Email Mistakes Expose HMRC, PTSB, WHSmith Data


Following last week's mistaken exposure of HIV patient data by email at London's 56 Dean Street clinic, three other email-driven breaches recently exposed hundreds of people's personal information.

The Irish bank Permanent TSB has acknowledged that a staff member mistakenly emailed approximately 100 customers' names and account numbers to a single unrelated customer.

Permanent TSB said the customer who received the email "has cooperated fully with the bank and has confirmed in writing that the email has been deleted from their email account and that they have no copies of it," the Irish Times reports.

The bank says it's investigated the incident, and has taken steps to make sure that it doesn't happen again.

HM Revenue and Customs (HMRC), the U.K.'s tax collection department, recently shared hundreds of job applicants' email addresses with their competitors as a result of what it described as a "technical glitch."

In one example seen by The Register, an applicant's email address was included in a list that also included almost 500 other addresses. In response to that applicant's complaint, HMRC recruitment wrote, "Please accept my sincere apologies for my previous email, sent today. Unfortunately, there was a technical glitch resulting in a confusing email. This is not how we would have wished to communicate the outcome of the process and we will obviously like to rectify this moving forwards."

An HMRC spokesman told The Register that the email had been send by a third party acting on HMRC's behalf. "No other personal data was displayed and we have told the agency to ensure that the technical problems that they experienced do not recur," the spokesman said.

And the British retailer WHSmith last week began mistakenly forwarding every request sent through its "contact us" form to its entire magazine subscriptions mailing list. Some of the messages included customers' full names and phone numbers.

The company told The Guardian the incident was the result of a systems processing bug by third party vendor iSUBSCRiBE, which manages WHSmith's magazine subscriptions. "We can confirm that this issue has not impacted or compromised any customer passwords or payment details, and we apologize to the customers concerned," WHSmith said.

One customer took the error in stride and used the contact form to write, "Think you guys have a virus, or have been hacked. If anyone else is reading this, have a great morning! Shout-out to my awesome husband and daughter."

Recent eSecurity Planet articles have examined the security risks introduced by third party vendors and the importance of offering security training to employees.