Digital Rights Ireland

Even more social welfare leaks

Today’s Irish Independent has details of yet another case of a civil servant in the Department of Social and Family Affairs selling personal information to the media. As before, there is no evidence of any official inclination to take these cases seriously – the offender in this case was allowed to resign and no further action taken against her. And yet again serious questions arise:

* Why wasn’t this case referred to the Gardaí for criminal prosecution?
* How did it take a full year to take action against her?
* Who was responsible for the decision to allow her to resign and to allow the matter to be brushed under the carpet?

Official gave private details to media in new leak shock

Tuesday October 16 2007

A SENIOR civil servant has resigned after she was found to have improperly accessed and passed on personal records of up to 40 individuals.

The married woman, who worked at the Department of Social and Family Affairs for at least 16 years, was accused of passing on information to a Sunday newspaper, which then published the confidential details. She was found to have improperly accessed the records of many others, including high- profile individuals.

Breached

The leaks — which breached the Data Protection Act — only emerged after the department received a solicitor’s letter from a woman whose social welfare details were published by the newspaper.

The breach came two years after a department employee was found to have passed on confidential information to his criminal brother, who then burgled a man and attempted to extort money from three men.

The improper access also occurred despite an investigation being carried out by the Data Commissioner, after the details of Euromillions winner, Dolores McNamara, were viewed by over 100 employees.

The victim — whose identity is known to this newspaper — was separated from her husband. He had just completed a multi-million euro property deal and days later she found her name, date of birth, new address and social welfare benefits published in the national newspaper.

She was immediately suspicious, as details of her address were included in the article, details she had passed on to the department just two weeks earlier.

An immediate investigation was launched and the computer use of a senior staff officer was examined.

“The results of our examination reveal that this officer accessed eight very high profile cases in addition to the two mentioned,” the internal documents state.

“It is also noted that 30 other cases from all parts of the country were accessed.”

They questioned her and pointed out that some of the individuals were public figures. In many cases she was the only department official to have accessed the details, and in most cases an article appeared in a newspaper just days later.

In the majority cases she said she “couldn’t remember” why she had opened the electronic files or said she had “no explanation” for her behaviour.

“She was advised that, in addition to the issue regarding access in the previous cases, that in each instance in the following nine cases an article appeared in xx newspaper [paper's name removed] some two to three days after she had accessed the system,” officials wrote after interviewing her.

She admitted to accessing the details but claimed she had never “intentionally” passed on any information to a third party.

However, she was warned that her actions amounted to grave misconduct and if she did not submit a plausible explanation for her actions, she would be dismissed. Just two days later, in May of last year, she offered her resignation.

Stress

“This entire episode has caused me considerable stress and upset so for health reasons I consider that I should just simply resign at this juncture,” she stated in a letter to the department.

She was given ample opportunity to offer an explanation for her conduct but failed to do so.

She claimed she was suffering from health problems as a result of the stress and worry and, for this reason, her resignation was accepted instead of sacking her.

“On balance, resignation might be reluctantly accepted taking everything into account,” officials decided in August last year, almost a full year after her misconduct was discovered.

3 comments October 16th, 2007

Yet more social welfare leaks

Today’s Irish Independent reveals still more leaks from the Department of Family and Social Affairs, along with information that the leaks were used by criminals to target their victims. As we’ve said before, there is a systematic problem of staff in public bodies abusing sensitive personal information, and no evidence of any political will to stop it. This case raises some serious questions:
* It is apparently “common practice” among department employees to be “checking people casually”. What does the Minister intend to do about this? How many employees have been sanctioned for doing this?
* Why did the Department conceal this case and express concern that it might “go public”?
* Why did the Department fail to discover this leak, acting only when notified by Gardai?

If you share our concern, you can click here to email the Minister, Martin Cullen looking for answers.

Full text:

Civil servant mole leaked intelligence to criminal

Security fears after top official gave information to his criminal brother

THE security of everyone’s personal and financial details is in serious doubt after a civil servant mole leaked highly sensitive information to his criminal brother.

The Irish Independent can reveal the brother used the key information, which is held by the Government, to burgle one man and attempt to extort money from three businessmen.

The mole worked in the Data Protection Section of the Department of Family and Social Affairs and broke the Official Secrets Act by passing on the details.

He later admitted to officials that it is common practice amongst civil servants to check up on the financial status of friends, family and acquaintances.

The married father passed on information including PPS numbers and the earnings of the men targeted by his criminal brother. Other records accessed out of “curiosity” were those of a politician, pop star and a “notorious criminal”.

The department was unaware of the breach until detectives from the National Bureau of Criminal Investigation contacted officials and told them the criminal had the sensitive information in his possession, and he had received it from his civil servant sibling.

It can also be revealed that there have been a number of breaches since, with employees deliberately leaking sensitive information to third parties.

A file on the matter was sent to the DPP but the department has refused to reveal the outcome of the investigation into the leaking of sensitive and confidential information.

The former employee:

* Checked personal details of colleagues and that of former acquaintances;

* Told his bosses that it was “common practice” among department employees to be “checking people casually”;

* Claimed he looked up classified information out of “nosiness” and “curiosity”.

When the breach was discovered it was feared he maliciously tampered with other records.

The documents, which have been released under the Freedom of Information Act to the Irish Independent, also reveal that department officials were anxious about the serious breach becoming public knowledge.

Emails sent between officials assigned to gather background information on the employee and his activities state: “You need to be aware of this. The risk that this could go public is genuine.”

So serious was the breach that teams from eight different sections within the department were drafted in to carry out the internal investigation.

Documents show the illegal activity emerged in April 2003 when gardai sent a letter to the department about their investigation into “three attempts to extort monies from businessmen” in the Dublin region.

“When X was arrested he had possession of a piece of paper which contained the name, address, former address, date of birth, PRSI No and amount earned the previous year,” the garda document stated.

Gardai pointed out the accused had a brother working in the department and asked that a full audit be carried out to ascertain had he accessed confidential details of the three men.

The former employee — who was sacked as a result of his improper conduct — had access to the Central Records System (CRS) of the department.

An inter-departmental email sent after he had been interviewed read:

“A member of staff is alleged to have obtained particulars of an individual from CRS, notified these particulars to his brother who initially committed a burglary on the person in question, and later used the information in the context of extorting money from the victim.

“The brother has been arrested and charged in relation to these offences. Our staff member has also been arrested. He has not yet been charged but I am advised he has admitted to obtaining the victims’ details and providing them to his brother. Gardai expect that he will be charged.”

Scrambled

Officials also frantically scrambled to establish how much computer privilege the employee had and whether he had deliberately amended personal details. “Could he edit/amend records?” one official asked a colleague by email.

“It is not clear what he was doing in accessing these accounts — some with great frequency — so we must eliminate what possibilities exist for him to tamper. He is very bright and has previously worked in the IT sector so would be a good candidate for picking up ways to do things!!”

During an interview the accused said civil servants commonly checked personal details of people they knew.

“He instanced that it was said to him early on … that he was married, before colleagues would have learned of this through conversation etc,” a transcript of the interview read. “He maintained ‘You know we have Civil Servant access here’ was said to him at one point.”

The employee admitted illegally accessing and passing on the information and tendered his resignation. He later withdrew but was subsequently sacked. Information held by the department includes name, date of birth, PPS number and any benefits being claimed, or claimed in the past.

Add comment October 15th, 2007