The latest data breach in the HSE has resulted in the medical records of up to 1,500 individuals being compromised.

It is understood that a private IT contractor who was supervised by a HSE staff member downloaded the records on to an unencrypted USB Key and brought the device home that night. He then later emailed the records to a mistyped email address.

An internal investigation within the HSE is said to be underway however the patients whose information has been compromised have not been informed.

Security researchers from Argentina have penetrated the well known Pirate Bay torrent website. It is thought that details of more than four million people have been compromised.  SQL injection is believed to have been used to compromise the website and it’s users details.

The website was shut down for several hours before it was later re-enabled with the security holes closed.

On September 1st last year Eircom blocked it’s customers from accessing the Pirate Bay website after a series of complaints from the IRMA.

The Pirate Bay has recently moved it’s website to Swedish Government servers with the aid of it’s political backers in order to potentially protect it legally from closure.

Irish companies that loose the personal data of more than 100 people will be obligated by law to report the breach to the authorities according to the new rules proposed by the Data Commissioner.

The only instance where a company or organisation can avoid having to report the breach is ensuring that data is encrypted and protected by a strong password, or in the case of lost or stolen equipment that a remote memory-wipe feature on a device be activated immediately.

In 2008 the Irish Government ordered a review to determine whether or not reporting obligations protected individuals sufficiently. It recommended that some kind of official guidance was necessary in the event of a breach.

The Irish Data Protection Commissioner has now published a draft Code of Practice outlining exactly when reports to him must be made.

“I have sought to bring forward a draft Code as quickly as possible after the Review Group report to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations,” said Irish Data Protection Commissioner Billy Hawkes.

In the event of an organisation loosing data comprising of sensitive medical or financial data then this must still be reported even if fewer that 100 people are involved.

“Data controllers who are required to report to the Office of the Data Protection Commissioner in accordance with this Code must do so within two working days of becoming aware of the incident,” said the guidance.

“Such data controllers are required to provide a detailed report of the incident reflecting careful consideration of … the amount and nature of the personal data that has been compromised; what action is being taken to secure and / or recover the personal data that has been compromised; what actions are being taken to inform those affected by the incident or reasons for the decision not to do so; what actions (if any) are being taken to limit damage or distress to those affected by the incident; and a chronology of the events leading up to the disclosure,” it said.

“The Office of the Data Protection Commissioner will investigate the issues surrounding the data breach,” it said. “Investigations may include on-site examination of systems and procedures and could lead to the use of the Commissioner’s legal powers to compel certain actions. Such actions may include a recommendation or requirement to inform data subjects about a security breach incident where a data controller has not already done so.”

The draft code of practice can be found here.

In the U.K. in April 2010 The Information Commissioner for the first time gained the power to fine organizations for violating the Data Protection Act. Fines up to £500,000 can be levied. In the case of Banks and Insurances companies other agencies have the power to impose even greater fines.

The European Union approved a data breach notification law last year as part of telecoms law reforms however this law only applies to telecoms firms. The Commission and Council rejected EU Parliament proposals to have the law apply to businesses that operate online, such as shops and banks.

Gardai are investigating a number of complaints from Small business owners in the Midlands and West of the Country who have been hit by cyber attacks.

Hackers have gained access to the computer systems of these businesses, encrypted data such as client files, order books and are now demanding ransom for the release of the data. Understandably this could cripple any sized business. Without proper security measures in place these businesses are effectively leaving themselves wide open to attacks such as these.

The worrying aspect of this is that most businesses in Ireland do not have adequate IT Security systems in place and are not aware of the seriousness of what can happen without proper protection.

Click here to read more on RTE’s website.