Perth and Kinross Council recently joined the league of local councils in the UK who have, in the recent past, exposed personal details of thousands of citizens due to human error on the part of their employees.
Email addresses of over 1,000 local landowners were exposed by the Perth and Kinross Council when one of the Council’s employees sent an email to all of them without masking their email addresses. The Council later sent another email to all landowners and asked them to disregard the previous email.
The breach of email addresses of over 1,000 landowners was later reported by the Council to the Information Commissioner’s Office. “We take our responsibilities as a controller of personal data extremely seriously, and have reminded all staff of the importance of protecting that,” the Council said.
Incidentally, the Council's website is still served over plain HTTP rather than the standard HTTPS, and relies on an outdated certificate. Certificates signed with the deprecated SHA-1 algorithm are considered weak, and traffic to a site served over HTTP can be intercepted and manipulated, giving hackers a route to take control of what visitors to the website see.
‘Human error’ featuring regularly in cyber security incidents
This isn’t the first time that employees at local councils in the UK have been found guilty of committing basic errors when handling personal information of citizens, and we fear this won’t be the last. What’s worse is that such errors are not limited to local councils but are also committed by employees at many private and government organisations on a regular basis.
Considering that organisations based in the UK have been at the receiving end of millions of cyber attacks in the past few years, from domestic hackers as well as from hackers operating from hostile countries, necessitating the arrival of a strong data protection law, what the country doesn’t need is the breach of personal records of thousands of citizens even when organisations are not targeted by cyber crime.
Earlier this year, thousands of children with special needs or in care were rendered vulnerable after their personal details were shared by the Leicester City Council with as many as 27 travel companies.
Their details were stored in an Excel sheet which was attached to an e-mail by a council employee. The e-mail was then sent to the travel firms to attract fresh tenders for transporting vulnerable children.
Last year, the Basildon Council in Essex was fined £150,000 by the Information Commissioner’s Office for disclosing sensitive personal information in a planning application. In the said application, the Council had revealed sensitive personal information about a traveller family which stayed in a green belt zone for several years. Leaked personal details included mental health issues and other disabilities.
Do employees know what ‘bcc’ means?
As recently as last week, email addresses of hundreds of West Ham football club supporters were exposed when the club sent out a bulk email to fans who had secured tickets for the Carabao Cup match against AFC Wimbledon but pasted all the email addresses in the ‘To’ field instead of in the ‘bcc’ field. The same mistake was committed by the employee at Perth and Kinross Council this week.
The pasting of email addresses in the ‘To’ field instead of in the ‘bcc’ field has occurred many times in the past, forcing organisations to apologise to affected customers or to face regulatory action for such careless mistakes.
In July, the ICO fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000 for failing to protect the identity of possible victims of child abuse after a human error compromised identities of such victims to third parties. Instead of putting e-mail addresses of possible child abuse victims in the ‘bcc’ field, the employee erroneously pasted e-mail addresses of 90 Inquiry participants in the ‘To’ field.
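The incidents above share one failure mode: a bulk notice whose recipient list is visible to everyone who receives it. The following is an added example, not code from the article or from any of the organisations it names, showing how a mailing helper can make that mistake structurally impossible and how a pre-send check can catch it when a message is built by hand. The sender address, recipient list and policy threshold are constructed for illustration; Python's standard `email` package is used as-is.

```python
"""Guarding against the 'To instead of bcc' disclosure when sending bulk notices.

Added example. Addresses below are constructed; nothing here is a real mailing list.
"""
from email.message import EmailMessage

# Constructed sample data: a no-reply sender and a small recipient list.
SENDER = "notices@council.example"
RECIPIENTS = [
    "landowner.one@example.com",
    "landowner.two@example.com",
    "landowner.three@example.com",
]

# Policy (constructed): at most one visible address, the sender's own, in To/Cc.
MAX_VISIBLE_RECIPIENTS = 1


def build_bulk_notice(sender, recipients, subject, body):
    """Build a notice that never discloses one recipient to another.

    Every real recipient goes in Bcc; only the sender appears in To. An MTA, and
    Python's smtplib.SMTP.send_message, strips the Bcc header before delivery while
    still using those addresses as envelope recipients.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                   # the only address recipients will see
    msg["Bcc"] = ", ".join(recipients)   # hidden from every recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def careless_notice(sender, recipients, subject, body):
    """Reproduce the mistake described in the article: all addresses pasted into To.

    Kept here only so the pre-send check below has something to reject.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def count_disclosed(msg):
    """Return how many addresses every recipient would be able to read (To + Cc)."""
    disclosed = 0
    for header in ("To", "Cc"):
        value = msg.get(header)
        if value is not None:
            # EmailMessage parses address headers; .addresses gives each mailbox.
            disclosed += len(value.addresses)
    return disclosed


def safe_to_send(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Pre-send gate: refuse any message that would expose more than max_visible addresses."""
    return count_disclosed(msg) <= max_visible


if __name__ == "__main__":
    subject = "Notice to landowners"
    body = "Please disregard the previous message."

    good = build_bulk_notice(SENDER, RECIPIENTS, subject, body)
    bad = careless_notice(SENDER, RECIPIENTS, subject, body)

    print("correct notice discloses", count_disclosed(good), "address(es); safe:", safe_to_send(good))
    print("careless notice discloses", count_disclosed(bad), "address(es); safe:", safe_to_send(bad))
```

The gate is deliberately placed in front of the send call rather than in a policy document: a staff reminder, as the Council issued, does not stop the next paste into the wrong field, whereas a tool that refuses to send a message exposing more than one address does.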
Even though such cyber security breaches are regularly reported by the press, the rate at which such breaches are occurring hasn’t lessened. It remains to be seen if the ICO will impose exemplary fines on erring organisations in the days ahead to force them to sit up and take notice of such basic errors and to take urgent steps to prevent the leakage of sensitive customer data to third parties.