The Bristol council data breach incident that was reported last week is understood to have affected thousands of residents.
The incident was yet another case of an avoidable data breach that has been caused by what appears to be a simple error. We see these kinds of leaks all the time, and Bristol is not the first council to have committed a breach just like it.
One of the most severe data breach group actions we’re running stemmed from an incident that’s exactly the same as this one. The damage that can be caused by a simple email error that leads to a leak can be substantial. A large volume of the cases we deal with are for council data breach compensation claims. They really are awfully common.
About the Bristol council data breach
It’s understood that the Bristol council data breach incident is another case of an email that was sent out using the CC function instead of the BCC function.
Ironically, the email that was sent was to notify people who had signed up to the Bristol Citizens’ Panel that their email address would be removed in accordance with GDPR. Instead of using the BCC function, the CC function was used. The result was that identities and contact information of those involved in the Panel have been leaked to each other.
This isn’t the first incident, either, where an email sent to comply with GDPR has itself breached GDPR by leaking the recipient list. It’s basic stuff, but we see these kinds of breaches a lot. The 56 Dean Street Clinic leak remains, perhaps, the worst seen yet. We’ve been fighting for justice for victims of that leak since 2015.
Reaction to the Bristol council data breach
The Bristol council data breach email resulted in complaints from some of the recipients. We understand that the “reply all” feature had been used to air concerns as well.
The council has confirmed that the email was sent in the way it was “in error” and has apologised for what has happened.
In response to the breach, the council said:
“We sincerely apologise for an email that was sent out in error earlier today. The email was sent to recipients with the email details in the ‘To:’ address field so these were visible to everyone who received the message. This was done in error and should not have happened. This has been reported to the city council’s data controller as a data breach.
“Your email address will be deleted from the Citizens’ Panel database and you will not be contacted again.”
A lot of the enquiries we receive, and the cases we take on, are for council data breach compensation claims. Local authority leaks and breaches lead the way when it comes to the volumes of incidents that take place.
With the volume of personal and sensitive data that councils often hold, these kinds of incidents can be severe for the victims.