On Friday, the Teaching Council advised the TUI that it is dealing with an incident relating to the security of personal data of a number of teachers.
As well as informing the Data Protection Commissioner of the incident, the Council has also directly contacted the teachers affected. The following is an information note issued by the Council:
Information from The Teaching Council
The Teaching Council has identified that there was an unauthorised attempt by an external source to access a small number of email accounts on the Council’s servers.
A ‘phishing’ email was sent to a small number of Teaching Council staff. The phishing email caused a script to be activated that established an auto forwarding rule for subsequent emails being sent to the staff members concerned. This meant that emails received from those staff members were automatically forwarded to an external Gmail account for a short period of time.
This was detected as part of existing security procedures that are in place across our IT systems. Detailed and complete analysis has taken place of any emails which may potentially have been accessed and their contents. In total, 323 emails were found to have been forwarded.
Following this analysis, it has been been identified that two spreadsheets containing the registration details of a number of registered teachers were circulated internally within the Council systems and forwarded in the above emails.
The Teaching Council takes this matter and the security of data very seriously. We apologise for this incident.
The circulation of such attachments in the Council is not normal practice and steps have been taken to ensure that this does not happen again.
As a precautionary measure, and having consulted with the Data Protection Commissioner, the Council has contacted individuals whose names are included in this database to advise them of this occurrence.
This was a strictly isolated incident and the wider systems or databases of The Teaching Council have not been affected in any manner.
The Council has engaged IT consultants to investigate the matter thoroughly. They have confirmed that there have been no further unauthorised access attempts since this occurrence was detected.
While any such occurrence is very regrettable, the actions taken ensure that the problem has been confined and isolated appropriately.
Notes
The database files attached to the forwarded emails contained the names and addresses and registration status (but no email addresses, passwords, phone or financial details) of a number of teachers. It also contains PPS numbers.
There were details of 9,735 contacts on the database.
Affected individuals have been advised that the risk of a security threat is not likely but they should be vigilant if they receive any suspicious emails or written requests from unknown third parties, and to verify the identity of any unknown third party before disclosing personal data.