Luas Data Breach: A Heavy Fail For Light Rail?

Author: Ms Sarah Slevin and David Rodgers
Profession: Ronan Daly Jermyn


Luas, and its operating company Transdev (“Luas”), were recently targeted in a cyber attack in which the personal data of over 3,000 users of the Luas website was compromised. As part of the attack, content was removed from the Luas site and a message was posted in its place stating that the perpetrators had control of the site and demanding the sum of one Bitcoin (valued at €3,402 at the time) in ransom. Information security experts have since indicated that the breach was limited to the names and email addresses of those users who accessed the website to send messages to Luas through a standard webpage form. At the time of writing, a limited version of the Luas website has returned to operation, although there has been no indication of when the full site will be reinstated.

The Breach

Under Article 33 of the General Data Protection Regulation (“GDPR”) there is an obligation to notify the relevant body (here being the Data Protection Commission (the “DPC”)) of a data breach unless that breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Given that the only personal data processed by the Luas website was email addresses and names submitted to it (payment for any penalties took place through a third-party service provider), it is arguable that the associated risks were/are minimal. Notwithstanding this, Luas notified the DPC within 72 hours; it is often recommended that any entity which suffers a data breach liaise with the DPC irrespective of the notification requirement. The DPC has stated that they will publish guidelines on when notification is required in due course.

Remember, in addition to notifying the relevant supervisory authority, there may also be a duty, under Article 34 of the GDPR, to inform the affected data subjects when a breach occurs. The threshold for such notification is higher, however, being a “high risk” to the rights and freedoms of the data subjects as a result of the data breach.


As we know, Article 83(5) of the GDPR provides that a data controller may be liable for a fine of up to 4% of global annual turnover or €20 million, whichever is the higher, for more significant breaches of the GDPR. However, this particular breach may be more likely to be found to contravene Article 32 on security of personal data, in which case the maximum fine would be the higher of 2% of global turnover or €10 million.

The degree to which the target of a data breach complies with their...
