Watford Community Housing (WCH) sent out an unencrypted spreadsheet with 3,544 rows of personal information on its tenants, including names, addresses, dates of birth, religion, sexual orientation, ethnic origin and disability status. It’s not yet been confirmed if any of these individuals are subject to witness protection orders in court proceedings.
Watford Community Housing Trust Data Breach ⚠️ An email was sent to thousands of people with an attachment containing the personal details of 3,545 people. If you have been affected then get in touch with us to see how we can help you claim compensation. https://t.co/1njKnyI74g pic.twitter.com/lvcO4Un1dE
— Data Breach Help (@Databreach_help) March 24, 2020
Email is a vulnerable medium. As this unfortunate data leak shows, even the best IT security tools are not infallible against human behaviour: a perimeter that blocks inbound malware does nothing to stop a staff member attaching the wrong file to an outbound message. This incident again reinforces the need for “data centric” security technologies, which protect the data itself at source rather than the network or the mailbox, so that a single human error does not automatically become a disclosure. If Watford Community Housing had had such technologies in place, they could have stopped this highly sensitive information from being sent without prior approval, and, had the file been encrypted with keys held by the organisation, prevented it from being opened by the unintended recipients. All organisations, especially those that handle sensitive personal data, have a duty of care to prioritise data protection and prevent incidents like this taking place.
To prevent incidents like this (which was an accidental disclosure rather than an attack) and safeguard sensitive information, organisations must have full visibility and control over their data. This can be accomplished by leveraging multi-faceted solutions that defend against malware on any app or endpoint, enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage, for example by inspecting outbound attachments for bulk personal data before they leave the organisation.
Watford Community Housing should be commended for a responsible disclosure and a prompt response, which will make all the difference to maintaining the trust of those affected by this breach.
However, it’s important to note here that the reasons behind this breach are relatively unsophisticated and highlight a fundamentally poor operational practice. Sending files over email, particularly unencrypted files, is always risky. This incident shows that if you do this in error, there is no reliable way of recalling that data once it has been sent: the “recall” features in mail clients only work within the sender’s own mail system, and even then only under limited conditions, so once a message has been delivered to external mail servers it is out of your control. Your only recourse is to politely request that the unintended recipients delete it.
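The “prevent data leakage” and “prior approval” controls described above, and the point that a bulk tenant spreadsheet should never reach an outbound message unchecked, can be illustrated with a small outbound-attachment check. The following is an added example written for this page, not code from Watford Community Housing or from any vendor quoted here. The header keyword lists, the row thresholds, the action names and the sample CSVs are all constructed assumptions; a real deployment would plug into the mail gateway or DLP product and use the organisation’s own data classification.

```python
"""Outbound attachment check: flag spreadsheets that carry bulk or
special-category personal data before an email leaves the organisation.

Added illustration for this page; not Watford Community Housing's code and
not any vendor's product. Keyword lists, thresholds and sample data are
constructed assumptions.
"""
import csv
import io
import re

# Header keywords suggesting GDPR Article 9 "special category" data (assumed list).
SPECIAL_CATEGORY = {
    "religion": r"relig",
    "sexual orientation": r"sexual|orientation",
    "ethnic origin": r"ethnic|race",
    "disability": r"disab",
    "health": r"health|medical",
}

# Direct identifiers that make a row personal data on its own (assumed list).
IDENTIFIERS = {
    "name": r"\bname\b|forename|surname",
    "address": r"address|postcode",
    "date of birth": r"\bdob\b|birth",
    "email": r"e-?mail",
    "phone": r"phone|mobile",
}

# Policy thresholds (assumed): a small set of personal data may leave with
# approval; special-category data or a bulk export is blocked outright.
APPROVAL_ROWS = 10
BULK_ROWS = 100


def _match(headers, patterns):
    """Return the labels whose pattern matches at least one column header."""
    found = []
    for label, pattern in patterns.items():
        if any(re.search(pattern, h, re.IGNORECASE) for h in headers):
            found.append(label)
    return found


def classify_csv(csv_text):
    """Describe the personal-data content of a CSV attachment by its headers."""
    reader = csv.reader(io.StringIO(csv_text))
    try:
        headers = [h.strip() for h in next(reader)]
    except StopIteration:  # empty file: no headers, no rows
        headers = []
    # Count non-blank data rows: the volume matters as much as the columns.
    rows = sum(1 for row in reader if any(cell.strip() for cell in row))
    return {
        "rows": rows,
        "identifiers": _match(headers, IDENTIFIERS),
        "special_category": _match(headers, SPECIAL_CATEGORY),
    }


def decide(report, external_recipient=True, approved=False):
    """Map a classification to a gateway action (assumed action names)."""
    if not report["identifiers"]:
        return "allow"  # no direct identifiers: not personal data by this check
    if not external_recipient:
        return "allow"  # internal mail is outside this policy's scope
    if report["special_category"] or report["rows"] >= BULK_ROWS:
        return "block"  # never leaves by plain email, regardless of approval
    if report["rows"] >= APPROVAL_ROWS:
        return "allow" if approved else "hold_for_approval"
    return "allow"


def check_attachment(csv_text, external_recipient=True, approved=False):
    """Classify an attachment and attach the resulting action to the report."""
    report = classify_csv(csv_text)
    report["action"] = decide(report, external_recipient, approved)
    return report


# Constructed sample in the shape of a tenant export; all values are fabricated.
SAMPLE_TENANTS = """\
Name,Address,DOB,Religion,Sexual Orientation,Ethnic Origin,Disability
A. Tenant,1 Example Road,1980-01-01,None,Prefer not to say,White British,No
B. Tenant,2 Example Road,1975-06-30,Christian,Heterosexual,Asian,Yes
C. Tenant,3 Example Road,1990-12-12,Muslim,Prefer not to say,Black African,No
"""

# Constructed sample with no personal data, to show the allow path.
SAMPLE_STOCK = """\
Item,Quantity,Location
Boiler part,4,Depot A
"""

if __name__ == "__main__":
    for label, text in (("tenants", SAMPLE_TENANTS), ("stock", SAMPLE_STOCK)):
        print(label, check_attachment(text))
```

Even three fabricated rows of the tenant-shaped file are blocked, because the decision keys on the special-category columns rather than on volume alone; the stock list passes untouched. A header-based check like this is deliberately cheap so it can run on every outbound message, and it errs on the side of holding a message for a human decision rather than silently letting it through.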
Notwithstanding the breadth of technology now available to organisations, email has never been a good tool for sharing personal information. It can all too easily end up in the wrong hands and – as this organisation clearly knows – put you square in the sights of the ICO. With GDPR enforcement still in relatively early days, this small error could add up to a significant financial cost.