Leicester City Council accidentally sent an unsecured spreadsheet to 27 taxi firms that reportedly contained sensitive details of potentially thousands of vulnerable adults and children.
The error occurred as the local government authority were processing tenders for transport of people in care and people with special needs.
Although a recall email was sent, there is no telling just how far the data may have inadvertently spread.
The issue with accidental data leaks of this nature is that its hard to really know how far the data will end up going. The more recipients there are, arguably, the greater the risk. The type of recipients may also dictate the level of risk. If an email is sent to individuals as opposed to companies, the risks can be higher.
But, there is one other major thing that is often forgotten, and that’s whether the recipient has adequate cybersecurity, or whether their account is already compromised by hackers. Data protection breaches and hacks are happening all the time, and its known that cyber criminals will retain information until it can be used. To put this into a relatable example, if one of the taxi firms’ email addresses has already been compromised, and a cybercriminal hears about the council breach in the news, they could get hold of the information.
This train of thought is not ‘wild or outlandish’; it’s the simple reality of how fast data can spread.
An investigation into the Leicester City Council breach has been initiated, with Councillor Ross Grant saying the news made him feel “sick in my stomach”. Some of the data reportedly belonged to vulnerable persons, including children who are said to be at risk of harm from others. It only takes one person to receive the email who may have a malicious agenda to do some serious damage.
Data protection breaches for vulnerable persons
Data protection breaches involving the sensitive and personal details for vulnerable adults and children can often cause a lot of distress for victims and their families. Safeguarding such data is of paramount importance and handling such data should be done with care and with security in mind.
This isn’t the first – and probably won’t be the last – someone working for an organisation like a local council accidentally discloses information to the wrong people by simply sending an erroneous email. Local authorities hold a wealth of personal and sensitive data about people, and they need to make sure it’s handled with appropriate care.
A spokesperson for Leicester City Council said:
“Information would normally be shared with taxi companies on a much more limited basis. We take data protection and confidentiality very seriously and took immediate action, contacting all of the firms and asking them to delete the information. We are investigating and will report this incident to the Information Commissioner’s Office.”