[BreachExchange] A data fail left banks and councils exposed by a quick Google search

Wed Sep 9 10:10:10 EDT 2020

https://www.wired.co.uk/article/virtual-mail-room-data-breach

Private details relating to more than 50,000 letters sent out by banks
and local authorities were indexed by Google after a London-based
outsourcing firm left its system hopelessly exposed. Details about
everything from insolvency to final reminders of unpaid council tax
and mortgage holidays were left available for anyone to view since
June.

Thousands of names and addresses – and the types of letters they were
sent – were left exposed, affecting people in the UK, US and Canada.
Virtual Mail Room, the firm responsible for the data breach, worked
for clients including Metro Bank, 14 local councils, the publisher
Pearson and insolvency specialist Begbies Traynor. The specific
content of the letters sent to individuals were not visible.

The privacy breach raises doubts about the due diligence carried out
by companies and local authorities using outsourced mailing services
to handle sensitive customer data. It also comes at a particularly
painful time, with many of the names and addresses contained in the
breach belonging to people who have been hit hard financially by the
pandemic. Such missteps could fall foul of GDPR, with data controllers
and processors potentially facing fines totalling tens of millions of
pounds. A spokesperson for the Information Commissioner’s Office, the
UK’s data regulator, confirmed it was aware of the incident and was
making enquiries.

The details exposed by the breach are hugely personal. Amongst the
tranche of exposed personal data were the names and addresses of 6,500
customers of Aldermore Bank. The back-end system left exposed reveals
which customers received pre-delinquency and remediation letters. A
spokesperson for the bank says it is investigating the issue.
Elsewhere, more than 250 Metro Bank customers were identified with
their company name and address. A Metro Bank spokesperson says the
company has “temporarily suspended sharing data” with Virtual Mail
Room as a precautionary measure while its investigation continues.

On its website, Virtual Mail Room states it offers clients with “a
simple, but secure, web interface” that allows companies to upload
documents, contact lists and other information and track the progress
of mail-outs and generate reports. But what was designed as a speedy
way for companies to contact their customers has turned into a major
data privacy headache.

A database of letters sent by local authorities reveals the names and
addresses of 2,300 people living in Croydon. Councils in Eastbourne,
Reigate, North Tyneside, Ashford, North East Derbyshire and West
Lindsey were also caught up in the breach. One database showed the
details of hundreds of people receiving letters from housing
associations. And it wasn’t just people living in the UK who were left
exposed. Virtual Mail Room sends out royalty statements for the
publishing firm Pearson to the US and Canada. Aldermore customers with
addresses in Belgium, Poland, Germany, Italy, the UAE, Sweden, and
Ireland were also included in the breach.

Mickel Bak, the director of Virtual Mail Room, says the company was
the target of an attack that led to the data being posted online. “We
are clearly very concerned that we were the target of an attack to
access information that we hold,” he says. “We have, and are taking
the necessary steps required to assist our clients and appropriate
authorities in this instance.” All the data left unprotected has since
been secured, but not before it was left online for anyone to see
since June.

The names, email addresses, and telephone numbers of staff with access
to Virtual Mail Room’s systems were also visible. The tools on the
backend were also left unsecured, allowing for print and delivery jobs
to be potentially modified or deleted.

Robin Wood, an independent security consultant, says that the breach
seems like the sort of thing that would be picked up had the system be
properly tested. “It is also something that could have been picked up
by marketing, or SEO teams, who monitor Google to see what is indexed.
If they had seen it, but didn't realise what was happening, then
awareness training would have helped,” says Wood.