Watford Community Housing (WCH) sent out an unencrypted spreadsheet earlier this week to recipients it thought were its tenants, aiming to provide guidance on communication with WCH during the Coronavirus crisis.
The spreadsheet showed 3,544 rows of tenants’ personal information, including names, addresses, dates of birth, religion, sexual orientation, ethnic origin, and disability status – but no financial details.
It has not yet been confirmed if any of these individuals are subject to witness-protection orders or survivors of domestic violence.
The WCH experience is now being cited to the sector as an example of what can go wrong.
However, its response to the error has been praised.
WCH could still face a significant financial penalty under the Data Protection Act 2018, but by responding quickly and decisively, there could be a case for mitigation.
A full internal investigation into the breach is now underway, with WCH liaising with the Information Commissioner’s Office and the Regulator of Social Housing.
In a statement on its website, WCH said: “We are extremely sorry that this has happened, and we will do everything we can to put things right and prevent this from happening in the future.
“We take the security of personal data extremely seriously and will be reassessing our systems and procedures to ensure that this does not reoccur.”
The data-protection sector was quick to have its say.
“This incident again reinforces the need for data-centric security technologies – this would help protect data at source, removing the risk-factor associated with human error,” said Jan van Vliet, VP EMEA at Digital Guardian.
“If [WCH] had had such technologies in place, it could have prevented this highly sensitive information from being sent without prior approval and prevented it from being opened by the recipients.”
Samantha Humphries, security strategist at Exabeam, said WCH should be commended for a responsible disclosure and a prompt response, which would make “all the difference” to maintaining the trust of those affected by the breach.
She added: “However, it’s important to note here that the reasons behind this breach are relatively unsophisticated and highlight a fundamentally poor operational practice.
“Sending files over email – particularly unencrypted files – is always risky [and] this incident shows that if you do this in error, there is no way of recalling that data once it’s been sent.
“Your only recourse is to politely request that the unintended recipients delete it.”
Raif Mehmet, VP EMEA at Bitglass, said the WCH breach strengthened the need for organisations to have full visibility and control over their data.
“This can be accomplished by leveraging multi-faceted solutions that defend against malware on any app or endpoint, enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage,” he said.
Once WCH became aware of the breach on Monday night (23rd March), it sent out a second email apologising for the first and urging recipients to delete the spreadsheet.
Customers affected by the breach are being offered “support, guidance, and reassurance”, WCH has said.