Readers like you keep news free for everyone.

More than 5,000 readers have already pitched in to keep free access to The Journal.

For the price of one cup of coffee each week you can help keep paywalls away.

Support us today
Not now
Dublin: 16°C Wednesday 17 August 2022

Aer Lingus exposed over 100 job applicants' details in an email blunder

Candidates’ email addresses were accidentally shared with other jobseekers.

Image: Brian Lawless/PA Wire/PA Images

AER LINGUS REVEALED the email addresses of more than 100 people who applied for a communications job, potentially exposing their identities to other candidates through the blunder.

The IAG-owned airline apologised to the group four days after the job-hunters had their information shared in a 3 January group email.

In the correspondence, seen by Fora, Aer Lingus explained that candidates’ email addresses had been “inadvertently included” in a mass communication because their details were pasted in the ‘cc’ instead of the ‘bcc’ field.

More than 100 email addresses were shared in the original communication, which was sent after candidates completed an online test as part of their application for the communications specialist role.

“Aer Lingus would like to apologise to you for this mistake,” the airline told the affected jobseekers.

“Privacy is of the utmost importance to Aer Lingus and we are reviewing our processes to prevent this happening again.

“We are investigating how this occurred and will be taking actions to prevent any recurrence in the future which will include further training with relevant agents.”

Aer Lingus invited those who were affected to submit questions or comments directly to the company by emailing its data protection officer.

Brexit Aer Lingus CEO Sean Doyle Source: Brian Lawless/PA Wire/PA Images


When contacted by Fora, a spokesman for the Data Protection Commission said the privacy watchdog had not been notified by Aer Lingus about the email blunder and it had not received any complaints from those affected by the incident.

Under EU-wide GDPR rules, which came into force last year, organisations must notify the commission of a personal data breach within 72 hours of becoming aware of it, unless the breach is “unlikely to result in a risk to the rights and freedoms of a natural person”.

The regulations state that people’s rights and freedoms may be at risk if personal data processing leads to “physical, material or non-material damage” such as identify theft or fraud, damage to the reputation, or the loss of confidentiality.

Organisations face hefty fines if they are found to have breached the data protection rules.

In a statement, an Aer Lingus spokeswoman said it had “taken steps to prevent a recurrence of such an incident” – although it did not believe the matter required reporting to the Data Protection Commission. 

Making a difference

A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article.

Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

For the price of one cup of coffee each week you can make sure we can keep reliable, meaningful news open to everyone regardless of their ability to pay.

“(GDPR rules state) that data breaches are not reportable … in circumstances where the breach is unlikely to result in a risk to the rights and freedoms of natural persons,” she said.

“Accordingly, given the nature of this incident, Aer Lingus was not of the view this threshold had been reached.”

She added that Aer Lingus had not received complaints from any of the email’s recipients about the incident.

Get our NEW Daily Briefing with the morning’s most important headlines for innovative Irish businesses.

Written by Conor McMahon and posted on

About the author:

Fora Staff

Read next:


This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
write a comment

    Leave a commentcancel