September 9, 2020
Personal details from more than 50,000 letters sent by banks and local authorities were being indexed by Google after a London-based outsourcing firm left its system badly exposed. Since June, details about everything ranging from liquidation to final notices of unpaid council tax and mortgage holidays were left for anyone to see.
Several names and addresses, together with the types of letters the recipients were sent, were left exposed. This affects people in the UK, the US, and Canada. The firm responsible for the data breach, Virtual Mail Room, has worked for clients that include Metro Bank, 14 local councils, the publisher Pearson and insolvency specialist Begbies Traynor. However, the specific content of the letters sent to the individuals was not visible.
The privacy breach has raised doubts about the due diligence carried out by companies and local authorities that use subcontracted mailing services to handle sensitive customer data. It comes at a painful time, as many of the names and addresses in the breach belonged to people who have been hit hard financially by the pandemic. Such missteps could fall foul of GDPR; the data controllers and processors are potentially facing fines of 10 million pounds. A spokesperson from the Information Commissioner’s Office, the UK’s data regulator, has confirmed that it was aware of the incident and was making inquiries.
The data exposed by the breach is very personal. Among the exposed personal data were the names and addresses of almost 6,500 customers of Aldermore Bank. The back-end system that was left exposed revealed which customers were receiving pre-delinquency and remediation letters. The bank’s spokesperson said that they are now investigating the issue. Elsewhere, more than 250 Metro Bank customers were identified by their company name and address. A Metro Bank spokesperson said that the company has “temporarily suspended sharing data” with Virtual Mail Room as a precautionary measure while the investigation continues.
Virtual Mail Room stated on its website that it offers clients “a simple, but secure, web interface” that permits companies to upload documents, contact lists, and other information, track the progress of mail-outs, and generate reports.
A database of letters sent by local authorities revealed the names and addresses of 2,300 residents of Croydon. Councils in Eastbourne, Reigate, North Tyneside, Ashford, North East Derbyshire, and West Lindsey were also caught up in the breach. Another database showed the details of hundreds of people who received letters from housing associations. It was not only people in the UK who were left exposed.
Virtual Mail Room sent out royalty statements for the publishing firm Pearson to the US and Canada. In addition, Aldermore customers with addresses in Belgium, Poland, Germany, Italy, the UAE, Sweden, and Ireland were also affected by the breach.
Virtual Mail Room’s director, Michael Bak, says that the company was the target of an attack that led to the data being posted online.
All the unprotected data has since been secured, but not before it was left online for the public in June.
In addition to the data that was made public, the names, email addresses, and telephone numbers of the staff with access to Virtual Mail Room’s systems were also visible. The back end was also left unsecured, allowing print and delivery jobs to be modified or deleted.
Robin Wood, an independent security consultant, noted that the breach seems like the sort of thing that would have been picked up had the system been tested adequately.