Shropshire Star

Tenants' private details put online in housing agency data blunder

Personal details belonging to thousands of housing tenants were mistakenly published online in a massive data blunder by a housing association which covers parts of Shropshire.

Published

Names, addresses, telephone numbers, email addresses, details of illnesses and private family circumstances were made available on the website of South Staffordshire Housing Association.

Cancer patients, ex-police officers, pensioners and disabled people were among those to have their details laid bare for all to see.

The data breach was today described as "horrendous" by South Staffordshire MP Gavin Williamson, who is demanding an investigation.

SSHA, whose chairman is former South Staffordshire Council chief executive Rolf Levesley, has since taken down the information. It is carrying out an internal investigation into how the details were published and how long they were up for.

More than 3,500 private messages between tenants and SSHA dating from July 2009 to as recently as Thursday were posted online via the association's Contact Us page.

They included:

  • A mother looking to move to a more suitable home after claims her neighbours had been using drugs. Her name, address and mobile telephone number were all visible to see.

  • A man revealing details of his disabilities and the need of support from his family at night because he was vulnerable.

  • A mother divulging private details about a family member who was battling cancer and the need for SSHA to help handle her garden.

Staff are now contacting the thousands of people affected. The Information Commissioner is aware of the issue and awaiting contact from those affected.

SSHA manages nearly 6,000 homes covering the former Bridgnorth District Council area, South Staffordshire, Wolverhampton, Cannock, Stafford and Dudley.

Not only were the details and messages made public, they were also able to be edited and deleted. The computer IP addresses, which can be used to track individuals to their homes or businesses, were also published.

Today, victims hit out at the organisation, which is chaired by Rolf Levesley and based at Acton Court, Acton Gate, Staffordshire.

Among them was a retired West Midlands Police officer in Kinver.

The 55-year-old, who did not wish to be named, has lived in a SSHA home for three years and said, because of the nature of her former job, it was vital her address remained secret.

"I'm disgusted by this," she said. "My details could be used by anyone and I could have any manner of person calling me up and making prank phone calls. I moved away from the area I policed for a quiet life and now my details have been put there for people to see. It's a breach of trust and I'm disgusted by it."

Gavin Williamson MP said: "This is the most horrendous situation because people's private, important and personal details were there for all to see. This should never be allowed to happen."

SSHA told the Shropshire Star it was now investigating.

A statement read: "On Thursday October 2 we were notified that some details customers had sent to us using our website enquiries form were visible on the contacts page of our website.

"On being alerted, we immediately removed the relevant page from service to prevent any further information being submitted or being visible. The information involved was the content of enquiries forms that had been submitted through the website including any contact information that was included and the enquiry that was made.

No other data was visible and customer accounts were not affected.

"We are in the process of identifying everyone who was affected directly and the nature of their enquiries to establish if any were of a sensitive nature. Once we have done so we will contact everyone affected directly to explain what happened, to provide advice and reassurance, and to explain what actions we have taken.

"The website enquiries page is now back in service; the underlying technical issue having been fully identified and corrected."

Data blunder victims urged to get in touch as alert issued on fraud:

The Information Commissioner's Office – ICO – today urged any victims of the South Staffordshire Housing Association – SSHA – data breach to come forward.

The data protection and information watchdog holds organisations to account and issues fines if it feels there have been serious mistakes. It has invited SSHA tenants with fears their personal details were published online to get in touch.

ICO spokesman David Murphy said: "There are clear laws around how organisations must look after the personal information they hold, particularly around keeping sensitive information secure.

"If people are not happy about how their information has been handled, then they can report those concerns to the ICO."

Meanwhile, a cyber crime expert has warned the victims may be vulnerable to online fraud. Tony Proctor, principal lecturer in cyber security at the University of Wolverhampton, said it was imperative that SSHA contact those affected as soon as possible. He said that any information, passwords or log-in details could be used by hackers to access people's other private online accounts.

He said: "It sounds like a serious security breach but obviously I don't know the ins and outs of what had happened. What organisations should have is information security management and what some companies do is hire ethical hackers to try and penetrate their computer systems. It is possible, despite this, that someone has made a mistake. What is important is South Staffordshire Housing Association contact the people affected as soon as possible."

And Mr Proctor had a warning to those whose details were submitted online: "With an email address cyber hackers could look to use that and the smallest of details to try and get into accounts. If a password was shared on the website then often people will use the same password for a number of accounts and their bank, Pay-Pal or eBay accounts could be accessed."

Mr Proctor advised anyone worried they are a victim to visit the website of Action Fraud, an agency that investigates internet and online fraud. Action Fraud is can be contacted at www.actionfraud.police.uk, while the ICO hotlines are 0303 123 1113 or 01625 545 745.

Sorry, we are not accepting comments on this article.