Someone pretending to be a Tusla agency worker gained entry to a residential unit for children and “obtained unauthorised access” to their personal data, records released to The Irish Times show.

The “high-risk” incident happened when the individual used the “credentials of an authorised person working at the unit” rostered that night.

They remained at the unit overnight, with access to the children, their files and the personal data of people who worked there.

“The ‘unauthorised party’ was acting with the assistance of the ‘authorised operative’,” the records also stated.

“The other authorised staff who were coming off duty or coming on duty would not have known of the full identity (other than name) of the other external recruitment agency worker who was rostered to work that night shift, as this was a recent recruit who the staff would not have worked with before.

“Therefore, ‘bona fides’ of the ‘bad actor’ were not in question and [other staff] had no reason to suspect ‘personation’/‘false identity’.”

The incident, which happened on June 27th, 2023, was reported to Tusla’s data protection unit three days later. The affected children, staff and the Data Protection Commission were alerted.

A review of this incident found “no suggestion that any service user was adversely impacted”, a Tusla spokesman said.

Details of the incident, which was categorised “high risk” and as an “access control deficit”, are contained in a large release of records under the Freedom of Information Act on personal data breaches at Tusla, which is the Child and Family Agency.

They show there were 2,184 breaches between 2019 and the end of 2024, with about 150 more to July 5th this year.

In another high-risk incident, files containing “personal data” were missing for 26 years when found in the “private home” of a former Tusla staff member. The incident in the southeast came to light in January last year.

“Staff member had originally taken the files home in 1998 to work on and had left them in a home study where they went unnoticed/undiscovered until recently,” a description states.

“Files were absent (location unknown) and unavailable to Tusla (and predecessor agencies) during this period when business needs did arise that required access by Tusla to some of the files.

“No backup copies of the data were available to Tusla during the period the data was absent from Tusla control.”

It was recorded as a “misplaced/lost/exposed record or device”.

Almost a quarter (515) of the breaches during the six years were “high risk”, with 58 per cent (1,274) categorised as “low risk”, 11 per cent (243) “zero” risk and 6.5 per cent (143) “medium” risk.

In 2021 about a third (117 out of 362) were high-risk breaches.

The most common breaches (706) were emails sent to the wrong address. A total of 383 were caused by “information overshare”. This could be when a file was sent to a person with their own details, but also containing details about other people they had no right to see.

A breach similar to this allegedly occurred this year when the whereabouts of a mother and child fleeing abuse were provided to their alleged abuser.

The alleged abuser had sought their own file from Tusla following an allegation of abuse against them.

David Hall, chief executive of Sonas domestic violence charity, which was accommodating the mother and “very young child”, said Tusla failed to redact both the name of the shelter where the woman and child were staying and that of a domestic violence support worker who reported the alleged abuse, putting them all “at risk”.

When the alleged breach came to light in March, he said the data of women and children fleeing domestic violence were “not safe”.

On Friday he said he had not received satisfactory assurances from Tusla that “vulnerable women and children’s” data was safe.

Other breaches since 2019 include 348 incidents of “misplaced/lost/exposed record or device”; 273 “incorrect record shared”; 120 “access control deficit”; and 35 “misdirected phone call or message” – including Tusla staff leaving messages with the intended recipient’s personal details on the wrong number.

Tusla’s national adoption information and tracing service had the highest volume of high-risk breaches between 2022 and 2024 – accounting for 19 per cent (56) of the 295 such breaches in those years, mainly concerning too much information released to people seeking their birth and early-life history, including information about other people.

These new figures come as the cost to Tusla since 2020, due to personal data breaches, tops €500,000.

Figures released under FoI show the agency has paid damages of €134,500 for data breaches since 2022, incurring related legal costs of €177,164.

These are in addition to fines levied by the Data Protection Commission (DPC) in 2020 totalling €200,000. The DPC conducted three investigations into Tusla in 2020 for alleged breaches of the EU’s General Data Protection Regulation (GDPR), resulting in separate fines of €75,000, €40,000, €50,000 and €35,000.

The DPC ordered Tusla to “bring its processing operations into compliance … by implementing appropriate organisational measures to ensure a level of security appropriate to the risk”.

Breaches have, however, increased since – from 362 in 2020 and 362 in 2021 to 408 for 2022, 481 in 2023 and 441 last year.

The DPC has not investigated Tusla since August 2020, a spokesman confirmed, but has “continued to engage with Tusla after the conclusion of all inquiries undertaken to ensure that the orders contained within the decisions issued were complied with. In addition, the DPC has regular and ongoing engagement with Tusla like we have with all other public sector bodies”.

The Irish Council for Civil Liberties said the number of breaches was “very concerning”.

“Tusla processes very sensitive data about vulnerable people, including children. We are not just talking about people’s rights to privacy and data protection, but also in some cases their safety,” it said.

“These figures raise serious questions about how Tusla is carrying out its obligations under the GDPR and what policies and protocols are in place. The Data Protection Commission should examine these figures and take appropriate action.”

A Tusla spokesman said: “Due to the large volume of data we process daily … breaches occasionally and regrettably occur, which can have a significant impact on those involved.

“We are fully aware of our responsibilities regarding the handling of sensitive data, and we take all breaches very seriously.

“In the case of any data breach, we will react quickly to inform impacted persons or their parent/caregiver of the breach, identify the cause and undertake a full assessment and comprehensive risk evaluation.

“Tusla conducts systematic reviews of all reported breach incidents, and we adapt and update training and operational practices to mitigate against similar breaches occurring in the future.

“We will continue to work with the DPC with full transparency on the matter, as appropriate. Where required, we take all possible steps to recover the information subject to the breach.

“Over the last number of years, a comprehensive programme of work has been under way … to improve awareness in relation to data breaches, ensure staff are aware of their duty to report all breaches and to mitigate the risk of data breaches occurring.

“Over the last year there has been a 63 per cent reduction in ‘high-risk’ breaches, a 29 per cent reduction in ‘misaddressed post’ and an 18 per cent decrease in ‘information overshare’ breaches.”