The Leicester City Council leaked personal details of potentially thousands of children with special needs in an e-mail it sent to 27 travel companies on Tuesday.
Leicester City Council recalled the e-mail over 24 hours after it was sent but it cannot be confirmed if the contents of the e-mail were downloaded or misused by third parties.
In a case of another massive breach of sensitive data owing to poor cyber hygiene or a lapse in judgment, thousands of children with special needs or in care were rendered vulnerable after their personal details were shared by the Leicester City Council with as many as 27 travel companies.
Their details were stored in an Excel sheet which was attached to an e-mail by a council employee. The e-mail was then sent to the travel firms to attract fresh tenders for transporting vulnerable children.
After Leicester City Council discovered the breach, it recalled the e-mail and asked recipients not to download the said attachment and to delete the e-mail permanently from their inboxes.
‘[The original] email had a large file attached to it called ‘Taxi Tender Live v 3′ that contains passenger information and was sent in error to your company. Please delete this email. Please then delete the email from your “Deleted items” folder. Please do not try to open or read it,’ the recall e-mail read.
Considering that the recall message was sent to all recipients over 24 hours after the original e-mail was sent by the Council, it cannot be said for sure if the said document was downloaded and distributed by unauthorised third parties.
‘We are talking children the court has taken action to protect from someone who would put them at risk and the council is potentially the organisation leaking their address. There is no guarantee this has not been copied and spread, we cannot put the genie back in the bottle,’ said Councillor Ross Grant to BBC.
A spokesperson for the Council later said that the Council takes data protection and confidentiality very seriously and is investigating the breach. The council also said that it will report the incident to the Information Commissioner’s Office.
Back in 2015, a study by privacy campaign group Big Brother Watch revealed that in the three years between 2011 and 2014, there were 4,236 data breaches at local councils, including 401 instances of data loss or theft. At the same time, there were 628 instances of incorrect or inappropriate data being shared in emails, letters and faxes and on 658 occasions, children’s information was involved in the breaches. However, only one in every ten data breaches resulted in disciplinary action, thereby explaining why such breaches continue to occur today.
Last year, the Basildon Council in Essex was fined £150,000 by the Information Commissioner’s Office for disclosing sensitive personal information in a planning application. In the said application, the Council had revealed sensitive personal information about a traveller family which stayed in a green belt zone for several years. Leaked personal details included mental health issues and other disabilities.
If the Information Commissioner’s Office discovers that the Leicester City Council failed to protect sensitive data of vulnerable children and finds it liable for the latest breach, it may levy an equal fine on the Council and thereby send a stern message to local councils who do not take data protection or confidentiality seriously enough.