Politics

Munster Technological University cyberattack response cost €3.5m, PAC told

State facing ‘significant’ potential loss as training board funds in non-interest bearing account, Comptroller and Auditor General says

The response to a 2023 cyberattack on Munster Technological University resulted in direct costs of €3.5 million, the Public Accounts Committee was told.
The response to a 2023 cyberattack on Munster Technological University resulted in direct costs of €3.5 million, the Public Accounts Committee was told.
Cormac McQuinn
Thu May 15 2025 - 18:46

The cost of a cyberattack on a university, a “high-risk” data breach at an education and training board, and instances of noncompliance with the spending rules have been highlighted by the State’s spending watchdog.

Comptroller and Auditor General (C&AG) Seamus McCarthy on Thursday updated the Dáil Public Accounts Committee (PAC) on more than 100 financial statements of State bodies, including several from the education and health sectors, most of which related to 2023.

The committee was told that the response to a 2023 cyberattack on Munster Technological University “resulted in direct costs of €3.5 million".

Mr McCarthy also drew TDs’ attention to “a high-risk data breach” at the Dublin and Dún Laoghaire Education and Training Board in March 2023. He said he understood the breach was reported to the Data Protection Commissioner.

READ MORE

Separately, he flagged the impact of a delay in the purchase of a property for €6.5 million by Louth and Meath Education and Training Board, “where the funds are being held in a non-interest-bearing account since September 2023”.

He said he understood “those funds are still in a non-interest-bearing account” and “the transaction hasn’t been completed”.

How can money and time be saved in the cost of tendering for public contracts? ]

Responding to a question from Fine Gael TD Joe Neville on the matter, Mr McCarthy said he would not estimate how much could have been lost in terms of interest on the €6.5 million, but that “the potential loss of value to the State is significant”.

The CA&G routinely highlights instances of non-compliant procurement where the sums exceed €500,000 at a body under his remit. Non-compliant procurement can involve purchases that do not go through competitive tender processes, in some cases due to exceptional circumstances or time constraints.

Mr McCarthy said there was €4.4 million in non-compliant procurement by University College Dublin (UCD) in 12 months over 2022 and 2023.

He told the committee that UCD set out how this expenditure related to 33 suppliers, adding: “I suspect it’s [the €4.4 million] made up of a considerable list of relatively smaller amounts.”

Later, Mr McCarthy told the committee that while St James’s Hospital reported that 86 per cent of its €256 million in procurement was compliant, this “would imply that an estimated €35.4 million" was non-complaint.

He also highlighted how procurement noncompliance at Beaumont Hospital was an estimated €18.5 million.

The C&AG said that non-compliant procurement has been a focus of interest of the PAC in the past and “I think good progress has been made in bringing down both the number and value of non-compliant procurement”.

  • Join The Irish Times on WhatsApp and stay up to date

  • Listen to our Inside Politics podcast for the best political chat and analysis

  • Get the Inside Politics newsletter for a behind-the-scenes take on events of the day

Cormac McQuinn

Cormac McQuinn

Cormac McQuinn is a Political Correspondent at The Irish Times