The Home Office has issued a public apology for committing an “administrative error” that resulted in the leakage of email addresses of hundreds of Windrush migrants to others.
Last week, Home Secretary Sajid Javid launched a new Windrush Compensation Scheme to provide compensation to a large number of migrants “who did not have the right documentation to prove their status in the UK and suffered adverse effects on their life as a result”.
The compensation is to be provided to individuals who lost employment, lost access to housing, education or NHS healthcare, or suffered emotional distress or a deterioration in mental or physical health. The scheme is open to anyone of any nationality who has the right to live or work in the UK and arrived in the UK before 31 December 1988.
Hundreds of email addresses leaked by the Home Office
A large number of Windrush migrants asked the Home Office for more information about the compensation scheme. In response, a series of emails was sent out to these migrants, each email addressed to about a hundred recipients.
However, the Home Office did not place the recipients in the ‘bcc’ field before sending, so the email addresses of hundreds of migrants were visible to every other recipient of the same message. After the breach was discovered, Immigration Minister Caroline Nokes issued an apology for the “administrative error”, stating that an internal review had been launched to investigate the breach.
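The failure described above is a pre-send check that bulk-mailing tooling can enforce mechanically. The following is an added example, not code from the Home Office or from any vendor quoted on this page: it flags any message whose To/Cc headers expose more than a set number of recipient addresses, and shows the corrected construction with the list moved to Bcc. The threshold, the sender address and the recipient list are constructed assumptions.

```python
"""Pre-send guard for bulk mailings: refuse any message that would reveal
recipient addresses to each other, and build the safe (Bcc) form instead."""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: a mailing with more visible (To/Cc) recipients than this is a
# bulk send that should have used Bcc. One is a sensible default: the sender
# can address the message to itself and hide everyone else.
MAX_VISIBLE_RECIPIENTS = 1

# Constructed sample data, standing in for the hundred-recipient batches
# described in the article. The .invalid TLD is reserved and never routes.
SAMPLE_SENDER = "scheme-enquiries@example.invalid"
SAMPLE_RECIPIENTS = [f"claimant{i:03d}@example.invalid" for i in range(100)]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient of this message will be able to read."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_bulk_message(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> list[str]:
    """Return a list of findings; an empty list means the message may be sent."""
    exposed = visible_recipients(msg)
    if len(exposed) > limit:
        return [f"{len(exposed)} recipient addresses are visible in To/Cc; move them to Bcc"]
    return []


def exposed_message(sender: str, recipients: list[str]) -> EmailMessage:
    """The failure mode: the whole batch placed in To, visible to all."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Windrush Compensation Scheme: further information"
    msg.set_content("Details of the scheme follow.")
    return msg


def safe_bulk_message(sender: str, recipients: list[str]) -> EmailMessage:
    """Corrected form: To carries only the sender, the batch goes in Bcc.
    smtplib.SMTP.send_message strips the Bcc header before transmission."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Windrush Compensation Scheme: further information"
    msg.set_content("Details of the scheme follow.")
    return msg
```

Wiring `check_bulk_message` into the send path so that a non-empty result blocks the send turns this from an awareness item into an automatic control, which is the point both quoted vendors make below.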
“Even though there are technologies available in the cybersecurity market for masking or anonymising email addresses, this breach was mainly due to a poor, human-based decision,” said Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG.
“More organisations need to enable data protection of personal or sensitive info to ‘automatically’ occur, upon creation of the data, so that ‘accidental insider’ events like this happen less often. The data-centric security model adheres to this and is starting to gain momentum with organisations who want to stay out of the news headlines and restore data privacy,” he added.
“Unfortunately, despite rigorous technical and process controls, examples of human error such as this can mean the difference between a normal day and a data protection disaster. What we’re seeing from a lot of organisations is a situation where technical solutions and process management are in place to a certain degree, but the equally important employee awareness aspect is still yet to be adequately addressed,” said Adenike Cosgrove, cybersecurity strategist for EMEA at Proofpoint.
“Businesses must make end-users aware of what type of data is protected under the GDPR. In addition, organisations must work to change user data-handling behaviour; they must offer action-oriented scenarios that challenge users to think about how the regulation affects their day-to-day business activities.
“GDPR mandates that users handling personal data must be trained on how to handle it appropriately to protect the privacy and confidentiality of that information. Companies rolling out cyber security awareness and training programs should ensure that employees are trained not just on potential technical threats, but are also educated on how to handle sensitive information, particularly Personally Identifiable Information (PII). By leveraging technical controls and making data privacy a business priority, organisations can reduce the likelihood of data exposure,” Cosgrove added.