The Home Office has apologised to the Windrush generation again after admitting it wrongly shared 500 private email addresses while launching the compensation scheme. In what is being described as an “administrative error” by Immigration Minister Caroline Nokes has led to a breach of data protection rules. An internal review has been launched and the matter has been referred to the Information Commissioner.
Twitter Reaction:
Oooh – Could this be subject to the first #GDPR fine issued by @ICOnews? > BBC News – #Windrush: Home Office admits data breach in compensation scheme https://t.co/JKUTjuaVpJ
— Ibrahim Hasan (@IbrahimH_Lawyer) April 9, 2019
And the beat goes on and on as the agony of the Windrush #hostileenvironment is prolonged. First the Home Office couldn't find data on Windrushers and now they are giving it away freely!!
Windrush: Home Office admits data breach in compensation scheme https://t.co/gTCwMUVQwF
— Callton Young (@CalltonYoung) April 8, 2019
Government announce plans for "duty of care" online safety laws https://t.co/gSH9FbRkFB
Home Office admits to Windrush compensation data breach https://t.co/WqCV4KKboJ— Mr Ethical (@nw_nicholas) April 8, 2019
Experts Comments:
Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG:
“Even though there are technologies available in the Cybersecurity market for masking or anonymising email addresses, this breach was mainly due to a poor, human based-decision. More organizations need to enable data protection of personal or sensitive info to ‘automatically’ occur, upon creation of the data, so that ‘accidental insider’ events like this happen less often. The data-centric security model adheres to this and is starting to gain momentum with organizations who want to stay out of the news headlines and restore data privacy.”
Tony Pepper, CEO at Egress Software:
“Immigration minister, Caroline Nokes, has again apologised to the Windrush generation after about 500 private email addresses were mistakenly shared with recipients of a mailing list for the compensation scheme. When this accidental incident occurred, there was no safety net and no way of alerting the sender of the mistake. This is a common error that we’ve also seen in our recent research, where 45% of employees who accidentally shared information sent it to the wrong person.
Traditional solutions to prevent inbound and outbound data breaches – such as firewalls, endpoint security, encryption and malware scanning – have little to no impact on accidental incidents, as they can’t stop someone from doing something like sending an email to multiple recipients using To/Cc instead of Bcc. This is because they can’t tell the difference between ‘good’ and ‘bad’ user behaviour (whether accidental or malicious).
While organisations typically prioritise the malicious outsider over the accidental insider threat, the latter has been fundamentally underestimated. With intelligently applied machine learning and big data analysis combined with a people-centric approach to technology and awareness programmes, it is possible to mitigate against such human errors and enhance organisations’ cybersecurity.”
Tim Sadler, CEO at Tessian:
“Everyone knows that sinking feeling when an email is sent to the wrong person. But in this case, a simple ‘administrative error’ has meant highly sensitive information has landed in the wrong hands and put personal data at risk.
“Misdirected emails are consistently one of the main forms of data security incident reported to the ICO. This incident highlights the importance of cybersecurity and data protection policies that focus on protecting people in order to prevent breaches caused by human error, if not only to protect the sensitive data organisations hold but also to prevent the headlines that cause reputational damage.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.