Colin Monaghan, Anthony Strogen, Deirdre Munnelly, and Rosemary Lynch of Mason Hayes & Curran LLP write:
European Union, Ireland February 17 2023
The recent significant Circuit Court decision in the case of Gary Cunniam v Parcel Connect Ltd t/a Fastway Couriers Ireland & Others now provides useful guidance on the view of the Irish Courts in matters related to data breach claims. Importantly, the judgment will have a tangible impact on data breach claims which are pending or contemplated. We examine the key points of the judgment and what it means for the defence of data breach claims in Ireland.
Background of the claim
The plaintiff’s claim in Cunniam relates to a cyber-attack on the operations of Fastway Couriers in February 2021, in which delivery information relating to approximately 450,000 people was hacked, and was one of a number of claims brought against Fastway Couriers. The claims brought by the plaintiff were for non-material damage only and no defence had been delivered by the three defendant entities, together trading as Fastway Couriers.
The defendants sought a stay of the plaintiff’s proceedings pending the outcome of six preliminary references made to the Court of Justice of the European Union (CJEU). The references cited relate to questions from national courts concerning the application of liability in cases involving a hacking incident or cyber-attack, and the appropriate test for non-material damage. The first of these preliminary references which is likely to be determined is Case C-300/21 – UI v Österreichische Post AG. This is expected to give clarity to the issue of non-material damages in data breach claims under the GDPR.
Read more at Lexology.
This breach was found by a researcher called Alex Gor. He posted his finding and the backstory to the Irish software development sub reddit.
In essence Fastway were not hacked, they has no security on server open to the internet. Essentially giving away data given to them by other companies who contracted them to make deliveries on their behalf.
There was no cyber attack, they were not a victim- Fastway were simply reckless.
[link to reddit redacted as per comment links policy]
Thanks. I took a look at Gor’s detailed posts on DevelEire subreddit and some of the comments. So it was a leak and not a hack according to Gor, and it’s “shoot the messenger” time? Why is it still being referred to as a cyberattack or hacking incident in the court?