Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Brian Lawless/PA Wire/PA Images

Aer Lingus exposed over 100 job applicants' details in an email blunder

Candidates’ email addresses were accidentally shared with other jobseekers.

AER LINGUS REVEALED the email addresses of more than 100 people who applied for a communications job, potentially exposing their identities to other candidates through the blunder.

The IAG-owned airline apologised to the group four days after the job-hunters had their information shared in a 3 January group email.

In the correspondence, seen by Fora, Aer Lingus explained that candidates’ email addresses had been “inadvertently included” in a mass communication because their details were pasted in the ‘cc’ instead of the ‘bcc’ field.

More than 100 email addresses were shared in the original communication, which was sent after candidates completed an online test as part of their application for the communications specialist role.

“Aer Lingus would like to apologise to you for this mistake,” the airline told the affected jobseekers.

“Privacy is of the utmost importance to Aer Lingus and we are reviewing our processes to prevent this happening again.

“We are investigating how this occurred and will be taking actions to prevent any recurrence in the future which will include further training with relevant agents.”

Aer Lingus invited those who were affected to submit questions or comments directly to the company by emailing its data protection officer.

Brexit Aer Lingus CEO Sean Doyle Brian Lawless / PA Wire/PA Images Brian Lawless / PA Wire/PA Images / PA Wire/PA Images

GDPR

When contacted by Fora, a spokesman for the Data Protection Commission said the privacy watchdog had not been notified by Aer Lingus about the email blunder and it had not received any complaints from those affected by the incident.

Under EU-wide GDPR rules, which came into force last year, organisations must notify the commission of a personal data breach within 72 hours of becoming aware of it, unless the breach is “unlikely to result in a risk to the rights and freedoms of a natural person”.

The regulations state that people’s rights and freedoms may be at risk if personal data processing leads to “physical, material or non-material damage” such as identify theft or fraud, damage to the reputation, or the loss of confidentiality.

Organisations face hefty fines if they are found to have breached the data protection rules.

In a statement, an Aer Lingus spokeswoman said it had “taken steps to prevent a recurrence of such an incident” – although it did not believe the matter required reporting to the Data Protection Commission. 

“(GDPR rules state) that data breaches are not reportable … in circumstances where the breach is unlikely to result in a risk to the rights and freedoms of natural persons,” she said.

“Accordingly, given the nature of this incident, Aer Lingus was not of the view this threshold had been reached.”

She added that Aer Lingus had not received complaints from any of the email’s recipients about the incident.

Get our NEW Daily Briefing with the morning’s most important headlines for innovative Irish businesses.

Written by Conor McMahon and posted on Fora.ie

Close
Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel