Outcomes - Selected Case Summaries
Serious data breach at real estate company - Betty Boo Real Estate Sales
Decisions | 27 April 2023
A complaint was made against the data controller, who had been made aware of a breach of their business email account but had not taken mitigating action. The personal data of multiple individuals was exposed, and two clients fell victim to the hackers and suffered a substantial monetary loss.
The Office of the Ombudsman investigated the matter, and found that the data controller had violated the first principle (privacy notice), the statutory requirements to report personal data breaches, and the seventh principle (lack of appropriate technical and organizational measures).
Amongst other things, the Ombudsman required the data controller to migrate her business email to a more robust platform, retain the services of IT support to ensure ongoing compliance, undertake cybersecurity awareness training and annual data protection training, and develop appropriate policies and procedures to ensure that personal data is safeguarded and maintained in compliance with the requirements of the DPA, going forward.