DPC Fines University of Limerick €98,000 Over 12 Phishing-Related Data Breaches
Summary
The Data Protection Commission issued its decision IN-19-7-1 on 10 December 2025, finding University of Limerick liable for multiple GDPR infringements following 12 personal data breaches between November 2018 and January 2020. In six breaches, unauthorised persons accessed UL staff email accounts via phishing attacks, with some setting up forwarding rules to divert emails with specified keywords. The compromised accounts contained identity information, PPS numbers, bank details, medical and legal documentation, and HR records. The DPC imposed total administrative fines of €98,000 across four categories and issued a reprimand pursuant to Article 58(2)(b) GDPR.
“The DPC found that UL did not implement appropriate technical and organisational measures to ensure the security of personal data as required by Articles 5(1)(f) and 32(1) GDPR.”
Higher education institutions and large data controllers should audit their email security controls, 72-hour breach detection and notification procedures, Article 34 high-risk assessment processes, and Article 30 records of processing. The DPC's own-volition inquiry authority under sections 110-111 of the Data Protection Act 2018 means that past breaches may be investigated long after the breach occurred.
What changed
The DPC found that UL failed to implement appropriate technical and organisational measures to ensure email system security as required by Articles 5(1)(f) and 32(1) GDPR, maintained a non-compliant record of processing activities under Article 30(1) GDPR, filed three breach notifications more than 72 hours after becoming aware of them in breach of Article 33(1) GDPR, and failed to inform affected persons without undue delay in three high-risk breach cases under Article 34(1) GDPR.
Higher education institutions and large data controllers should treat this decision as a reminder that the DPC actively pursues own-volition inquiries and imposes meaningful fines even where entities have subsequently remediated deficiencies. The reduction of proposed fines due to UL's cooperative engagement demonstrates the value of proactive cooperation, but does not eliminate the obligation to maintain GDPR-compliant security controls, breach notification procedures, and processing records from the outset of processing activities.
Penalties
Administrative fines totalling €98,000: €45,000 (Articles 5(1)(f) and 32(1) GDPR - security measures); €3,000 (Article 30(1) GDPR - records of processing); €35,000 (Article 33(1) GDPR - breach notification timing); €15,000 (Article 34(1) GDPR - data subject notification)
Archived snapshot
Apr 23, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Inquiry concerning the University of Limerick – December 2025
IN-19-7-1
Date of Decision: 10 December 2025
This Decision arises from an own-volition inquiry into the University of Limerick (‘UL’) following a series of personal data breaches that occurred between November 2018 and January 2020. The temporal scope of the Inquiry is from May 2018 to January 2020.
Between 30 November 2018 and 20 January 2020, UL notified the Data Protection Commission (‘DPC’) of 12 personal data breaches, in six of which unauthorised persons gained access to the employee email accounts of UL staff members by means of phishing attacks. In some cases the unauthorised users were able to set up forwarding rules which diverted emails containing specified keywords to a folder they had created in the user’s mailbox. The compromised email accounts contained personal data including identity information, contact details, PPS numbers, bank information, medical or legal documentation, staff disciplinary and HR records, and data belonging to students, staff, and external parties.
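As an added example, not part of the DPC decision or the GovPing page: a small Python audit over a constructed export of mailbox rules that flags the diversion pattern described above (keyword-matched messages moved to a folder the owner is unlikely to check, or forwarded outside the organisation). The rule record shape, the domain `example.edu`, the keyword list and the sample rules are all assumptions; a real export from a mail platform would need mapping into this shape.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed values: the organisation's own mail domain and the keywords worth flagging.
INTERNAL_DOMAIN = "example.edu"
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "bank", "password", "salary", "payroll"}

@dataclass
class InboxRule:
    """Simplified, constructed representation of one mailbox rule."""
    mailbox: str
    name: str
    subject_contains: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False

def audit_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks like a diversion rule; empty list if benign."""
    reasons = []
    hits = sorted(k for k in rule.subject_contains if k.lower() in SUSPICIOUS_KEYWORDS)
    hides_mail = rule.move_to_folder is not None or rule.delete
    if hits and hides_mail:  # keyword-triggered move/delete, as in the UL breaches
        dest = rule.move_to_folder or "Deleted Items"
        reasons.append(f"keyword-triggered diversion {hits} -> '{dest}'")
    external = [a for a in rule.forward_to if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:  # any forward leaving the organisation is worth a look
        reasons.append(f"forwards to external address(es) {external}")
    if rule.forward_to and rule.delete:  # forward-and-delete hides the exfiltration
        reasons.append("forwards then deletes, so the owner never sees the message")
    return reasons

def audit(rules: List[InboxRule]) -> Dict[Tuple[str, str], List[str]]:
    """Map (mailbox, rule name) to findings for every rule that raised at least one."""
    per_rule = (((r.mailbox, r.name), audit_rule(r)) for r in rules)
    return {key: reasons for key, reasons in per_rule if reasons}

# Constructed sample export: one benign rule and two that match the breach pattern.
SAMPLE_RULES = [
    InboxRule("a.lecturer@example.edu", "Newsletters", ["newsletter"], move_to_folder="Reading"),
    InboxRule("b.admin@example.edu", ".", ["invoice", "payment"], move_to_folder="RSS Feeds"),
    InboxRule("c.finance@example.edu", "Fwd", forward_to=["drop@mail-example.test"], delete=True),
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_RULES).items():
        print(key, reasons)
```

Running the audit on a scheduled export, and alerting on any new finding, gives the early signal that the 72-hour notification clock depends on.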
The DPC carried out this Inquiry under sections 110-111 of the Data Protection Act 2018. It assessed UL’s compliance with Articles 5(1)(f) and 32(1) GDPR (implementation of appropriate technical and organisational measures to ensure appropriate security of the personal data processed on its email service); Article 30(1) GDPR (maintenance of a record of processing activities); Article 33(1) GDPR (notification to the DPC of personal data breaches without undue delay, and in any event within 72 hours of becoming aware of them); and Article 34(1) GDPR (notification to concerned data subjects without undue delay of personal data breaches assessed to pose a high risk).
The DPC found that UL did not implement appropriate technical and organisational measures to ensure the security of personal data as required by Articles 5(1)(f) and 32(1) GDPR. The DPC also found that UL’s initial record of processing activity did not fully comply with the requirements of Article 30(1) GDPR, though UL implemented a compliant record of processing activity in May 2020, after the period assessed by the DPC in this Inquiry. The DPC found that three breach notifications were filed more than 72 hours after UL became aware of them, and were not reported without undue delay in accordance with Article 33(1) GDPR. With respect to Article 34(1) GDPR, UL failed in three cases to inform persons affected by a high-risk breach without undue delay. The DPC therefore found infringements of Articles 5(1)(f), 32(1), 30(1), 33(1), and 34(1) of the GDPR.
The DPC’s decisions on corrective measures took account of UL’s significant steps to remediate the deficiencies in its processing of personal data identified in this inquiry. Based on the details of those improvements provided by UL in its submissions, the DPC has decided that it is not necessary or proportionate for it to issue an order for UL to bring that processing into compliance with the GDPR. The DPC’s acknowledgement of those improvements does not however relieve UL of its obligation to continually evaluate the effectiveness of its measures and the measures that are necessary to ensure a level of security that is appropriate to the dynamic risk presented by its processing.
Having carefully considered the infringements identified in this Decision, the DPC has decided to exercise certain corrective powers in accordance with section 115 of the 2018 Act and Article 58(2) GDPR. The corrective powers that the DPC has decided are appropriate to address the infringements in the particular circumstances are:
- A reprimand to UL pursuant to Article 58(2)(b) GDPR in respect of its infringements of Articles 5(1)(f) and 32(1) GDPR, Article 30(1) GDPR, Article 33(1) GDPR and Article 34(1) GDPR; and
- Administrative fines for the infringements of Articles 5(1)(f) and 32(1) GDPR, Article 30(1) GDPR, Article 33(1) GDPR and Article 34(1) GDPR.
The administrative fines issued for the above infringements are as follows:
1. In respect of UL’s infringement of Articles 5(1)(f) and 32(1) GDPR, an administrative fine of €45,000;
2. In respect of UL’s infringement of Article 30(1) GDPR, an administrative fine of €3,000;
3. In respect of UL’s infringements of Article 33(1) GDPR, an administrative fine of €35,000;
4. In respect of UL’s infringements of Article 34(1) GDPR, an administrative fine of €15,000.
The DPC commends the tenor and tone of UL’s engagement with the DPC since being presented with the DPC’s proposed findings in a draft version of its Decision. These fines are substantially lower than the maximum fines proposed in the draft Decision. The final fines reflect the mitigation occasioned by UL accepting the majority of the findings in the draft Decision, acknowledging responsibility for significant infringements, and proactively taking steps to improve its systems, training, and policies, in order to reduce the likelihood of similar breaches occurring in the future.
The full decision can be downloaded at this link: Inquiry into University of Limerick December 2025 (16MB, PDF).
About this page
Source document text, dates, docket IDs, and authority are extracted directly from DPC.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.