
University of Limerick fined €98,000 for data breaches


University of Limerick (UL) has been fined €98,000 by the Data Protection Commission (DPC) following an investigation into a series of personal data breaches.

UL notified the DPC of 12 breaches that occurred between November 2018 and January 2020.

In six of the cases, unauthorised people gained access to the employee email accounts of UL staff members by means of phishing attacks.

The unauthorised users were able, in some cases, to set up forwarding rules which diverted emails containing specified keywords to a folder they had created in the user's mailbox.

The compromised email accounts contained personal data including identity information, contact details, PPS numbers, bank information, medical or legal documentation, staff disciplinary and HR records, and data belonging to students, staff, and external parties.
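The mailbox rules described above (a keyword filter that quietly diverts matching mail to a folder the intruder created) are one of the things a defender can audit for. The following is an added illustration, not code from UL, the DPC or any mail product: it triages constructed inbox-rule audit records, whose field names are an assumption rather than a real log schema, and flags rules that divert mail on sensitive keywords or forward it outside the organisation.

```python
"""Triage inbox-rule creation events for mailbox-diversion patterns.
The RuleEvent field names and the sample records are constructed for
this example; map them onto your own audit log before use."""
from dataclasses import dataclass
from typing import Iterable

# Terms drawn from the kinds of data the page says the mailboxes held.
SENSITIVE_KEYWORDS = {"pps", "bank", "iban", "payroll", "medical", "disciplinary", "password"}
INTERNAL_DOMAIN = "@ul.example"  # assumed placeholder for the organisation's domain

@dataclass
class RuleEvent:
    user: str             # mailbox in which the rule was created
    subject_words: tuple  # keyword condition on the subject/body
    move_to_folder: str   # destination folder, "" if the rule does not move mail
    forward_to: str       # forwarding address, "" if none
    mark_as_read: bool    # hides diverted mail from the owner's unread view

def assess_rule(ev: RuleEvent) -> list:
    """Return the reasons a rule looks like diversion; empty list if benign."""
    reasons = []
    hits = sorted({w.lower() for w in ev.subject_words} & SENSITIVE_KEYWORDS)
    if ev.forward_to and not ev.forward_to.lower().endswith(INTERNAL_DOMAIN):
        reasons.append(f"forwards mail to external address {ev.forward_to}")
    if hits:
        # A keyword filter only matters when the matching mail is then hidden.
        if ev.move_to_folder:
            reasons.append(f"diverts mail matching {hits} to folder '{ev.move_to_folder}'")
        if ev.mark_as_read:
            reasons.append("marks diverted mail as read")
    return reasons

def triage(events: Iterable[RuleEvent]) -> dict:
    """Map each mailbox with a suspicious rule to the list of reasons."""
    findings = {}
    for ev in events:
        reasons = assess_rule(ev)
        if reasons:
            findings[ev.user] = reasons
    return findings

# Constructed sample: a benign housekeeping rule and a diversion rule.
SAMPLE = [
    RuleEvent("alice@ul.example", ("newsletter",), "Reading", "", False),
    RuleEvent("bob@ul.example", ("bank", "PPS"), "Archive-old", "", True),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE).items():
        print(user, "->", "; ".join(reasons))
```

Rules that both match sensitive terms and move or hide mail are the ones worth a call to the mailbox owner; a plain move-to-folder rule without a keyword filter is left unflagged to limit noise.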

Following its investigation, the DPC has found that UL did not implement appropriate technical and organisational measures to ensure the security of personal data as required by the General Data Protection Regulation (GDPR).

The DPC also found that the university failed in three cases to inform the people affected by a high-risk breach without undue delay.

The DPC said the fines of €98,000 are "substantially lower than the maximum fines proposed in the draft decision" because of UL's engagement and cooperation with the investigation.

"The DPC commends University of Limerick’s engagement with the DPC since being presented with the DPC’s proposed findings in a draft version of its decision," the DPC said in a statement.

"The final administrative fines reflect the mitigation occasioned by University of Limerick accepting the majority of the findings in the draft decision, acknowledging responsibility for significant infringements, and proactively taking steps to improve its systems, training, and policies, in order to reduce the likelihood of similar breaches occurring in the future," it added.

UL said there is no evidence that any personal data was extracted from employee email accounts as a result of the incidents.

"At the time the inquiry commenced, UL had already started a programme of improvement in the areas of IT security and data protection," a spokesperson said.

"UL then accelerated this programme and has invested substantial resources and time to strengthen its IT security and data protection arrangements," it said.

"UL continues to monitor the cyber threat landscape and is adapting its security measures to these threats on a continuous basis," the university said.