The process of assessing the personal data that was released on the dark web, together with the identification of affected individuals, has now been completed. This also involved the categorisation of affected individuals, taking a risk-based approach, based on the nature of the personal data breached for those individuals.
The issuing of direct communications by email or post to affected individuals in accordance with our data subject notification obligations has commenced.
This direct communication will let recipients know what kind of personal information was released and what measures should continue to be taken to mitigate any risk that personal data may be used unlawfully.
This is expected to take several weeks to complete and we will issue a further update once all communications have been issued.
Please note that in some instances an individual notification is not deemed necessary in light of the nature of the personal data affected by the attack (for example if the data was limited in nature or where the relevant individual was not identifiable from the data affected). However, as a matter of good practice, you should continue to follow the general fraud prevention advice given in our general communications or visit www.fraudsmart.ie.
We continue to liaise with the Data Protection Commissioner’s Office in relation to our compliance and data subject notification obligations in this regard and more generally.