From RTÉ:
Irish Water has confirmed a possible breach of data protection may have occurred after it sent information packs with the wrong names to over 6,000 customers.
The water company said it occurred with packs sent to the owners of multiple properties.
The company has contacted the customers involved.
They also alerted the Data Protection Commissioner in relation to the incident, once they became aware of it on 4 September.
In a statement Irish Water said: “Our understanding is that the issuing of the letters does not constitute a breach and that the Office of the DPC are satisfied with how Irish Water have dealt with the issue”.
Read more on RTÉ.
If the letters revealed PPS numbers of customers, how many people live in a a particular property, and whether the home is rented or owner occupied, it’s not clear to me how Irish Water can claim that the letters did not constitute a “breach.” The fact that it’s not a hack or external incident does not preclude this properly being considered a breach under data protection principles. I’m pleased to see that my Irish infosec professionals Brian Honan and Daragh O’Brien agree that this is a breach.
Update: See this post by Daragh O’Brien. He had me at the Douglas Adams quote. 🙂