Personal data of 9,735 teachers shared after ‘phishing’ email breach
The personal data breach occurred when a phishing email was accessed by two staff members of the Council, allowing then for the creation of an auto-forward rule from their email accounts to a malicious email account. As a result, between 17 February 2020 and 6 March 2020 when the auto-forward rule was discovered, 323 emails were forwarded to the unauthorised external email address. The emails contained the personal data of 9,735 data subjects and the sensitive personal data of one data subject.
Who was affected?
The council holds personal data on 104,000 serving and retired teachers, those who have been affected by the breach have been notified. Information leaked included name, address, PPS number, Teaching Council registration number, the month they joined the register, and their renewal date. No financial information, or email addresses, were disclosed.
Steps carried out?
The Teaching Council notified the DPC on the 9th of March 2020 of the incident, and have stated that it was a strictly isolated incident and the wider systems or databases of the Teaching Council had not been affected. The circulation of such attachments in the council is not normal practice and steps have been taken to ensure that this does not happen again.
What to do if you are affected by the breach?
Affected individuals have been advised that the risk of a security threat is not likely, but they should be vigilant if they receive any suspicious emails or written requests from unknown third parties, and to verify the identity of any unknown third party before disclosing personal data.
If you have been notified by the council that your information has been involved in the breach, please contact our team, who would be happy to help with any queries you have.