In yet another instance of a lack of oversight resulting in the breach of personal data, names and email addresses of about 2,000 students at the University of Hertfordshire were leaked when a bulk email addressed to all of them contained an attachment that included such details in plain text.
The leak of names and email addresses of students at the University of Hertfordshire took place when the University’s Creative Arts school sent an email addressed to a group of students, asking them to attend a lecture to be delivered by artist Harold Offeh as part of the school’s “Thinking Through Making” programme. The email was sent around 11 AM on 6th November.
“The email was not sent to all students and the incident affected a group of students in one of our schools of study. The relevant students were contacted immediately and the email was recalled.
“We are contacting all affected students with information and advice. We are carrying out an internal investigation and have informed the Information Commissioner’s Office,” the University of Hertfordshire said in a statement.
“This incident reflects how easy it is to make a simple error, such as putting email addresses in the ‘To’ as opposed to the ‘BCC’ field and all of a sudden you have a disclosable event on your hands. It’s one of those types of errors that is near impossible to solve with any form of technology,” said Javvad Malik, security awareness advocate at KnowBe4.
“The only way to address this in a reasonable manner would be to ensure all staff are fully trained and aware of correct procedures and associated security risks. To be effective, this security awareness and training should be an ongoing task so that staff remain up to speed and aware of any dangers that present themselves,” he added.
ICO has been penalising organisations for not preventing data breaches of such kind
The Information Commissioner’s Office has not taken kindly to ommissions in the past that have led to similar data breaches, especially of information belonging to sensitive and vulnerable citizens.
In July last year, the ICO fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000 for failing to protect the identity of possible victims of child abuse after a human error compromised identities of such victims to third parties.
The ‘human error’ occurred in February 2017 when, instead of putting e-mail addresses of possible child abuse victims in the ‘bcc’ field, the employee erroneously pasted e-mail addresses of 90 Inquiry participants in the ‘To’ field.
Gloucestershire Police was also fined £80,000 by the ICO for failing to conceal the identity of dozens of victims of child abuse, thereby causing immense distress to the affected victims. The breach occurred on 19th December 2016 when an officer at Gloucestershire Police sent a bulk email to 56 recipients to inform them about an update on a case, but instead of putting the e-mail addresses in the ‘bcc’ field, added all the email addresses in the ‘To’ field.
Health insurance company Bupa was also fined £175,000 by the ICO in October last year for failing to prevent a massive data breach in 2017 that compromised personal information of up to 108,000 international health insurance customers.
The breach took place when a malicious employee at Bupa gained access to the company’s customer relationship management system (“SWAN”) that stored personal information of 1.5 million customers, misused his privileged access to steal data of 108,000 customers, and then put up the data for sale on the dark web marketplace AlphaBay that could be accessed via Tor.