A data fail left banks and councils exposed by a quick Google search

Details of more than 50,000 letters sent by banks and local authorities were left online for anyone to see


Private details relating to more than 50,000 letters sent out by banks and local authorities were indexed by Google after a London-based outsourcing firm left its system hopelessly exposed. Details about everything from insolvency to final reminders of unpaid council tax and mortgage holidays were left available for anyone to view since June.

Thousands of names and addresses – and the types of letters they were sent – were left exposed, affecting people in the UK, US and Canada. Virtual Mail Room, the firm responsible for the data breach, worked for clients including Metro Bank, 14 local councils, the publisher Pearson and insolvency specialist Begbies Traynor. The specific content of the letters sent to individuals was not visible.

The privacy breach raises doubts about the due diligence carried out by companies and local authorities using outsourced mailing services to handle sensitive customer data. It also comes at a particularly painful time, with many of the names and addresses contained in the breach belonging to people who have been hit hard financially by the pandemic. Such missteps could fall foul of GDPR, with data controllers and processors potentially facing fines totalling tens of millions of pounds. A spokesperson for the Information Commissioner’s Office, the UK’s data regulator, confirmed it was aware of the incident and was making enquiries.

The details exposed by the breach are hugely personal. Amongst the tranche of exposed personal data were the names and addresses of 6,500 customers of Aldermore Bank. The back-end system left exposed reveals which customers received pre-delinquency and remediation letters. A spokesperson for the bank says it is investigating the issue. Elsewhere, more than 250 Metro Bank customers were identified with their company name and address. A Metro Bank spokesperson says the company has “temporarily suspended sharing data” with Virtual Mail Room as a precautionary measure while its investigation continues.

On its website, Virtual Mail Room states it offers clients “a simple, but secure, web interface” that allows companies to upload documents, contact lists and other information, track the progress of mail-outs and generate reports. But what was designed as a speedy way for companies to contact their customers has turned into a major data privacy headache.

A database of letters sent by local authorities reveals the names and addresses of 2,300 people living in Croydon. Councils in Eastbourne, Reigate, North Tyneside, Ashford, North East Derbyshire and West Lindsey were also caught up in the breach. One database showed the details of hundreds of people receiving letters from housing associations. And it wasn’t just people living in the UK who were left exposed. Virtual Mail Room sends out royalty statements for the publishing firm Pearson to the US and Canada. Aldermore customers with addresses in Belgium, Poland, Germany, Italy, the UAE, Sweden, and Ireland were also included in the breach.

Mickel Bak, the director of Virtual Mail Room, says the company was the target of an attack that led to the data being posted online. “We are clearly very concerned that we were the target of an attack to access information that we hold,” he says. “We have, and are taking the necessary steps required to assist our clients and appropriate authorities in this instance.” All the data left unprotected has since been secured, but not before it had been online for anyone to see since June.

The names, email addresses, and telephone numbers of staff with access to Virtual Mail Room’s systems were also visible. The tools on the back-end were also left unsecured, meaning print and delivery jobs could potentially have been modified or deleted.

Robin Wood, an independent security consultant, says that the breach seems like the sort of thing that would have been picked up had the system been properly tested. “It is also something that could have been picked up by marketing, or SEO teams, who monitor Google to see what is indexed. If they had seen it, but didn't realise what was happening, then awareness training would have helped,” says Wood.
