Watford Community Housing exposed ethnicity and sexual orientation of residents

Watford Community Housing (WCH) accidentally sent across an email containing sensitive personal details of almost 3,500 individuals this week, exposing ethnicity and sexual orientation of thousands.

The community housing sent an email to its tenants on Monday 23 March, advising them on how to communicate with and receive information from the housing association during the coronavirus pandemic. However, the email sent across by the housing also contained a spreadsheet that included sensitive personal information of residents of the housing community. These included their dates of birth, contact details, sexual orientation, ethnicity, religion, and disability status.

The housing authorities have; however, confirmed that there hasn’t been any compromise of financial details. Following the exposure, Watford Community Housing issued a statement on their website stating:

“We are aware that an email was sent out which contained personal information about some of our customers. We will now be urgently contacting those affected in order to ensure that they are protected as far as possible and we are taking advice about what other steps we may need to take in this situation, including engagement with the Information Commissioner’s Office.”

To rectify the situation, they have sent a follow-up email to the recipients, apologised for the mishap, and requested residents to delete the previous email as promptly as possible.

Watford Community Housing has also confirmed that as this spreadsheet did not contain any financial details of the tenants, the risk of identity theft is low but customers can visit https://www.cifas.org.uk/individuals for further advice combatting potential fraud.

Furthermore, they have confirmed that the incident has been reported to the Information Commissioner’s Office and the Regulator of Social Housing. The association will monitor the situation closely and update the affected individuals with developments and next steps.

Data-centric security technologies needed to protect data at source and prevent leaks

Tina Barnard, chief executive of Watford Community Housing, told the Register, "We apologise unreservedly for this breach and share our customers' concerns. We take our responsibilities with customer information extremely seriously and this was the result of human error.

"In line with our commitment to being transparent, we have moved quickly to inform the ICO and we will work closely with the Information Commissioner as required. We will also carry out a full review of our processes to ensure this could not happen again.

"We are taking a variety of steps to assess the potential impact on those affected by the breach, including identifying any safeguarding concerns, and we are contacting our customers to provide information, guidance and support. Anyone with concerns should email CustomerRelationsTeam@wcht.org.uk and we will contact them," she added.

Commenting on the breach committed by Watford Community Housing, Jan van Vliet, VP EMEA at Digital Guardian, told TEISS that as this unfortunate data leak shows, even the best IT security tools are not infallible against human behaviour and this incident again reinforces the need for “data centric” security technologies.

“This would help protect data at source, removing the risk factor associated with human error. If Watford Housing Community had had such technologies in place, it could have prevented this highly sensitive information from being sent without prior approval and prevented it from being opened by the recipients. All organisations, especially those that handle sensitive personal data, have a duty of care to prioritise data protection and prevent incidents like this taking place,” van Vliet added.

Raif Mehmet, VP EMEA at Bitglass, says that to prevent future attacks and safeguard sensitive information, organisations must have full visibility and control over their data. This can be accomplished by leveraging multi-faceted solutions that defend against malware on any app or endpoint, enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage.

Image Source: https://www.wcht.org.uk/

ALSO READ: University of Hertfordshire exposed students’ personal data in bulk email

MORE ABOUT: ,