[BreachExchange] Home Office admits second data breach

Destry Winant destry at riskbasedsecurity.com
Tue Apr 16 09:26:02 EDT 2019


https://www.freshbusinessthinking.com/home-office-admits-second-data-breach/

An apology has been issued by the Home Office after the department
revealed fears of a second breach of UK residents’ data in seven days.

The potential breach stems from the accidental sharing of the
private details of EU nationals aiming to obtain settled status in
Britain.

As the Home Office sought to remedy technical issues, the email
addresses of 240 applicants were “inadvertently” sent to fellow
applicants to the scheme, government officials say.

All of those thought to be affected by the incident have been informed
via an email which stated:

“We take this opportunity to apologise for any inconvenience caused by
this incident. We value your patience and understanding at this time.
We would like to reassure you that we are taking this matter very
seriously.”

The news comes on the back of an admission made a matter of days ago
by the Home Office to a number of the Windrush generation, following
the sharing of 500 personal email addresses amid the roll-out of the
department’s compensation programme.

Shadow home secretary Diane Abbott described the situation as
“shambolic”, and pointed to the government’s “mismanagement of the
Home Office” as being “the most shambolic of all.”

“Data breaches are now a matter of routine, while all those who are
unfortunate enough to have to deal with the Home Office face a
combination of indifference, incompetence and the hostile
environment,” the MP for Hackney North and Stoke Newington said.

EU citizens among those caught up in the breach have said they feel
like “second-class citizens”, with one individual criticising the
government for not knowing “who was in this country.”

Email recipient and Danish national, Natasha Jung, asked:

“When will the UK wake up and realise that EU citizens are being
treated as second-class citizens? We have had zero say in the entire
process, despite Brexit affecting us the most.”

Another Danish victim of the breach took to Twitter to vent their
disbelief, stating:

“Not only am I not welcome, my own data is not even safe by the
government who requested said data because they don’t even know who is
in this country!”

Nicolas Hatton, co-founder of the campaign group, the3million, said:

“3.6 million EU citizens are forced to entrust the Home Office with
their most sensitive data.

“A data breach within the first week of the settled status launch does
raise the question whether the Home Office has the right safeguards in
place to keep our data safe.”

Responding via email, the Home Office said that it was taking the
matter “very seriously” and that the issue would be addressed via its
“agents.”

A department official said:

“In communicating with a small group of applicants, an administrative
error was made which meant other applicants’ email addresses could be
seen.

“As soon as the error was identified, we apologised personally to the
240 applicants affected and have improved our systems and procedures
to stop this occurring again.”

Speaking to GDPR: Report, Egress Software’s CEO, Tony Pepper,
elaborated on the wider data protection failure highlighted by the
episode.

“Incidents like this ‘administrative error’ – such as forgetting to
use the Bcc field or sending an email to the wrong person – are
unfortunately all-too-common events.

“This news, plus the separate incident at the government department
that involved 500 email addresses [demonstrates] the lack of a safety
net that could detect and mitigate such errors led to an employee
causing a data breach,” Mr Pepper added.

“It’s clear that organisations need to look at implementing more
robust risk-based protection tools to avoid such email mis-send
incidents, enabling employees to work effectively and securely. With
organisations typically prioritising the malicious outsider over the
accidental insider threat, the latter has been fundamentally
underestimated.

“With intelligently applied machine learning and big data analysis
combined with a people-centric approach to technology, it is possible
to mitigate against such human errors and enhance organisations’
cybersecurity,” he continued.

To date, over 400,000 EU nationals have applied to settle in the UK
under the Home Office’s programme.

