A survey from Egress has revealed that more than two-thirds of Brits have been sending work emails containing sensitive data to the wrong recipient and many of them are not reporting such incidents to their organisations.
In May, the Information Commissioner’s Office released its data security incident trends report for Q4 2019. The report stated that the bulk of security incidents reported to the ICO involved alteration of personal data, data emailed to an incorrect recipient, data of the wrong data subject shown in a client portal, denial of service, failure to redact, incorrect disposal of hardware, incorrect disposal of paperwork, loss or theft of personal data, and verbal disclosure of personal data.
These incidents were mostly the result of human error and accounted for 1,976 of the 2,629 security incidents reported to the ICO between January and March this year.
To test the accuracy of these findings, security firm Egress carried out a survey of 300 email users in the UK and found that over two-thirds of them (68%) had sent work emails containing sensitive data to the wrong recipients. Anecdotal comments from respondents also indicated that many of them did not report such data leaks to their line managers.
“The ICO report and the results of our quick poll show that this is really just the tip of the iceberg. Most email data breaches go unreported, so it’s difficult for CISOs and their security teams to fully grasp and tackle this problem. What’s more, with 60% of the UK’s workforce now working remotely, we’ve seen a 23% increase in email usage due to the pandemic. Imagine what the true cost of misdirected emails would be if all were reported as data breaches?” the firm asked.
“In this elevated risk environment, where misdirected emails can have devastating repercussions if personal or corporate data is exposed, it is paramount that organisations provide staff with technology that stops outbound emails going to unintended recipients,” it added.
Incidents of employees sending confidential emails to unintended recipients are a very common phenomenon, one that results in companies leaking sensitive data without any cyber attack by a third party. In September last year, UNICEF leaked the names, email addresses, gender, and professional information of around 8,000 people through a bulk email.
Similarly, email addresses of hundreds of West Ham football club supporters were exposed when the club sent out a bulk email to fans who had secured tickets for the Carabao Cup match against AFC Wimbledon but pasted all the email addresses in the ‘To’ field instead of in the ‘bcc’ field.
The Information Commissioner’s Office has not taken kindly to omissions in the past that have led to similar data breaches, especially where the information belonged to sensitive and vulnerable citizens.
In July last year, the ICO fined the Independent Inquiry into Child Sexual Abuse (IICSA) £200,000 for failing to protect the identity of possible victims of child abuse after a human error compromised identities of such victims to third parties.
The ‘human error’ occurred in February 2017 when, instead of putting e-mail addresses of possible child abuse victims in the ‘bcc’ field, the employee erroneously pasted e-mail addresses of 90 Inquiry participants in the ‘To’ field.
Gloucestershire Police was also fined £80,000 by the ICO for failing to conceal the identity of dozens of victims of child abuse, thereby causing immense distress to the affected victims. The breach occurred on 19th December 2016 when an officer at Gloucestershire Police sent a bulk email to 56 recipients to inform them about an update on a case, but instead of putting the e-mail addresses in the ‘bcc’ field, added all the email addresses in the ‘To’ field.
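The three bulk-email incidents above share one mechanism: many recipients placed in the visible ‘To’ field rather than ‘bcc’. The following is an added example, not code from the article or from Egress, of the kind of outbound control the Egress quote calls for: it holds a message whose To/Cc headers expose more than a policy threshold of addresses. It assumes it runs at the submission point (a client plug-in or mail submission hook) where the Bcc header is still present, and the threshold of 10 is a value chosen here.

```python
"""
Added example: flag an outbound message whose recipients were put in the
visible To/Cc headers instead of Bcc. Assumes it runs before Bcc is stripped
(client plug-in or MSA hook). The threshold is an assumed policy value.
"""
from email import message_from_string
from email.utils import getaddresses

# Assumed policy: above this many visible recipients, every recipient can see
# every other address, so the message is held for review instead of sent.
MAX_VISIBLE_RECIPIENTS = 10


def visible_recipients(raw_message: str) -> list[str]:
    """Return the addresses every recipient will see (To and Cc only)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_outbound(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Decide whether a message should be held before it leaves the organisation."""
    visible = visible_recipients(raw_message)
    domains = {addr.rsplit("@", 1)[-1] for addr in visible}
    held = len(visible) > limit
    reason = None
    if held:
        reason = (f"{len(visible)} addresses across {len(domains)} domains are "
                  f"exposed in To/Cc; move them to Bcc or send individually")
    return {"held": held, "visible": len(visible),
            "domains": len(domains), "reason": reason}


def build_message(field: str, count: int) -> str:
    """Constructed sample: a bulk case update with `count` recipients in `field`."""
    rcpts = ", ".join(f"person{i}@example{i % 7}.test" for i in range(count))
    return (f"From: updates@example.org\r\n{field}: {rcpts}\r\n"
            "Subject: Case update\r\n\r\nPlease see the attached update.\r\n")


if __name__ == "__main__":
    # 56 recipients in To, the shape of the Gloucestershire Police incident.
    print(check_outbound(build_message("To", 56)))
    # The same 56 recipients in Bcc are not visible to each other and pass.
    print(check_outbound(build_message("Bcc", 56)))
```

The check does nothing about a single wrong address in a small message, which is a separate problem; it targets only the bulk To/Bcc mistake described on this page.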
Health insurance company Bupa was also fined £175,000 by the ICO in October last year for failing to prevent a massive data breach in 2017 that compromised the personal information of up to 108,000 international health insurance customers.
The breach took place when a malicious employee at Bupa gained access to the company’s customer relationship management system (“SWAN”) that stored personal information of 1.5 million customers, misused his privileged access to steal data of 108,000 customers, and then put up the data for sale on the dark web marketplace AlphaBay that could be accessed via Tor.