VYPR
Breach · Published Jun 5, 2026 · 1 source

City of York Council Exposes Disabled Residents' Data in Email Blunder

The City of York Council inadvertently revealed the email addresses of hundreds of Blue Badge holders through a mass email sent without using BCC, prompting an investigation by the ICO.

A significant data breach has occurred at the City of York Council, where an email sent to hundreds of Blue Badge holders inadvertently exposed their personal information. The council confirmed that the email was sent without using the blind carbon copy (BCC) function, so every recipient could see the email addresses of everyone else on the distribution list. As a result, individuals receiving updates related to the Blue Badge scheme, which is often associated with disabilities or mobility impairments, had their status disclosed to a wide audience.

According to reports, the council sent three emails containing Blue Badge-related information before realizing the mistake. A subsequent fourth email was dispatched, acknowledging the error and instructing recipients to delete the previous messages, including from their deleted items folders. Recipients were also advised to remain vigilant for any suspicious communications that might arise from the incident.

The sensitive nature of the exposed data lies not just in the email addresses themselves, but in the context of the mailing list. Every recipient was on a list specifically for Blue Badge holders, effectively identifying them as individuals who likely have a disability or mobility issue. This disclosure has caused distress for some, with one affected resident expressing upset that her condition, which she kept private, was revealed to hundreds of strangers.

In response to the breach, the City of York Council stated that it has activated its data breach procedures and is conducting a thorough risk assessment in line with guidance from the UK's Information Commissioner's Office (ICO). A spokesperson for the council emphasized that they are working diligently to understand the full scope of the incident and its potential impact on individuals.

The council has not yet disclosed the exact number of individuals affected or whether the incident resulted from human error or a technical malfunction. They are currently assessing whether the incident meets the threshold for mandatory reporting to the ICO within the statutory 72-hour window, a decision that may hinge on the specific implications of the exposed mailing list.

The Information Commissioner's Office (ICO) has confirmed that it received a data breach report regarding this incident. Following an assessment of the provided information, the ICO has closed the case, indicating that advice has been given to the council. This resolution suggests that while the breach was acknowledged, it may not have met the criteria for further formal investigation or penalties at this time.

This incident serves as a stark reminder of the persistent risks associated with basic data handling practices. Despite advancements in cybersecurity, common human errors like the misuse of email distribution functions continue to lead to significant data exposures, highlighting the ongoing need for robust training and stringent protocols within public sector organizations.

Synthesized by Vypr AI