Shropshire Star

More than 250 email addresses exposed in Shropshire Council data breach

More than 250 email addresses were exposed in a data breach by Shropshire Council, it has emerged.

Shropshire Council's headquarters at Shirehall, Shrewsbury

Those involved were emailed an invitation to a webinar focussing on the management of direct payments – but everyone who received the email could see each other's addresses.

An investigation was carried out after the council's data protection officer was informed.

Emails of apology were sent out to those who had been affected, and they were also told about the measures that would be taken going forward.

A follow-up email from the council said: "The outcome of the investigation was that a group email address was used on July 23 to send an email to a number of individuals including yourself.

"However, instead of the 'BCC' field being used, the 'to' field was used in error, meaning that email addresses were made visible to all other email recipients.

"The investigation identified that there was no personal data in the content of the email itself, but that personal email addresses had been inadvertently shared with other recipients.

"As a result of the concerns and the incident, we followed our internal procedure when such incidents occur and we took immediate actions to ensure any risk was mitigated as much and as far as possible.

"The first mitigation was to attempt to recall the email but this was not successful; we then sent a further email asking recipients to delete the email sent incorrectly and we are keeping a record of all confirmations where this has been done and will do going forward.

"Our data protection officer undertook a risk assessment of the breach and discussed the incident with the Information Commissioner’s Office, to ensure appropriate action was taken to reduce any risk and inform the risk assessment, which then informed the actions taken.


"An action plan was then identified and will be implemented asap to follow up on the learning."

The email explains that all those within the team will be asked to complete the mandatory data protection training again, if they have not already done so within the last two months.

The incident will also be highlighted at future team meetings and through further staff correspondence, and processes will be reviewed.

Tom Mullen, Shropshire Council’s data protection officer, told the Shropshire Star: “Any data breaches are taken very seriously and are thoroughly investigated in line with our internal procedures to reduce any potential risks and to take appropriate action.

“In this case, the incident was fully investigated and appropriate actions taken to mitigate any risks posed.

“As a result of the internal investigation all those affected were contacted with an explanation of the situation and an apology.

“In addition, a number of measures were implemented internally to reduce the risk of a similar incident happening again, and to ensure that we learn lessons from this going forward.”
