Newcastle City Council has confirmed that there has been a data breach where the details of thousands of children and their adoptive parents have been accidentally leaked by a council worker.
In June this year, a Newcastle council employee accidentally attached an internal spreadsheet containing personal details of both children and adoptive parents to an email which was only intended as an invite to a summer party.
The document was mis-sent to 77 people and contained personal details relating to 2,743 people, including the names, addresses and birthdays of the adoptive children, former and current adoptive parents and the associated social workers.
The council admitted the adoption data breach and blamed it on “human error”, and they are aware it could leave adoptive parents at risk.
A lot of adoptions are not voluntary and this data breach can leave both the adoptive children and parents at risk of potentially dangerous situations.
The council is deeply concerned to learn of the breach, and has since apologised and put in place a series of measures to contain the breach and ensure future breaches like this do not happen.
The council has taken several measures to contain the situation: it has contacted the 77 people who received the email and requested that the email be deleted, and it has contacted every person affected by the data breach.
There will also be a review of policies relating to sensitive information and data protection, plus refresher training sessions for all staff, to ensure no breach like this can happen again.
A helpline and counselling service was set up for anyone affected by this data breach, available on the dedicated number 0191 211 5562.
Newcastle council did everything it could following the data breach, but because it was not vigilant and cautious enough with its systems to prevent this sort of thing happening, it had to inform the relevant regulators, and could now face a fine of up to £50,000.
Mark James, ESET IT Security Specialist, discusses how this human error may have occurred, and how companies can prevent events like this happening in the first place.
“This highlights the need to segregate data, not just from the point of who should be reading that data, but you have to assume the worst.
“To be able to pull very sensitive data stored in a spreadsheet from an area where you might have a list of activities and/or food for a summer BBQ selection is a clear indication that the data was not stored safely.
“Encryption in this case may not have helped as the user may have been authenticated to view or indeed use that data, but it should at the very least be stored in a safe and/or secure location.
“Human error is unfortunate and we are all susceptible to making the odd mistake, but when it comes to private data you have to be vigilant; removing the possibility of making the mistake in the first place should be a priority and, more importantly, the default.
“This data of course could be used for spam or phishing related attacks; most of the time they end up in the bin, but once you start including data that holds an element of truth or looks official and substantiated, then the likelihood of you being a victim is massively increased.”