An employee at outsourcing giant Serco leaked the email addresses of as many as three hundred COVID-19 contact tracers who were hired by the government to help stop the next wave of COVID-19 infections.
Earlier this month, Serco began recruiting and training approximately 15,000 people to enable them to serve as COVID-19 contact tracers with the aim of preventing the spread of the infection and to stop the next wave from appearing in the UK.
The contact tracing programme began this Monday and is expected to play a major role in stopping the spread of the virus even as schools and workplaces start opening in due course. The contact tracing programme will run parallel to the government's testing campaign to diagnose as many COVID-19 positive people as possible and to trace the people they came in contact with.
Merely three days after the programme took off, an employee at Serco leaked the email addresses of as many as three hundred contact tracers by including their addresses in the 'cc' field of an email instead of in the 'bcc' field.
The email was sent by a staff member to inform new trainees not to contact the company's help desk for information on training for the COVID-19 contact tracing programme.
"An email was sent to new recruits who had given us their permission to use their personal email addresses. In error, email addresses were visible to other recipients. We have apologised and reviewed our processes to make sure that this does not happen again," the company said in a statement given to the Today programme.
The fact that a simple error can result in a data breach of such a magnitude has been observed on many occasions in the past as well. In April last year, the Home Office found itself at the wrong end of a similar incident when a staff exposed the email addresses of hundreds of Windrush migrants in an email that was sent out to provide information about a compensation scheme to migrants.
The compensation was meant to be provided to individuals who have suffered the loss of employment, lost access to housing, education or NHS healthcare or suffered emotional distress or deterioration in mental and physical health. The scheme is open to anyone from any nationality who has the right to live or work in the UK and arrived in the UK before 31 December 1988.
"Unfortunately despite rigorous technical and process controls, examples of human error such as this can mean the difference between a normal day and a data protection disaster. What we’re seeing from a lot of organisations is a situation where technical solutions and process management are in place to a certain degree, but the equally important employee awareness aspect is still yet to be adequately addressed," said Adenike Cosgrove, cybersecurity strategist for EMEA at Proofpoint.
"Businesses must make end-users aware of what type of data is protected under the GDPR. In addition, organisations must work to change user data-handling behaviour, they must offer action-oriented scenarios that challenge users to think about how the regulation affects their day-to-day business activities.
"GDPR mandates that users handling personal data must be trained on how to handle it appropriately to protect the privacy and confidentiality of that information. Companies rolling out cyber security awareness and training programs should ensure that employees are trained not just on potential technical threats, but are also educated on how to handle sensitive information, particularly Personally Identifiable Information (PII). By leveraging technical controls and making data privacy a business priority, organisations can reduce the likelihood of data exposure," Cosgrove added.