The breach described in the post is already one of the worst breaches of 2020 in my opinion.
It’s 2020 and yet we are still seeing privacy breaches involving very sensitive data due to an email gaffe. From media coverage, it is likely that a newsletter that was sent out put recipients’ email addresses in the cc: field instead of the bcc: field. As a result, people who responded to an inquiry into historical institutional abuse to apply for compensation have learned that their email addresses (and hence, in some cases their names or family names) have been exposed to other survivors.
Some of the recipients are likely the survivors of institutional abuse. Others may be their spouses, partners, or survivors. More information about the inquiry and compensation program can be found in the government’s FAQ. And of course, one can find a privacy notice about data protection under the GDPR.
RTÉ reports about the breach:
The identities of 150 survivors of historical institutional abuse in Northern Ireland have been exposed in a data breach, it has been confirmed.
A newsletter was circulated in an email by the HIA Interim Advocate’s Office on Friday which revealed the names of recipients in error.
Read more on RTÉ.
Note that BBC reports that the number affected is 250, and that people are (understandably) shattered and upset by this breach.
And no, I have no idea how you mitigate this for anyone who might be horrified that they have been “outed” as an abuse survivor if they wanted that kept private — and some of them had reportedly never disclosed their history of abuse to their own families.
Northern Ireland’s interim victims advocate Brendan McAllister won’t resign over this breach, and some of the survivors impacted it are in the process of initiating litigation in the High Court as well as a complaint to the ICO.