BreachExchange mailing list archives
A data fail left banks and councils exposed by a quick Google search
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 9 Sep 2020 09:10:10 -0500
https://www.wired.co.uk/article/virtual-mail-room-data-breach

Private details relating to more than 50,000 letters sent out by banks and local authorities were indexed by Google after a London-based outsourcing firm left its system hopelessly exposed. Details about everything from insolvency to final reminders of unpaid council tax and mortgage holidays were left available for anyone to view since June. Thousands of names and addresses – and the types of letters they were sent – were left exposed, affecting people in the UK, US and Canada.

Virtual Mail Room, the firm responsible for the data breach, worked for clients including Metro Bank, 14 local councils, the publisher Pearson and insolvency specialist Begbies Traynor. The specific content of the letters sent to individuals was not visible.

The privacy breach raises doubts about the due diligence carried out by companies and local authorities using outsourced mailing services to handle sensitive customer data. It also comes at a particularly painful time, with many of the names and addresses contained in the breach belonging to people who have been hit hard financially by the pandemic. Such missteps could fall foul of GDPR, with data controllers and processors potentially facing fines totalling tens of millions of pounds. A spokesperson for the Information Commissioner’s Office, the UK’s data regulator, confirmed it was aware of the incident and was making enquiries.

The details exposed by the breach are hugely personal. Amongst the tranche of exposed personal data were the names and addresses of 6,500 customers of Aldermore Bank. The back-end system left exposed reveals which customers received pre-delinquency and remediation letters. A spokesperson for the bank says it is investigating the issue. Elsewhere, more than 250 Metro Bank customers were identified with their company name and address.

A Metro Bank spokesperson says the company has “temporarily suspended sharing data” with Virtual Mail Room as a precautionary measure while its investigation continues.

On its website, Virtual Mail Room states it offers clients “a simple, but secure, web interface” that allows companies to upload documents, contact lists and other information, track the progress of mail-outs and generate reports. But what was designed as a speedy way for companies to contact their customers has turned into a major data privacy headache.

A database of letters sent by local authorities reveals the names and addresses of 2,300 people living in Croydon. Councils in Eastbourne, Reigate, North Tyneside, Ashford, North East Derbyshire and West Lindsey were also caught up in the breach. One database showed the details of hundreds of people receiving letters from housing associations.

And it wasn’t just people living in the UK who were left exposed. Virtual Mail Room sends out royalty statements for the publishing firm Pearson to the US and Canada. Aldermore customers with addresses in Belgium, Poland, Germany, Italy, the UAE, Sweden, and Ireland were also included in the breach.

Mickel Bak, the director of Virtual Mail Room, says the company was the target of an attack that led to the data being posted online. “We are clearly very concerned that we were the target of an attack to access information that we hold,” he says. “We have, and are taking the necessary steps required to assist our clients and appropriate authorities in this instance.”

All the data left unprotected has since been secured, but not before it had been online for anyone to see since June. The names, email addresses, and telephone numbers of staff with access to Virtual Mail Room’s systems were also visible. The tools on the backend were also left unsecured, allowing print and delivery jobs to be potentially modified or deleted.

Robin Wood, an independent security consultant, says that the breach seems like the sort of thing that would be picked up had the system been properly tested. “It is also something that could have been picked up by marketing, or SEO teams, who monitor Google to see what is indexed. If they had seen it, but didn't realise what was happening, then awareness training would have helped,” says Wood.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange
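Wood's point about watching what Google can see suggests a check a client of an outsourced mailing portal can run against the back-office hosts it is told are "secure": request each page as an unauthenticated visitor and record whether it was served at all, and, if it was, whether anything (robots.txt, X-Robots-Tag, a robots meta tag) would keep a crawler from indexing it. The script below is an added example for this thread, not code from Virtual Mail Room, the article or Risk Based Security; the host portal.example.test, the paths, the robots.txt and the HTTP responses are all constructed for illustration. It uses only the Python standard library (urllib.robotparser for the robots.txt matching) so it runs offline; in real use you would populate the Observed records from actual responses, fetched without following redirects.

```python
"""Classify how a back-office URL looks to an unauthenticated visitor and to a
search-engine crawler.  Added example; hostnames, paths and responses below are
constructed, not taken from the incident in the article."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.robotparser import RobotFileParser


@dataclass
class Observed:
    """What an *unauthenticated* client saw when it requested `url`."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


# <meta name="robots" content="noindex"> in the body also blocks indexing.
_META_NOINDEX = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\'][^"\']*noindex', re.IGNORECASE)


def robots_allows(robots_txt: str, url: str, agent: str = "Googlebot") -> bool:
    """True if robots.txt permits `agent` to crawl `url` (stdlib parser)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def requires_auth(resp: Observed) -> bool:
    """Treat 401/403, or a redirect to a login page, as an access gate."""
    if resp.status in (401, 403):
        return True
    if resp.status in (301, 302, 303, 307, 308):
        target = resp.header("Location").lower()
        return "login" in target or "signin" in target
    return False


def has_noindex(resp: Observed) -> bool:
    if "noindex" in resp.header("X-Robots-Tag").lower():
        return True
    return bool(_META_NOINDEX.search(resp.body))


def classify(resp: Observed, robots_txt: str) -> str:
    """
    gated            - unauthenticated request is refused or sent to a login page
    open-indexable   - served without auth, crawlable, no noindex: the failure
                       mode in the article (content ends up in Google)
    open-noindex     - served without auth but marked noindex: still exposed,
                       Google just won't advertise it
    open-uncrawlable - served without auth; robots.txt keeps crawlers away, but
                       robots.txt is advice to crawlers, not an access control
    other            - anything else (404, 5xx, non-login redirect, ...)
    """
    if requires_auth(resp):
        return "gated"
    if resp.status != 200:
        return "other"
    if not robots_allows(robots_txt, resp.url):
        return "open-uncrawlable"
    if has_noindex(resp):
        return "open-noindex"
    return "open-indexable"


def audit(observations: List[Observed], robots_txt: str) -> List[Tuple[str, str]]:
    """Every URL reachable without credentials, worst verdict first."""
    order = {"open-indexable": 0, "open-noindex": 1, "open-uncrawlable": 2}
    findings = [(o.url, classify(o, robots_txt)) for o in observations]
    return sorted((f for f in findings if f[1] in order), key=lambda f: order[f[1]])


# --- constructed sample data (hypothetical host and paths) -------------------
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\n"

SAMPLE_OBSERVATIONS = [
    Observed("https://portal.example.test/jobs", 200, {"Content-Type": "text/html"},
             "<html><body><h1>Mail-out jobs</h1><td>J Smith, 1 High St</td></body></html>"),
    Observed("https://portal.example.test/admin/users", 200,
             {"Content-Type": "text/html"}, "<html>staff list</html>"),
    Observed("https://portal.example.test/reports", 200,
             {"X-Robots-Tag": "noindex, nofollow"}, "<html>reports</html>"),
    Observed("https://portal.example.test/upload", 302, {"Location": "/login?next=/upload"}),
    Observed("https://portal.example.test/api/jobs", 401, {"WWW-Authenticate": "Basic"}),
]


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_OBSERVATIONS, SAMPLE_ROBOTS):
        print(f"{verdict:17} {url}")
```

Any "open-*" verdict is a finding: the only fix that matters is putting authentication in front of the page, since noindex and robots.txt merely decide whether the exposure shows up in a search engine. Note also that a URL blocked by robots.txt can still appear in Google results if it is linked from elsewhere, just without a cached copy of its content, which is why the "open-uncrawlable" case is not treated as safe.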
Current thread:
- A data fail left banks and councils exposed by a quick Google search Destry Winant (Sep 09)