[BreachExchange] Mermaids children's charity apologise for data breach

Destry Winant destry at riskbasedsecurity.com
Mon Jun 17 09:10:09 EDT 2019


https://www.itpro.co.uk/data-breaches/33845/mermaids-childrens-charity-apologise-for-data-breach

A charity that supports transgender children has issued an apology
after a data leak led to the publication of personal emails.

Mermaids, which is a UK organisation that provides support and advice
to transgender or non-transgender-conforming children, said it took
immediate action after being made aware of the issue on Friday.

The data was published online after chief executive, Susie Green, set
up a private email group to share information with the charity's
trustees, according to The Guardian, but the online platform was
publicly accessible.

The details of the leak were first reported in The Sunday Times, which
said that more than 1,000 pages of the organisation's internal
confidential emails had been accidentally published online. The report
also said that the leaked information included "anguished" messages
from parents about their children's suffering.

"The correspondence includes names, addresses and telephone numbers,"
The Sunday Times reported. "The material could be found online simply
by typing in Mermaids and its charity number."

But the charity has denied this in a statement and said that the
information, which contained internal emails from 2016 and 2017, was
only accessible through "certain precise search-terms", adding that it
could not be found unless the person searching for the information was
already aware that it could be found.

Where The Sunday Times reported "anguished" messages from parents,
Mermaids said it was material that mainly consisted of internal
information involving "full and frank discussion of matters relevant
to Mermaids", which included some information identifying a small
number of service users.

Having contacted the ICO, the charity has said it's following the
watchdog's guidance and has contacted those affected.

"The overall position is that there was an inadvertent breach, which
has been rapidly remedied and promptly reported to the ICO, and there
is no evidence that any of this information was retrieved by anybody
other than the Sunday Times and those service users contacted by the
journalist in pursuit of their story," Mermaids said in a statement.

"Mermaids apologises for the breach. Even though we have acted
promptly and thoroughly, we are sorry. At the time of 2016-2017,
Mermaids was a smaller but growing organisation. Mermaids now has the
internal processes and access to technical support which should mean
such breaches cannot now occur."

