Local councils’ customer information exposed by data breach

Outsourced firm Virtual Mail Room fails to secure customer data in latest breach

Posted 9 September 2020 by Christine Horton

The personal information of tens of thousands of people has been left exposed after an outsourced communications company failed to effectively secure its systems.

Data relating to more than 50,000 letters sent out by banks and local authorities were indexed by Google after London-based firm Virtual Mail Room left its system exposed, according to WIRED, which first reported the breach.

The exposed information – which ranged from insolvency to final reminders of unpaid council tax and mortgage holidays – was left available to view since June. Thousands of names and addresses were also left exposed, affecting people in the UK, US and Canada.

Virtual Mail Room’s clients include 14 local councils, Metro Bank, the publisher Pearson and insolvency specialist Begbies Traynor. The specific content of the letters sent to individuals were not visible.

A database of letters sent by local authorities reveals the names and addresses of 2,300 people living in Croydon. Councils in Eastbourne, Reigate, North Tyneside, Ashford, North East Derbyshire and West Lindsey were also caught up in the breach. One database showed the details of hundreds of people receiving letters from housing associations.

Mickel Bak, director of Virtual Mail Room, told WIRED that the company was the target of an attack that led to the data being posted online. “We are clearly very concerned that we were the target of an attack to access information that we hold,” he says. “We have, and are taking the necessary steps required to assist our clients and appropriate authorities in this instance.”

The names, email addresses, and telephone numbers of staff with access to Virtual Mail Room’s systems were also visible. The tools on the backend were also left unsecured, allowing for print and delivery jobs to be potentially modified or deleted.

All-time high

Data leaks are at an all-time high, rising by 492 percent to a record 27 billion in the first half of 2020.

However, research suggests a third of UK consumers will avoid a business “for up to several years” if their personal data is compromised due to a business’ poor data security practices during COVID-19

WIRED reports that a spokesperson for the Information Commissioner’s Office (ICO), the UK’s data regulator, was aware of the incident and was making enquiries.