Two-thirds of Brits have sent work emails containing sensitive data to the wrong person
According to a new survey[1], 68% of Brits have sent work emails to the wrong recipients. The data in these emails ranges from confidential figures to court documents. And, despite strict rules on reporting data breaches, many employees are not telling their organisations about these privacy errors.
Furthermore, it is likely that the current pandemic is making matters worse: 60% of the UK's workforce is now working remotely and there has been a 23% increase in email usage.
What did the data breach survey find?
Anecdotal evidence provided to security firm Egress when carrying out this survey included the following statements:
Mistake: I once sent confidential figures to a colleague in my team rather than the CEO as they both had the same first name. Outlook gave me her name as a suggestion rather than the CEO.
Did you report it? No, my colleague saw my mistake and quietly told me.
Mistake: I sent a document for a bankruptcy to the wrong client because I mixed up two small businesses. Both were chapter 7 bankruptcies filed around the same time and they both began with the letter A. I accidentally sent a document that came in from court to the wrong client because I confused the two, as previously mentioned.
Did you report it? No, I did not. We are a small business and I apologised to the client it was sent to and advised to disregard. Then I sent the document to the correct person.
Mistake: I emailed an Excel sheet about future investment opportunities to the wrong person.
Did you report it? No, just apologised and sent it to the right receiver.
ICO data security incident trends
The survey was carried out in response to the ICO's latest Data Breach Incident Report. In this, the ICO revealed that misdirected emails were the primary cause of data breach incidents during Q4 2019. In fact, such email errors accounted for 20% more data breach reports than phishing attacks.
The consequences of a work email error can be devastating
Most security breaches happen because of distractions or mistakes. But the consequences of a simple email error can be devastating.
For example, an independent inquiry into child sexual abuse was fined £200,000 by the ICO after sending a bulk email that identified possible abuse victims. In this case, an officer sent an email to 90 people involved in a review without using the blind carbon copy (bcc) functionality. This allowed the recipients to see each other's email addresses and identified them as possible victims of child sexual abuse.
In another breach, the Home Office admitted that an administrative error exposed the email addresses of hundreds of Windrush migrants. These recipients had all signed up to be kept informed about the Windrush compensation scheme.
And Bupa was fined £175,000 by the ICO for failing to prevent a 2017 data breach which compromised the personal information of up to 108,000 health insurance customers.
Even one-off incidents involving a single individual can have serious repercussions if their sensitive data falls into the wrong hands.
Organisations must do more to protect personal data
With misdirected emails potentially having devastating repercussions, organisations must provide employees with proper data protection training and with technology that stops emails going to the wrong recipients. This matters all the more because, in addition to human error being the leading cause of data breaches, the sheer scale of this problem is clearly being underestimated.
What can you do if you are the victim of a data protection breach?
If you have suffered damage, distress or a loss of privacy caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation.
Our expert, friendly team will advise you on whether you have a valid claim and will be pleased to answer any questions you might have.
[1] https://www.egress.com/news/misdirected-emails-poll-0620