Outsourcing giant Serco has today apologised for a data breach involving the email addresses of almost 300 individuals, in a blunder that has potentially greater consequences than doubts over the firm's approach to data security.

Serco is among the companies appointed by the government to hire and train 15,000 contact tracers. The firm shared the data in the visible copy field of an email.

The outsourcer said it does not intend to report the breach to the Information Commissioners' Office. Whether or not the ICO will take a different view is not yet known. In a similar mistake last month, the Home Office reported its own case of wrongly shared email addresses.

The error will not instil faith the government's new COVID fighting contact tracing system, which is set to ask thousands of people who have fallen ill to share the details of their friends and acquaintances.

Jake Moore, a cyber security specialist at ESET says the reputational risk will impact both the firm, and may jeapordise public trust in this important project.

“At a time when people are already questioning the app’s privacy concerns, this comes as a serious blow. Apps like this need the public’s inherent trust from the outset, so learning of even a small number of email addresses leaked is a shame. Those affected should remain aware that they could be used in phishing attempts – but luckily the numbers are low enough to mitigate any further risk. There is a genuine dilemma amongst many people as to whether or not we should download this app with the potential privacy concerns. The question is now whether the public will trust the app after this has happened so soon?

"Moreover, if the app does not achieve the desired uptake, it is flawed from the start.”

That app has its own flaws already, it seems, as wide-ranging security glitches have been discovered during the Isle of Wight pilot.

Security researchers have warned the problems pose risks to users' privacy and could be abused to prevent contagion alerts being sent.

GCHQ's National Cyber Security Centre has acknowledged the issues, promising to fix some and review others. But the researchers suggest a more fundamental rethink is required.

Specifically, they call for new legal protections to prevent officials using the data for purposes other than identifying those at risk of being infected, or holding on to it indefinitely.


Forgotten your login for the digital edition of CIR Magazine, or not received your print copy? Request support.

Share Story: