[BreachExchange] Identity theft after Watford Community Housing data leak
Destry Winant
destry at riskbasedsecurity.com
Wed Aug 26 10:44:46 EDT 2020
https://www.watfordobserver.co.uk/news/18677092.leak-watford-community-housing-vulnerable-tenants-risk/
Some victims of a data breach which leaked thousands of tenants’
personal details have become victims of fraud, been under threat of
physical harm, and some were forced to relocate.
The blunder was made by Watford Community Housing when it sent out an
email on March 23 to all tenants to inform them of changes to services
during the coronavirus outbreak.
But attached to the email was a spreadsheet that contained personal
information of the housing association's 3,545 tenants.
The information included full names, gender, addresses, mobile
numbers, email addresses, ethnic origins, religion, and sexual
orientation.
One tenant, Sasha, previously told the Observer that the leaked
information put many vulnerable tenants in “life changing and
life-threatening situations”.
Now Aman Johal, a lawyer and director of Your Lawyers which is
representing nearly 200 clients affected, has confirmed that many
vulnerable people were put into psychological, physical, and financial
threat from the data being in the public domain.
Mr Johal said: “I think there’s a lack of understanding about how
serious and significant these breaches can be on individuals.
“Many of these individuals are vulnerable, some of the clients for
example have been victims of domestic violence – and this data breach
now puts them at further risk essentially in terms of violence.”
The lawyer exemplified one client who had their identity stolen during
the breach, which included a bank account and credit card being taken
out in her name and her email account compromised by fraudsters.
The incident is being investigated by Action Fraud.
But Watford Community Housing say the risk of identity or financial
fraud is low.
Other clients have had to be rehomed with the assistance of UK
authorities due to the leak causing a “real risk”.
Under the General Data Protection Regulation (GDPR), it is specified
there should be “appropriate technical or organisational measures”
ensuring the “appropriate security of personal data”.
Personal information of more than 3,500 tenants leaked by housing association
Tenants could claim up to £15k after personal information of thousands leaked
Mr Johal said: “In terms of families having to move location and
change jobs, that’s going to have significant impact on their mental
health as well as financially.
“Some commenters said you need to prove consequential loss for
compensation – that’s just incorrect, that’s not right in the law.
People affected by a data breach are entitled to claims for injuries
to feelings, we call it distress.
“And when talking about the lower levels impacted by the breach, you
don’t have to show the psychiatric injuries or financial loss.
“Watford Community Housing have a real obligation to take care of that
personal data, particularly when they have vulnerable individuals that
they hold data for – they’ve not learnt from highly publicised data
breaches which have occurred.”
Mr Johal constantly made parallels to similar major data breaches
which the firm helped its victims – including the personal details
leaked of 400,000 British Airways customers in 2018, and the 56 Dean
Street breach which leaked nearly 800 patients who attended HIV
clinics.
The Dean Street breach was claimed to be a result of “human error”, a
term previously used by Tina Barnard, the chief executive of Watford
Community Housing.
Around 39 per cent of the Dean Street claims were settled to an
average of £10,562.50 – which was settled against the advice of the
firm.
Your Lawyers expect to recover around £21,000 for most of the other
Dean Street claimants, as the cases are still ongoing.
Mr Johal believes a similar amount could also be claimed for many of
the Watford Community Housing claimants, but some of the more
significantly impacted victims could claim even more.
Fletchers Data Claims, another firm representing clients affected,
said most victims could claim a minimum settlement between £1,000 to
£5,000, while others seriously affected by the breach could earn up to
£15,000.
What did Watford Community Housing say?
Watford Community Housing say they are “continually reassessing” their
systems and procedures to guard against an error like this happening.
The Information Commissioner’s Office (ICO) has carried out a review
of the incident.
Watford Community Housing say the ICO issued some recommendations to
prevent a similar incident happening but does not consider any
regulatory action should be taken at this stage.
Tina Barnard, the chief executive said: “The security of customer
information is extremely important to us. We have clear safeguards in
place around the usage and protection of customer data, and this
incident was the result of human error.
"We have taken a variety of steps to assess the potential impact on
those affected, including identifying any safeguarding concerns, and
we are providing comprehensive support.
“We have written to everyone affected to provide information and
guidance. This support package includes access to free credit
monitoring services to help give our customers peace of mind."
She continued: "However, it is worth noting that the risk of identity
or financial fraud is low as no personal passwords, national insurance
numbers or financial information, such as bank details or payment
history, were affected by the incident.
“The ICO has carried out a review of the incident and has issued some
recommendations but does not consider that any regulatory action
should be taken at this stage.
"We take our obligations towards data protection extremely seriously
and we are working to implement the ICO’s recommendations.”
More information about the BreachExchange
mailing list