Email addresses of hundreds of West Ham football club supporters were exposed when the club sent out a bulk email to fans who had secured tickets for the Carabao Cup match against AFC Wimbledon but pasted all the email addresses in the ‘To’ field instead of in the ‘bcc’ field.
According to screenshots accessed by The Sun, personal email addresses of as many as 186 West Ham supporters were leaked by the club employee who sent out the email.
The march of ‘human error’ continues
Human error has long been considered a principal factor behind a spate of data breaches suffered by organisations, even when those organisations were not specifically targeted by external attackers. With organisations relying so heavily on email, web applications and websites to communicate with customers and third parties, a lack of adequate training in basic cyber hygiene will, sooner or later, expose the personal details of recipients to the rest of the world.
According to figures released by the Information Commissioner’s Office, the bulk of data security incidents suffered by the healthcare sector alone in 2017-18 was due to carelessness and inadvertent errors on the part of employees. For example, out of 349 data breach incidents, 72 occurred due to data being faxed or posted to incorrect recipients, 49 due to loss or theft of paperwork, 45 due to data sent by email to incorrect recipients, 27 due to data left in an insecure location, 13 due to failure to redact data, and 6 due to failure to use bcc when sending email.
Pasting email addresses into the ‘To’ field instead of the ‘bcc’ field has happened many times in the past, forcing organisations to apologise to affected customers or to face regulatory action for such careless mistakes. The distinction matters because every address in ‘To’ or ‘Cc’ is written into the message headers that each recipient receives, whereas ‘bcc’ recipients are carried only in the delivery envelope and are stripped from the headers before the message is sent.
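To make the To/bcc distinction concrete, the following Python example (added here; it is not code from the article or from any of the organisations it names) builds a bulk notification the safe way, with the recipient list kept in the SMTP envelope and a placeholder group in ‘To’, then builds the mistaken version that pastes every address into ‘To’, and runs both through a simple outbound guard that refuses to send a message exposing more than a threshold of recipient addresses. The club addresses, the `tickets@club.example` sender and the threshold of 10 visible recipients are constructed for the example.

```python
from email.message import EmailMessage

# Hypothetical outbound policy: a notification may expose at most this many
# recipient addresses in its To/Cc headers. A bulk mailing should expose none.
MAX_VISIBLE_RECIPIENTS = 10

# Constructed sample recipient list (186 addresses, like the West Ham incident;
# not the real leaked list).
FANS = [f"fan{i}@example.com" for i in range(1, 187)]


def build_bulk_notice(sender, recipients, subject, body):
    """Build one message whose headers reveal no recipient addresses.

    The recipient list is returned separately as the SMTP envelope and is
    never written into To, Cc or Bcc. smtplib.SMTP.send_message(msg,
    to_addrs=envelope) would deliver it; it also strips any Bcc header, but
    keeping the list out of the headers altogether leaves nothing to leak if
    the message is forwarded, archived or logged.
    """
    msg = EmailMessage()
    msg["From"] = sender
    # RFC 5322 empty group: syntactically valid and names nobody.
    msg["To"] = "Undisclosed recipients:;"
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted(set(recipients))  # de-duplicated envelope recipients
    return msg, envelope


def mistaken_notice(sender, recipients, subject, body):
    """The error described in the article: every address pasted into To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Return the addresses any recipient could read from the To/Cc headers.

    EmailMessage uses email.policy.default, so each header value is parsed
    into address objects; group syntax with no members yields no addresses.
    """
    addrs = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            addrs.extend(a.addr_spec for a in header.addresses)
    return addrs


def check_outbound(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Outbound guard: (ok, reason). Refuses messages that expose other recipients."""
    exposed = visible_recipients(msg)
    if len(exposed) > max_visible:
        return False, (f"{len(exposed)} addresses visible in To/Cc "
                       f"(limit {max_visible}); move them to the envelope or Bcc")
    return True, "ok"


if __name__ == "__main__":
    safe, envelope = build_bulk_notice("tickets@club.example", FANS,
                                       "Ballot result", "You were successful.")
    bad = mistaken_notice("tickets@club.example", FANS,
                          "Ballot result", "You were successful.")
    print("safe message:", check_outbound(safe), "envelope size", len(envelope))
    print("mistaken message:", check_outbound(bad))
```

In practice the guard belongs at the outbound gateway or in the mailing tool, not in the hands of whoever drafts the message, because the person who pastes 186 addresses into ‘To’ is the one least likely to notice the mistake.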
In July, the ICO fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000 for failing to protect the identities of possible victims of child abuse after a human error exposed those identities to third parties.
The ‘human error’ occurred in February last year when, instead of putting the e-mail addresses of possible child abuse victims in the ‘bcc’ field, an employee erroneously pasted the e-mail addresses of 90 Inquiry participants into the ‘To’ field.
“This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen. People’s e-mail addresses can be searched via social networks and search engines, so the risk that they could be identified was significant,” said Steve Eckersley, Director of Investigations at the ICO.
West Ham apologises for the error
After realising that the personal email addresses of hundreds of fans had been exposed by the offending email, West Ham recalled it and sent another email to affected fans, stating that the breach had occurred because of an inadvertent error and that it had informed the Information Commissioner’s Office about the incident.
“You may have received an email that included a segment of email addresses of those who were also successful in the ballot. The Club apologises that this information was inadvertently included and has reported this matter to the Information Commissioner’s Office.
“The email was recalled where possible and we ask that if you did receive this email to please disregard it immediately. Beyond your email address, no other information has been shared.
“The Club will take the necessary steps to review and amend the process with the view to prevent this from happening again,” the email read.
Firms need to do more to protect customer data
Even though the number of affected victims in this case is not in the thousands, organisations that support or provide services to a large number of people need to ensure that they have complete visibility into how the personal details of customers are stored, processed and disseminated.
For instance, the personal details of thousands of children with special needs or in care were exposed after Leicester City Council shared them with as many as 27 travel companies. The details were stored in an Excel sheet which a council employee attached to an e-mail sent to the travel firms to invite fresh tenders for transporting vulnerable children.
The Council recalled the email a full 24 hours after it was sent, so it cannot be said for sure whether the document was downloaded and distributed by unauthorised third parties. A recall in any case only removes unread copies from mailboxes within the sender’s own mail system; it cannot retrieve a message already delivered to an external provider.
The £200,000 fine imposed by the ICO on IICSA cannot be considered a huge fine, as it was levied under the Data Protection Act 1998, which capped the fines the watchdog could impose at a maximum of £500,000.
If the ICO decides to impose an equivalent penalty on West Ham for a similar error, the monetary fine could be much larger, because the new data protection regime, which is based on GDPR, authorises the ICO to levy fines of up to €20 million or 4 percent of global annual turnover (whichever is higher).
Image Source: West Ham United