Background
Luas, and its operating company Transdev (“Luas”), were recently targeted in a cyber attack in which the personal data of over 3,000 users on the Luas website was compromised. As part of the attack, content was removed from the Luas site and a message posted in lieu stating that the perpetrators had control of the site, demanding the sum of one Bitcoin (valued at €3,402 at the time) in ransom. Information security experts have since indicated that the breach was limited to the names and email addresses of those users who accessed the website to send messages to Luas through a standard webpage form. At the time of writing, a limited version of the Luas website has returned to operations, although there has been no indication of when the full site will be reinstated.
The Breach
Under Article 33 of the General Data Protection Regulation (“GDPR”) there is an obligation to notify the relevant body (here being the Data Protection Commission (the “DPC”)) of a data breach unless that breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Given that the only personal data processed by the Luas website was email addresses and names submitted to it (payment for any penalties took place through a third-party service provider), it is arguable that the associated risks were/are minimal. Notwithstanding this, Luas notified the DPC within 72 hours; it is often recommended that any entity which suffers a data breach liaise with the DPC irrespective of the notification requirement. The DPC has stated that they will publish guidelines on when notification is required in due course.
Remember, in addition to notifying the relevant supervisory authority, there may also be a duty, under Article 34 of the GDPR, to inform the affected data subjects when a breach occurs. The threshold for such notification is higher, however, being a “high risk” to the rights and freedoms of the data subjects as a result of the data breach.
Penalties
As we know, Article 83(5) of the GDPR provides that a data controller may be liable for a fine of up to 4% of global annual turnover or €20 million, whichever is the higher, for more significant breaches of the GDPR. However, this particular breach may be more likely to be found to contravene Article 32 on security of personal data, in which case the maximum fine would be the higher of 2% of global turnover or €10 million.
The degree to which the target of a data breach complies with their obligations under the GDPR (or the Irish Data Protection Act 2018) will often dictate the level of penalty imposed, together with the nature, gravity and duration of the infringement, the categories of personal data affected, and any previous infringements by the data controller. Organisations should also be alive to the potential for claims by data subjects affected by a breach, as the GDPR gives any person who has suffered material or non-material damage as a result of an infringement of the GDPR the right to receive compensation from the data controller (Article 82(1)). These provisions have yet to be properly tested in court, yet organisations ought to be aware of the potential for the judiciary to impose heavy fines in the absence of any guidance to date.
Mitigating the Breach
Here, Luas took its website down in order to minimise and ascertain the extent of the attack. Additionally, the company posted a message on the website and to social media stating that they had contacted the DPC in relation to the breach and that they are revising their online security measures. In light of these mitigating actions, and the seemingly limited risks to data subjects’ personal data, actual loss, both to Luas and its customers, may be limited. However, the breach has demonstrated that a thorough review of all of Luas’ IT infrastructure and cyber-security systems needs to be undertaken by Luas urgently in order to avoid a more harmful data breach and more significant action by the DPC – something which the perpetrator may have been trying to demonstrate. Given the recent examples of how technology has disrupted infrastructure on a global scale – from drones at international airports to State-backed attempts to gain control of utility providers – the potentially catastrophic impact of a more severe breach cannot be overstated.
The Track Ahead
Despite having received a disproportionate level of media attention, the attack on the Luas website ranks on the lower end of the severity scale. While personal data is likely to have been accessed by third parties, such data appears to have been limited to the names and email addresses of a website user subset. This is a good example of the types of breaches which are becoming more common and are being faced by all types of businesses which process personal data daily.
It is often the perception that data breaches are only significant for large multinationals or companies operating in the online sphere, with the recent Facebook breaches being an example. However, the reality is that any business may be targeted. Given the risk of reputational damage due to a breach, prevention is better than cure when it comes to taking measures to safeguard personal data.
Furthermore, in order to comply with the requirements of the GDPR and Data Protection Act 2018, it is necessary that businesses implement both technical and organisational measures to minimise the risk of such a breach together with ensuring that processes are developed and are adhered to in the event of a breach occurring. Ensuring compliance and minimising risk ought to be to the forefront of any entity which suffers a similar attack.