Another West Berkshire Council data breach

There has been another West Berkshire Council data breach, and it again involves an email being sent to people that has leaked the information for the recipients.

Just a few weeks ago, we covered a breach from the same council which saw an email sent to around 30 people where the “BCC” function wasn’t used. In this more recent event, it’s another case where the “BCC” function wasn’t used, but this time, it’s understood to have affected over a thousand people.

The long and short of the issue is that council data breach compensation claims are incredibly common because of how easily these events occur. But these incidents are completely preventable, and the fact that there has been two from the same council in the space of just a few weeks is alarming.

About the West Berkshire Council data breach

The most recent West Berkshire Council data breach event is another case of an email being sent out to more than one recipient where proper software isn’t used; or, at the very least, where the “BCC” function isn’t used.

It’s understood that the email was in relation to a leisure survey, and was sent out at the end of October to 1,107 people. The content of the email was a reminder for the recipients to complete the 2019 ‘Leisure Centre User Survey’, with a link for the survey provided.

The recipients’ email addresses were copied into the email in order to send the reminder to the mailing list. A member of staff had reportedly inserted the email addresses into the incorrect field, resulting in the breach.

The council has said that it is “really sorry” for the data leak, confirming that:

“On 25 October, the council was made aware of an incident by which a large number of service users were copied into an email containing a survey about leisure centres. This led to each recipient being able to see one another’s email addresses.”

When will organisations learn?

The West Berkshire Council data breach was an entirely avoidable incident. There’s software available – some of which is free to use – whereby you can send thousands upon thousands of emails to recipients safely without the risk of a data leak like this.

The old fashioned and outdated method of simply copying recipients’ email addresses into a field is dangerous, as exampled in this recent event. Even the use of the “BCC” function which should ensure that such a leak doesn’t happen remains dangerous given that accidental errors like this can occur.

Given how many times this has happened, when will organisations learn?

The dangers cannot be understated

The potential damage that can be  done in an event like the West Berkshire Council data breach can never be understated.

You can argue that this leak wasn’t severe in that it was just the email addresses for the recipients, although the impact from person to person can always differ. Some people may have a very important reason for keeping their email address private, and any leak of such information could cause serious distress. Data breach compensation pay-outs are generally valued based on the individual impact, which can vary greatly between people.

But to go back to an infamous example where such a simple and avoidable error can cause serious harm, we remind people about the 56 Dean Street Clinic leak that we’ve been representing people for. In that case, the same thing happened, but the recipient list was for users of a HIV service. As such, their private and sensitive medical data had been leaked.

Organisations must put a stop to practices that can easily end up in a data leak. These incidents are entirely avoidable, and it feels like it’s only a matter of time before we see another serious data leak that’s caused by a simple email recipient error.

Public sector data leaks: advice for victims

Making a BA data breach case