Outcomes - Selected Case Summaries



Unauthorized use of third-party website leads to data breach

Informal Resolution | 21 January 2022

An employee of a financial institution uploaded a corrupted pdf document containing personal data of a small number of investors (including the name, date of birth, ownership details, home address and social security number) to a third-party website in an attempt to repair the file. The data controller (the financial institution) had not approved the use of this website for this purpose, and started an investigation and reported the breach to us.

The investigation showed no evidence that the data had been accessed or used by the third-party website. The affected individuals were encouraged to look out for unusual activity on their account, and were offered a free 24-month membership with an identity theft monitoring service. Staff received additional training, and steps were taken to ensure that the third-party website did not retain the data.

We received the breach notification outside the statutory notification period of 5 days, although under the particular circumstances of this case this was not unreasonable since it took some time for the controller to investigate the matter and establish jurisdiction. The appropriate actions taken by the controller mitigated the risk of harm, and the case was closed without further action.