Personal data related to more than 50.000 letters sent by banks and local authorities were made available by the search engine of Google when Virtual Mail Room, a London-based company, left its system exposed. Details such as insolvency payments and reminders about unpaid taxes have been available to all Google users since June.
Thousands of names and addresses were left exposed, affecting customers from the UK, USA. and Canada. Virtual Mail Room, the company responsible for data breaches, works for clients such as Metro Bank, 14 local councils, Pearson Publishing and Begbies Traynor insolvency experts.
The breach of privacy raises doubts about due diligence by companies and local authorities that use mail services to manage sensitive customer data. Many of the names and addresses included in the data breach belong to people who have been severely affected by pandemic.
Mismanagement of personal data violates its rules GDPR, with controllers possibly facing fines totaling tens of millions of pounds. A spokesman for the Office of the Information Commissioner, who is also the UK's data regulator, confirmed that he was aware of the incident and was investigating.
Among the exposed privacy were the names and addresses of 6.500 Aldermore Bank customers. In addition, more than 250 Metro Bank customers were identified by their company name and address. A Metro Bank spokesman said the company had "temporarily suspended data sharing".
On its website, the Virtual Mail Room states that it offers customers "a simple but secure interface Internet»Which allows companies to upload documents, contact lists and other information and monitor mail progress and generate reports. Designed as a quick way for companies to communicate with their customers, it has become a major privacy headache.
A database of letters sent by local authorities reveals the names and addresses of 2.300 people living in Croydon. Local councils in Eastbourne, Reigate, North Tyneside, Ashford, North East Derbyshire and West Lindsey also fell victim to the breach. A database included the personal data of hundreds of people who received letters from housing institutions. And they were not just people living in the UK. Virtual Mail Room sends letters from Pearson Publishing Company to USA and Canada. The offense also involved Aldermore customers with addresses in Belgium, Poland, Germany, Italy, the UAE, Sweden and Ireland.
Mickel Bak, director of the Virtual Mail Room, says the company was the target of an attack that led to the publication of personal data on the Internet and continues: attack who gained access to the information we hold. We take the necessary measures to help our customers and the competent authorities ".
Robin Wood, independent consultant security, says the breach could have been avoided if the system had been tested properly. "It 's also something that marketing teams, who monitor Google to see what data is available, could have realized. "If they saw personal data exposed but did not find it strange, then they definitely need an education on data security and management," he said.