Child sexual abuse inquiry fined £200,000 for exposing victims

IICSA replied-all to participants, then shared their email addresses with an IT company without their consent

The Independent Inquiry into Child Sexual Abuse (IICSA) has been fined 200,000 for a data leak that identified possible abuse victims.

With a remit to investigate historic allegations of sexual abuse, the IICSA has been penalised after a staff member sent a mass email to 90 participants in its inquiry, by mistakenly entering their email addresses into the 'to' field instead of the 'bcc' field.

Advertisement - Article continues below

The incident occurred on 27 February 2017 - prior to the introduction of the General Data Protection Regulation (GDPR), which came into force on 25 May - meaning UK data watchdog the Information Commissioner's Office (ICO) delivered the penalty under the Data Protection Act 1998. Under GDPR the fine could have been much higher.

"This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen," said the ICO's director of investigations, Steve Eckersley.

"People's email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant."

Informing the inquiry participants about a public hearing, an IICSA staff member initially sent an email containing an error, with all 90 addresses marked in the 'bcc' field. Attempting to correct the error, the staff member sent a follow-up email, but this time marked all recipients in the 'to' field - meaning their identities were exposed to all.

Of the addresses revealed, 52 contained the full names of the participants or had a full name label attached - many of whom may have been victims of child sexual abuse. The IICSA was alerted to the mistake by a recipient who added two further email addresses into the 'to' field before pressing 'reply all'.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The IICSA attempted to rectify the breach by asking all recipients to delete the initial email and to resist circulating the email any further. According to the ICO, one of these messages generated 39 'reply all' emails.

The investigation concluded that the abuse inquiry failed to use an account capable of sending separate emails to each participant, and it had not adequately trained staff on the importance of double-checking into which field an email address was entered.

The ICO also found that the IICSA should not have relied on advice from an IT company it had hired to manage the mailing list, which claimed that it would prevent individuals from replying to the exposed list. Most concerningly, however, the abuse inquiry breached its own privacy notice by sharing participants' email addresses with the IT company without their consent.

A total of 22 complaints came the ICO's way following the incident, with one complainant remarking that he was "very distressed" by the breach.

Advertisement - Article continues below

"The inquiry takes its data protection obligations very seriously and we have apologised to those affected by the data breach," IICSA secretary John O'Brien said.

"After a wide-ranging review by external experts, we have amended our handling processes for personal data to ensure they are robust and the risk of a further breach is minimised."

The 200,000 fine represents one of the largest fines handed to an organisation for a breach in the UK, with the maximum fine that can be levied under the DPA worth 500,000 - Facebook received this for its recent Cambridge Analytica data-sharing scandal.

If the case had been adjudicated under GDPR, however, the IICSA would have found itself open to a maximum fine of 20 million.

Picture: Shutterstock

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/security/cyber-attacks/356417/trump-confirms-cyber-attacks-on-russia-election-trolls
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020