weerapat1003 - stock.adobe.com

Serco exposes contact tracers’ data in email error

Error saw almost 300 coronavirus contact tracers’ email addresses made visible to other recipients of the message

Business services and outsourcing company Serco has apologised after an internal error accidentally exposed the personal data of a number of newly recruited Covid-19 coronavirus contact tracers.

The relatively simple and quite common error saw almost 300 email addresses disclosed in the carbon copy (CC) field, rather than in the blind carbon copy (BCC) field of an email, making them visible to the other recipients of the message.

Computer Weekly understands that all the email addresses exposed belonged to new contact tracers who had given Serco permission to email them, and that no other information was compromised.

A Serco spokesperson said: “An email was sent to new recruits who had given us their permission to use their personal email addresses. In error, email addresses were visible to other recipients. We have apologised and reviewed our processes to make sure this does not happen again.”

Earlier this week, health secretary Matt Hancock claimed that 21,000 contact tracers have been recruited to track down people who have been exposed to Covid-19, but there are doubts over the accuracy of this figure and, according to insiders, the onboarding process has been fraught with difficulties.

The Guardian has reported that contact tracers have been left unable to log into their online systems, and described inadequate training procedures, including a case of new recruits being told to look at YouTube videos on the topic of how to talk to bereaved people appropriately. These reports did not originate from within Serco.

Tim Sadler, CEO at Tessian, a supplier of email security services, said: “It goes to show how a simple mistake on email can result in a high-profile data breach, exposing the personal information of almost 300 contact tracers and potentially leaving the firm under investigation with the ICO [Information Commissioner’s Office].

“Ahead of the GDPR [General Data Protection Regulation] anniversary, businesses need to ensure their employees understand and action data security best practices, particularly when sharing sensitive data on email. Companies should consider how technology can help prevent people’s mistakes from happening, before they turn into breaches.”

Camilla Winlo, consultancy director at DQM GRC, a consultancy specialising in data protection and privacy, added: “Operational email systems such as Outlook are not suitable or designed for sending bulk emails like Serco has done here. It’s easy to make mistakes like this – and not only does it put confidentiality at risk, but if enough of the recipients complain, you can actually end up with the whole operational email system being switched off.

Read more about data breaches

“That’s why bulk email systems draw from databases that can be safely maintained, and why they use separate domain names for their activities.

“You also need to question how this arose – you would expect that, had this been an officially sanctioned communication to 300 contacts, it would have been sent by a communications team with access to an appropriate bulk email platform.”

Winlo said the risk to the recipients of the email was low and that, given the nature of their work, contact tracers should be trusted to deal with personal data in an appropriate manner, but suggested there was a higher risk to Serco in terms of risk to its operational systems and damage to its reputation.

“It doesn’t help that there are already privacy concerns surrounding contact-tracing apps,” she added.

Read more on Data breach incident management and recovery

Data Center
Data Management