Lessons to be learned from a data breach

The Information Commissioner's Office (ICO) recently reported on a reprimand it issued to a housing association after personal information became accessible in an online customer portal.

Clyde Valley Housing Association in Lanarkshire launched a new portal in 2022. On the first day of its release, a resident discovered they could access personal information about other residents. As a result, they called a customer service adviser to report the breach.

Unfortunately, the concerns were not escalated and so the personal information remained accessible for a further five days.

The housing association sent a mass email to promote the new portal. Following this, four more residents also made a report, and the new system was subsequently suspended.

It appears that there was a lack of testing before the portal went live and, concerningly, staff were not sure how to escalate the breach once it was reported.

A case like this leaves lessons for all businesses to reflect on. While new digital systems can allow for large productivity gains, data security has to be a top priority. The reputational damage from a data breach can be significant.

Data protection training is vital for staff so that they know what to do. Reviewing training needs is a must. For instance, an occasional tabletop exercise might help you to see where training needs lie. See: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/04/housing-association-reprimanded-for-exposing-personal-information-on-online-portal/
