Jersey company failed to protect personal data

A Jersey recruitment company failed to protect personal data of it's clients and staff.

CSS Ltd suffered three separate breaches when their IT systems were attacked by a third party. They were in August 2018, November 2018 and another one between January and May 2019.

The information that was taken included identity information, travel itineraries, family information and employment documentation of clients and the names of staff members.

The Jersey Information Commissioner has investigated the breaches and has told the company to update it's systems, provide training to staff and let people know their data was comprised.

The JDPA found CSS Ltd failed to identify the unauthorised access as a “personal data breach”, they did not appreciate the significance of the breach or understand the potential impact it could have on those whose information was compromised and it failed to realise that it needed to notify the Authority that it had happened.

The JDPA said it did however, admit there had been breaches and allowed investigators to talk to staff and enter their premises, and has now updated it is IT systems and staff training.

CSS LTD responded to the news saying they thanked the office of the information commissioner for their 'support and advice following an attempt to infiltrate the IT systems'.