Email gaffe leaks thousands of tenants' sensitive data

The world might be in lockdown but some things never change; organisations are still playing being fast and loose with personal data with Watford Community Housing (WCH) the latest to expose thousands of people’s sensitive information in what should have been a simple exercise to update tenants details.

The WCH dispatched the email on Monday afternoon to a database of people it thought were its tenants, asking them to ensure their information was correct. However, instead of a single entry, the email included a spreadsheet with 3,544 rows that included people’s names, addresses, dates of birth, religion, sexual orientation, ethnic origin and disability status.

The incident was reported to the Register by one of its readers, received the email at about 6pm that day. He is not even a tenant, does volunteer with a local group supported by WCH.

In emails seen by The Register, the WCH realised its monumental cock-up and sent a second email out at 10pm apologising and urging recipients to delete the first email.

A statement on the association website said: “We are aware that an email was sent out which contained personal information about some of our customers. We will now be urgently contacting those affected in order to ensure that they are protected as far as possible and we are taking advice about what other steps we may need to take in this situation, including engagement with the Information Commissioner’s Office.”

WCH chief executive Tina Barnard said in a statement: “We apologise unreservedly for this breach and share our customers’ concerns. We take our responsibilities with customer information extremely seriously and this was the result of human error.

“In line with our commitment to being transparent, we have moved quickly to inform the ICO and we will work closely with the Commissioner as required. We will also carry out a full review of our processes to ensure this could not happen again.

“We are taking a variety of steps to assess the potential impact on those affected by the breach, including identifying any safeguarding concerns, and we are contacting our customers to provide information, guidance and support. Anyone with concerns should email CustomerRelationsTeam@wcht.org.uk and we will contact them.”

To use a well worn phrase, WCH should be afraid, very afraid. In 2018, the Independent Inquiry into Child Sexual Abuse was fined £200,000 by the ICO after a catalogue of data governance issues triggered a bulk email which identified possible victims of historic child sexual abuse.

The ICO investigation found that a member of staff working for the Inquiry had sent a blind carbon copy (bcc) email to 90 Inquiry participants telling them about a public hearing. After noticing an error in the email, a correction was sent but email addresses were entered into the ‘to’ field, instead of the ‘bcc’ field by mistake.

This allowed the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse.