[BreachExchange] Brit watchdog fines child sex abuse inquiry £200k over mass email blunder

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 18 19:10:27 EDT 2018


https://www.theregister.co.uk/2018/07/18/ico_hands_sexual_abuse_inquiry_200k_fine_for_security_breach/

The UK's data watchdog today issued the Independent Inquiry into Child
Sexual Abuse (IICSA) a £200,000 penalty after it sent a bulk email to
participants that identified possible victims of historical crimes.

The Information Commissioner's Office (ICO) said IICSA – set up in 2014 to
probe the degree to which institutions in England and Wales failed in their
duty to protect young people from molestation – had breached the Data
Protection Act (DPA) 1998 by not keeping confidential and sensitive
personal data secure.

An employee of the inquiry fired a blind carbon copy (BCC) email to 90
people participating to inform them of a public hearing. Upon realising
the error, the inquiry issued a correction, but the email addresses were
mistakenly entered into the "to" field rather than BCC.

As a result, all recipients were able to view each other's email addresses,
highlighting other possible victims of child sexual abuse. Some 52 of the
addresses included full names or had a full name label attached.

One recipient notified IICSA of the breach, and they then entered two
further email addresses into the "to" field before replying to all in the
chain.

IICSA subsequently sent three emails requesting that the recipients delete
the original email and not circulate it further, but one of these in turn
led to 39 "Reply All" emails.

According to the ICO, the inquiry: failed to use an account that could send
separate emails to each person involved in the cases; didn't give guidance
or training on BCC emails; hired an external IT firm to manage the mailing
list and relied on advice from the third party that it would prevent email
recipients from replying to the whole list; and shared those email
addresses with the IT company in breach of its own privacy notice.
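The first two failings the ICO lists (no way to send a separate email to each participant, and no guidance on BCC) are ones a notification script can remove by construction. The following is an added example, not code from the inquiry, the ICO or The Register: it builds one message per recipient, points replies at a monitored mailbox so a "Reply All" cannot reach other participants, and refuses to hand any message to the transport if more than one address would be visible in its To/Cc headers. The participant list, sender and reply-to addresses are constructed placeholders; the transport callable is assumed to wrap whatever delivery mechanism is in use.

```python
"""Per-recipient notification sender with a pre-send exposure check.

Added example (not part of the original post or of any inquiry system):
one message per participant, so no participant's address appears in
another participant's copy, plus a guard that blocks any message that
would expose more than one address in To/Cc or carries a Bcc header.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list; placeholder addresses, not real participants.
PARTICIPANTS = [
    ("Participant One", "p1@example.invalid"),
    ("Participant Two", "p2@example.invalid"),
    ("Participant Three", "p3@example.invalid"),
]
SENDER = "inquiry-notifications@example.invalid"   # assumed sender address
# Assumed: replies go to a monitored inquiry mailbox, so a recipient's
# "Reply All" reaches only the inquiry, never other participants.
REPLY_TO = "inquiry-replies@example.invalid"


class ExposureError(ValueError):
    """Raised when a message would reveal recipient addresses to others."""


def visible_recipients(msg):
    """Return every address a recipient could read in the To/Cc headers."""
    headers = []
    for field in ("To", "Cc"):
        headers.extend(msg.get_all(field, []))
    return [addr for _, addr in getaddresses(headers) if addr]


def check_no_exposure(msg, max_visible=1):
    """Reject a message whose visible recipients exceed max_visible.

    A Bcc header is also rejected: Bcc must be handled as envelope
    recipients by the transport, never left in the headers of a message
    that is passed on for delivery.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise ExposureError(
            f"{len(visible)} addresses visible in To/Cc: {visible}")
    if msg.get_all("Bcc"):
        raise ExposureError("Bcc header present; use envelope recipients")
    return True


def build_message(name, addr, subject, body):
    """Compose a single-recipient message with replies routed to REPLY_TO."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = f"{name} <{addr}>"
    msg["Reply-To"] = REPLY_TO
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_notifications(participants, subject, body):
    """One message per participant; each one passes the exposure check."""
    messages = []
    for name, addr in participants:
        msg = build_message(name, addr, subject, body)
        check_no_exposure(msg)
        messages.append(msg)
    return messages


def send_all(messages, transport):
    """transport(msg) performs delivery (e.g. smtplib.SMTP.send_message).

    The check is repeated immediately before hand-off so that a message
    edited after construction cannot slip through.
    """
    for msg in messages:
        check_no_exposure(msg)
        transport(msg)


if __name__ == "__main__":
    msgs = build_notifications(PARTICIPANTS, "Public hearing notice",
                               "Details of the hearing follow.")
    # Dry-run transport: print instead of sending.
    send_all(msgs, lambda m: print("would send to", m["To"]))

    # The mistake described in the article: every address in the To field.
    bad = EmailMessage()
    bad["From"] = SENDER
    bad["To"] = ", ".join(f"{n} <{a}>" for n, a in PARTICIPANTS)
    try:
        check_no_exposure(bad)
    except ExposureError as err:
        print("blocked:", err)
```

The check runs twice on purpose: once when the batch is built and once as each message is handed to the transport, so the guard sits at the last point where a human or a later edit could have reintroduced a multi-address To line. Routing Reply-To at a monitored mailbox addresses the third failing in the ICO's list (reliance on a mailing-list provider to stop list-wide replies) without depending on the provider's configuration.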

The ICO's director of investigations, Steve Eckersley, said the breach
placed "vulnerable" people "at risk" and the IICSA "should and could have
done more to ensure this did not happen".

"People's email addresses can be searched via social networks and search
engines, so the risk that they could be identified was significant," he
added.

The ICO and IICSA were sent 22 complaints about the security breach, one
from someone who said they were "very distressed" by it.

The breach was dealt with under the DPA 1998, not the 2018 Act that
replaced it, due to the date of the breach in February 2017.

The Inquiry said it takes data protection "very seriously" and apologised
to the victims impacted by this security breach.

"After a wide-ranging review by external experts, we have amended our
handling processes for personal data to ensure they are robust and the risk
of a further breach is minimised," the IICSA said.