Email breach

Published: 15 February 2024

An organisation was responsible for managing a number of different client databases all of which related to confidential financial relationships.

Background
An employee of the organisation was asked to send an email attaching details of one of the clients to another organisation.

When sending the email, the employee attached the details of a number of other clients in error, thus compromising the personal data and confidentiality of all those other individuals.

The error was noticed when the recipient of the email opened the message to discover the extraneous data within the attachment and notified the sender immediately.

The organisation acted swiftly to request the deletion of the email and notify the ODPA of the personal data breach. Once the scope of the incident became clear, they also took steps to notify those individuals whose personal data had been compromised.

Learning points
  • The ODPA has consistently reported on the incidence of personal data breaches involving human error, and this case highlights how easily any organisation can suffer a breach of this nature.
  • It is unrealistic to expect staff never to make mistakes, but effective and engaging data protection awareness and training within an organisation is a powerful preventative measure. It is also important for all organisations to have a breach response plan in place which is regularly reviewed and tested.
  • In this case, the organisation responded immediately, putting its well-planned breach response plan into effect. It engaged early with the ODPA and quickly recognised the potential impact on those individuals whose data had been compromised. The member of staff who had sent the email was supported with additional awareness training, and a review was undertaken into improvements that could be made to the sending of emails with attachments outside the organisation.