients.
  Notify the supervisory authority? Yes, report to supervisory authority.
  Notify the data subject? Yes, report to individuals depending on the scope and type of
  personal data involved and the severity of possible consequences.

Example x. A direct marketing e-mail is sent to recipients in the “to:” or “cc:” fields, thereby
enabling each recipient to see the email address of other recipients.
  Notify the supervisory authority? Yes, notifying the supervisory authority may be obligatory
  if a large number of individuals are affected, if sensitive data are revealed (e.g. a mailing
  list of a psychotherapist) or if other factors present high risks (e.g. the mail contains the
  initial passwords).
  Notify the data subject? Yes, report to individuals depending on the scope and type of
  personal data involved and the severity of possible consequences.
  Notes/recommendations: Notification may not be necessary if no sensitive data is revealed
  and if only a minor number of email addresses are revealed.
