Mermaids UK, a charity organisation that works for the empowerment of gender variant and transgender children, recently admitted that it suffered a data breach that exposed internal emails from 2016 and 2017, some of which contained personal information of an unknown number of individuals supported by the charity firm.
The announcement from the charity firm came after The Sunday Times revealed that a large number of internal emails that contained “intimate details of the vulnerable youngsters” were available to view on the Internet by simply searching for the charity name and its charity number.
According to BBC, over 1,100 internal emails were exposed on the Internet, included correspondence between executives at Mermaids, and “were shared to a private group on a private messaging platform”.
Mermaids claims exposed data was not accessed by third parties
“On the afternoon of Friday 14th June Mermaids was made aware of a data breach. We are grateful to the Sunday Times for bringing it to our attention. Mermaids immediately took action. The same day Mermaids notified the Information Commissioners Office (ICO). The breach was also immediately remedied.
“The scope of the breach was that internal Mermaids emails from 2016 and 2017 in a private user group were available on the internet, if certain precise search-terms were used. Mermaids understands that the information could not be found unless the person searching for the information was already aware that the information could be found,” the charity firm said in a press release.
“The material mainly consisted of internal information involving full and frank discussion of matters relevant to Mermaids, but unfortunately included some information identifying a small number of service users. Mermaids has contacted these people.
“The information, seen in its actual and proper context, is normal internal information for a group such as Mermaids. The information shows Mermaids takes its responsibilities seriously and that there is candid internal consideration of all issues.
“So the overall position is that there was an inadvertent breach, which has been rapidly remedied and promptly reported to the ICO, and there is no evidence that any of this information was retrieved by anybody other than the Sunday Times and those service users contacted by the journalist in pursuit of their story,” it added.
Last year, charity firm Age UK suffered a major data breach that compromised personal details of over 5,000 existing and past employees. Information compromised by the incident included names, dates of birth, e-mail addresses and national insurance numbers.
‘We can confirm that Age UK has had two recent, unrelated data security incidents concerning information held by Age UK about Age UK employees. The information did not include bank details or passwords and we are not aware of any actual or attempted misuse of this personal data,’ said a spokesperson for Age UK.