Outsourcing firm exposed thousands of letters sent by banks and local councils

Virtual Mail Room, a London-based firm offering cost-effective customer communications services to banks, local councils, and other organisations, recently exposed the personal information of tens of thousands of people in the UK by failing to secure its systems.

Virtual Mail Room reportedly failed to secure its systems, resulting in tens of thousands of letters sent by banks, local councils, and other organisations getting indexed by Google in June. These letters contained the names and addresses of recipients as well as the types of letters they were sent.

According to WIRED who first reported the exposure, the exposed tranche of data maintained by Virtual Mail Room included the names of thousands of UK residents who were sent pre-delinquency and remediation letters by banks as well as tens of thousands of people who communicated with local councils such as Croydon, Eastbourne, Reigate, North Tyneside, Ashford, North East Derbyshire and West Lindsey.

If accessed by hackers or online fraudsters, the exposed tranche could have enabled them to launch phishing attacks to target innocent victims by pretending to be banks or local council authorities themselves. Hackers could also blackmail victims into paying money by threatening to post their communications with banks online.

Mickel Bak, the director of Virtual Mail Room, told WIRED that the data exposure was the result of a cyber attack targeting the firm. “We are clearly very concerned that we were the target of an attack to access information that we hold. We have, and are taking the necessary steps required to assist our clients and appropriate authorities in this instance,” he said.

Commenting on the massive exposure of public records by Virtual Mail Room, Tim Mackey, principal security strategist at Synopsys CyRC, said that when selecting any technology vendor, a review of their security and privacy practices should always be performed and organisations should ask questions relating to what their software and service provider supply chain looks like, how they’ve vetted their partners, what security audits they’ve passed, and what data they retain from each transaction.

"The primary goal of these diligence questions is to build a threat model surrounding the relationship with the service provider. In effect, if there was a security or operational incident with the provider, or should it move to insolvency, what would the impact to the business be? Often security is thought in terms of defending against an attack, but in reality a comprehensive security strategy invests in understanding business risk such that damage from attacks is minimised," he added.

According to Niamh Muldoon, Senior Director of Trust and Security at OneLogin, the exposure highlights that trust is dependent on every single security action, and the importance of using trusted service partners in the supply chain.

"While the attack was targeted at Virtual Mail Room, the impact ripples across to hundreds of other companies utilising their services. These companies should be vigilant, not solely of their own internal security but ensuring that the partners they work with undergo all the necessary checks as well," she added.

Read More: Driving licences of 54k Australians leaked via misconfigured S3 bucket

MORE ABOUT: