State departments hit by 2,000-plus data breaches since 2019

Most violations of data minor with 1,100 incidents at Department of Social Protection

There have been more than 2,000 data breaches across Government departments since 2019, information released through the Oireachtas shows.

Statistics from the 15 departments show the Departments of Social Protection, Foreign Affairs and Justice experienced the highest numbers of breaches in recent years. More than 400 breaches have taken place so far this year.

The information was provided to Aontú leader Peadar Tóibín TD on foot of parliamentary questions.

The responses suggest the majority of breaches were minor in nature but several departments and agencies have accepted there were breaches that were considered “high risk”. Most of the breaches have been notified to the Data Protection Commission.


The department with most breaches has been Social Protection which reported 1,100 since 2019.

Minister for Social Protection Heather Humphreys said every data breach was a matter of great concern but the number of confirmed breaches had to be viewed in the context of the scale of the business of her department, which processes almost two million applications and spends €30 billion each year.

Customer information

“In 2020, the department provided services to an extraordinarily high volume of customers. At one point, the department was processing over 50,000 claims per day. At its peak, in early May 2020, 602,000 were in receipt of the pandemic unemployment payment (PUP). Just under 20 million PUP payments have been made to nearly 900,000 people providing income support of some €7.5 billion to date,” she said.

“The vast majority of the confirmed data breaches relate to incidents where customer information was accidentally and inadvertently disclosed to third parties, eg letters incorrectly addressed. In each of these incidents, the department followed procedures in accordance with data protection legislation,” added Ms Humphreys. “Every effort was made to secure data as quickly and efficiently as possible .”

Minister for Foreign Affairs and Defence Simon Coveney disclosed one serious breach in the Department of Defence.

“One case, deemed to be a high risk to the rights and freedoms of an individual data subject [person], was notified to the data subject and the Data Protection Commission, in line with GDPR requirements,” he said.

Threat levels

“My department also implements a programme of continuous review in relation to ICT security in order to keep up-to-date with evolving threat levels and to respond appropriately. For security and operational reasons, it would not be appropriate for me to comment on specific details in relation to cybersecurity.”

Responding to the breaches, Mr Tóibín said: “Given the events of the past week, in terms of the HSE and Department of Health cyberattack, a lot of questions have been posed about the security of data in the State. It has always been apparent to me how exposed we are to data theft and cyberattacks.

“Last year, the National Cyber Security Centre was given a budget of only €5 million.”

He said the figures did not show the number of data breaches recorded in the Health Service Executive or Department of Health. They were unable to do so because of the impact of last week’s cyberattack. It is certain that the overall total for the three years would have been much higher had that information been disclosed, he added.

Mr Tóibín described the 362 data breaches experienced last year by Tusla, the child and family agency, as “staggering”.

Harry McGee

Harry McGee

Harry McGee is a Political Correspondent with The Irish Times