West Sussex County Council has apologised to numerous business owners for an ironic data breach that occurred in the process of inviting them to a cybersecurity event.
The Council, based in Chichester, sent an invite to some 200 individuals’ email addresses but put them in a visible recipient field instead of using ‘blind carbon copy’ (Bcc), so every recipient could see everyone else’s address.
It is a common form of breach, and one that has had grave consequences in other cases, such as that of the 56 Dean Street Clinic, which revealed the personal details of patients using its HIV services; we are helping people affected by that incident to claim.
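The mechanism behind this kind of breach, and the check that prevents it, as an added example (this is not the Council’s or this page’s own code). It builds the same 200-recipient invite two ways: once with every address in a visible Cc header, and once with the addresses held only in the SMTP envelope, then applies a pre-send guard that refuses any message exposing more than a handful of third-party addresses. The sender address, the recipient list and the threshold of five visible addresses are constructed assumptions for the demo.

```python
"""Bulk mailing: keep recipients out of the visible headers, and refuse to
send if they leak into To/Cc. All addresses below are constructed samples."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (assumption, not real addresses)
SENDER = "grants@example.gov.uk"
RECIPIENTS = [f"owner{i}@business{i}.example" for i in range(200)]


def build_invite_wrong(sender, recipients, subject, body):
    """The mistake: every address in a visible header (Cc), so each of the
    200 recipients sees all the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_invite_bcc(sender, recipients, subject, body):
    """The fix: recipients travel only in the SMTP envelope (RCPT TO).
    The To header names the sender's own mailbox, so the message body
    and headers never contain another recipient's address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    # Envelope recipients are returned separately and never written into the message.
    return msg, list(recipients)


def visible_recipients(msg):
    """Addresses any recipient will see: To and Cc, plus a Bcc header if the
    sender forgot to strip it before transmission."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg, envelope, max_visible=5):
    """Pre-send guard: block a message that would expose more than max_visible
    third-party addresses, i.e. a bulk mailing that should have used Bcc.
    Returns (ok, reason). The threshold of 5 is an assumption for the demo."""
    sender = getaddresses(msg.get_all("From", []))[0][1]
    exposed = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    if len(exposed) > max_visible:
        return False, (f"{len(exposed)} recipient addresses would be exposed; "
                       "use Bcc / envelope-only delivery")
    if "Bcc" in msg:
        return False, "Bcc header present; strip it before transmission"
    return True, f"ok: {len(envelope)} envelope recipients, {len(exposed)} visible"


def send(msg, envelope, smtp):
    """smtp is an open smtplib.SMTP connection. send_message() takes the envelope
    recipients explicitly and drops any Bcc header before transmission, so the
    guard above is the only thing standing between a To/Cc mistake and 200
    inboxes."""
    ok, reason = check_before_send(msg, envelope)
    if not ok:
        raise ValueError(reason)
    return smtp.send_message(msg, from_addr=msg["From"], to_addrs=envelope)


if __name__ == "__main__":
    for builder in (build_invite_wrong, build_invite_bcc):
        msg, env = builder(SENDER, RECIPIENTS, "Cybersecurity event", "You are invited.")
        print(builder.__name__, check_before_send(msg, env))
```

The guard is deliberately placed in the sending path rather than left to the person composing the message: the Council’s error was a one-click choice of the wrong field, and a control that only works if nobody ever clicks the wrong field is not a control. The same count-of-visible-addresses rule can be enforced at the mail gateway as an outbound DLP policy for organisations that cannot change the client.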
“An email invite was sent to email addresses supplied by organisations applying for county council grants. As a result of a complaint, we have taken steps to recall the message. We apologise for any inconvenience this may have caused,” said a spokesperson for the council.
Unfortunately, by its nature a data breach cannot simply be ‘recalled’ and retracted: a message recall only works where the recipient’s mail system honours the request and the message has not already been read, forwarded or copied.
A spokesman said that the incident was not a “serious data breach” and was not significant enough to be reported to the data protection regulator. However, the incident is another example of what can happen when an organisation lacks data protection training or working protocols, and many other organisations have made the same costly mistake.
The timing of the breach drew further criticism, as the email was sent only days after the BBC revealed the Information Commissioner’s Office’s (ICO) investigation into West Sussex County Council for accidentally uploading confidential information about some 1,400 carers, foster carers and disabled people. The BBC report noted that the information was left online for seven years.
A spokesperson for the Council said “as soon as the problem was reported to us, we removed the spreadsheet from the website in under 29 hours.” Councils, especially when running cybersecurity campaigns, should not have to be told about their own data breaches by members of the public; they should have working data protection protocols that prevent breaches and detect them when they occur.
The Council tried to play down the damage by saying only the payment amounts and the recipients of the benefits were exposed in the spreadsheet. It noted that names were the only personally identifiable information compromised, but that is already significant: anyone who accessed the spreadsheet in those seven years could recognise friends, family or acquaintances listed in it, and a name combined with a benefit type is itself sensitive information.
A spokesperson for the council admitted that people with malicious intent could use the information for personal gain:
“… we accept that persons seeking to identify individuals could do so in some cases by making additional checks through other data sources.”
All organisations, private businesses and county councils alike, need to give data protection the respect it deserves and prioritise keeping people’s information safe. It is only months before the EU General Data Protection Regulation takes effect, raising the maximum fine to 20 million euros or 4% of the offending organisation’s annual global turnover, whichever is higher.
West Sussex County Council may need to overhaul its data protection security and protocols if it is to be compliant by the time the GDPR applies.