The EQC data breach
The Press reports:
Accidentally releasing the private information of almost 10,000 claimants is a “very embarrassing” mistake for the Earthquake Commission, Christchurch Mayor Bob Parker says.
How sensitive or private was this information?
This morning information about 9700 claims, including claim numbers and street addresses, was inadvertently sent to one person outside EQC who was not the intended recipient.
The information sent did not include customer names. Most of the information would require knowledge of EQC’s internal workings in order to interpret it.
EQC chief executive Ian Simpson says EQC staff contacted the recipient as soon as the breach was identified. The recipient has agreed to destroy all the information.
I have to say it sounds at the lesser end of the scale. No names, just addresses and claim numbers.
Canterbury Community Earthquake Recovery Network spokeswoman Leanne Curtis said the breach was “unfortunate”.
“It’s unfortunate for the people involved, [EQC] staff included, but I think it’s not unknown to most of us to have sent email to the wrong person at some stage in our life,” she said.
“I think this is a really good lesson for them and I hope they learn from it,” she said.
I understand the problem was the e-mail client did an auto-complete, and it was the wrong name. One can turn auto-complete off but mistakes will happen. Maybe you can put in some system rules where any e-mail with an attachment sent t an external address generates a warning?
Christchurch city councillor Glenn Livingstone said the breach was a “great betrayal of trust”.
Oh, don’t be hysterical.
Livingstone said Earthquake Recovery Minister Gerry Brownlee should also take responsibility for the mistake.
It takes a special kind of politician to turn an accident from a staff member (that was immediately realised and notified, involved no names of people, and was immediately retrieved) into an issue of ministerial responsibility.