Serco blunder has much wider reputational risk implications

Outsourcing giant Serco has today apologised for a data breach involving the email addresses of almost 300 individuals, a blunder whose consequences may reach well beyond doubts over the firm's own approach to data security.

Serco is among the companies appointed by the government to hire and train 15,000 contact tracers. The firm sent an email to the trainees with their addresses in the visible Cc field rather than the Bcc field, so every recipient could see every other recipient's address.
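The mistake is a mechanical one: anything in the To or Cc headers is delivered to every recipient, while Bcc is stripped by the sending server. An outbound mail check can catch it before the message leaves. The following is an added example written for this page, not code from Serco, CIR or any product; the recipient threshold, the sample message and the `example.com`/`example.org` addresses are constructed for illustration.

```python
"""Detect the Cc-instead-of-Bcc mistake in an outgoing message and show
the safe way to address a bulk send.

Added example for this article; not Serco's or CIR's code. The threshold
and the sample message are constructed assumptions.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy value: more than this many addresses visible in To/Cc of
# one outbound message is treated as a likely mass disclosure.
MAX_VISIBLE_RECIPIENTS = 10


def visible_recipients(msg):
    """Return every address disclosed to all recipients, i.e. those in the
    To and Cc headers. Bcc is deliberately ignored: the MTA removes it."""
    addrs = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            addrs.extend(a.addr_spec.lower() for a in header.addresses)
    return addrs


def flag_mass_disclosure(raw, limit=MAX_VISIBLE_RECIPIENTS):
    """Parse a raw RFC 5322 message and report whether it exposes more
    visible recipients than the policy allows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    visible = visible_recipients(msg)
    return {
        "subject": str(msg["Subject"]),
        "visible_count": len(visible),
        "flagged": len(visible) > limit,
    }


def build_safe_message(sender, subject, body, recipients):
    """Build a bulk message the safe way: the only visible recipient is the
    sender itself, and the real recipients are returned separately so the
    caller passes them as SMTP envelope recipients, e.g.
    smtp.send_message(msg, to_addrs=envelope). No header lists them."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(recipients)
    return msg, envelope


# Constructed sample: twelve trainees placed in Cc, the pattern described
# in the article (addresses are invented).
CONSTRUCTED_SAMPLE = (
    b"From: recruitment@example.com\r\n"
    b"To: recruitment@example.com\r\n"
    b"Cc: " + b", ".join(
        f"trainee{i}@example.org".encode() for i in range(12)
    ) + b"\r\n"
    b"Subject: Training update\r\n"
    b"\r\n"
    b"Hello all\r\n"
)


if __name__ == "__main__":
    report = flag_mass_disclosure(CONSTRUCTED_SAMPLE)
    print("visible recipients:", report["visible_count"],
          "flagged:", report["flagged"])
    safe_msg, envelope = build_safe_message(
        "recruitment@example.com", "Training update", "Hello all",
        [f"trainee{i}@example.org" for i in range(12)])
    print("safe message visible recipients:", visible_recipients(safe_msg))
    print("envelope recipients:", len(envelope))
```

The check counts only the headers that survive delivery, so a message with hundreds of Bcc addresses passes while the same list in Cc is flagged. The limit is a policy choice; a mail gateway would normally apply it per sender or per message class rather than as a single constant.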

The outsourcer said it does not intend to report the breach to the Information Commissioner's Office (ICO). Whether the ICO will take a different view is not yet known. In a similar mistake last month, the Home Office reported its own case of wrongly shared email addresses.

The error will not instil faith in the government's new COVID-19 contact tracing system, which is set to ask thousands of people who have fallen ill to share the details of their friends and acquaintances.

Jake Moore, a cyber security specialist at ESET, says the reputational risk will affect the firm and may jeopardise public trust in this important project.

“At a time when people are already questioning the app’s privacy concerns, this comes as a serious blow. Apps like this need the public’s inherent trust from the outset, so learning of even a small number of email addresses leaked is a shame. Those affected should remain aware that they could be used in phishing attempts – but luckily the numbers are low enough to mitigate any further risk. There is a genuine dilemma amongst many people as to whether or not we should download this app with the potential privacy concerns. The question is now whether the public will trust the app after this has happened so soon.

"Moreover, if the app does not achieve the desired uptake, it is flawed from the start.”

That app has its own flaws already, it seems, as wide-ranging security glitches have been discovered during the Isle of Wight pilot.

Security researchers have warned the problems pose risks to users' privacy and could be abused to prevent contagion alerts being sent.

GCHQ's National Cyber Security Centre has acknowledged the issues, promising to fix some and review others. But the researchers suggest a more fundamental rethink is required.

Specifically, they call for new legal protections to prevent officials using the data for purposes other than identifying those at risk of being infected, or holding on to it indefinitely.

Earlier this month, the government announced that Dido Harding was to lead the programme of testing and tracing, in a decision that came as a surprise to many, given the gravity of the 2015 TalkTalk hack on Harding's watch.
