Work and Income privacy breach due to email mistake | Stuff.co.nz
Work and Income privacy breach due to email mistake
Daniel Smith
05:00, Aug 10 2021
This is a modal window.
An unanticipated problem was encountered, check back soon and try again
Error Code: MEDIA_ERR_UNKNOWN
Session ID: 2021-08-13:5fcba6ee462b40cfdb376b84 Player Element ID: IbraajJAxg-6139250289001
OK
Close Modal Dialog
1m 51s
Early morning queues for Manurewa WINZ office
Hundreds of South Auckland locals queue from the early hours of the morning for assistance from the Manurewa office of Work and Income. (Video first published July 2019)
Private email addresses of 103 beneficiaries have been made public due to a mistake by a Work and Income caseworker.
They were carbon copied (CC) into an email promoting free fruit and nuts from the Christchurch City Council, rather than blind carbon copied (BCC), which would have concealed them from each other.
One of the addresses was Ben Brown’s, who said he felt humiliated by the privacy breach.
“I feel quite emotional actually. At the end of the day we have no idea who has got their hands on these emails. You can do a lot of things with an email, especially if you know how to hack,” Brown said.
READ MORE:
* Reports of harmful digital communication have increased 24 per cent in a year - Netsafe
* Major data breach at cleaning and catering company Spotless
* Tenant excited to move into major new social housing development
Brown said, on Friday evening, he received a call from the Work and Income North Island regional manager who apologised for the privacy breach and asked him to delete the information and forget it ever happened.
ADVERTISEMENT
Advertise with Stuff
But Brown was not willing to accept their apology, until the case manager who sent the email, apologised.
The private email addresses of more than 100 beneficiaries were released due to a Work and Income caseworker mistakenly adding the email addresses to the CC field, rather than BCC.
THE PRESS
The private email addresses of more than 100 beneficiaries were released due to a Work and Income caseworker mistakenly adding the email addresses to the CC field, rather than BCC.
“I want a written apology, and a guarantee this won’t happen again,” Brown said.
Kay Read, group general manager client service delivery, at the Ministry of Social Development, confirmed 103 beneficiaries were sent emails with all the email addresses visible to those who were copied in. No other personal client details were shared.
“Although this was a mistake, the staff member did the right thing by informing their manager as soon as they realised it had occurred. MSD has reminded staff of the need to take extra care when sending emails to more than one person,” Read said.
Stuff for small businesses
Stuff Ads - the SME self-service solution
Get noticed now
“On Friday we phoned all clients who were sent the email to apologise for the mistake, and were able to speak to 68 of them. We have now sent a follow-up email to each of the 103 clients,” Read said.
Martin Cocker, chief executive of Netsafe, said this type of privacy breach was an easy mistake to make.
“Everybody that has ever used email has probably sent something they meant to blind carbon copy through the carbon copy function. So we all know it is not entirely uncommon to do that. But people who are transacting sensitive information need to be cautious about that.”
Netsafe chief executive Martin Cocker says it is hard to override human error.
NETSAFE
Netsafe chief executive Martin Cocker says it is hard to override human error.
Cocker said there were a few basic tricks that businesses could use to stop themselves sending out sensitive info via email.
“There are systems that you can put in place that stop you from accidentally sharing information. You can put delays on sending emails, that give you a certain number of minutes after you hit send which gives you an opportunity to stop it.”
But he said putting people into the CC field instead of the BCC field was difficult to override because the fault was largely human error.
Daniel Smith
05:00, Aug 10 2021
This is a modal window.
An unanticipated problem was encountered, check back soon and try again
Error Code: MEDIA_ERR_UNKNOWN
Session ID: 2021-08-13:5fcba6ee462b40cfdb376b84 Player Element ID: IbraajJAxg-6139250289001
OK
Close Modal Dialog
1m 51s
Early morning queues for Manurewa WINZ office
Hundreds of South Auckland locals queue from the early hours of the morning for assistance from the Manurewa office of Work and Income. (Video first published July 2019)
Private email addresses of 103 beneficiaries have been made public due to a mistake by a Work and Income caseworker.
They were carbon copied (CC) into an email promoting free fruit and nuts from the Christchurch City Council, rather than blind carbon copied (BCC), which would have concealed them from each other.
One of the addresses was Ben Brown’s, who said he felt humiliated by the privacy breach.
“I feel quite emotional actually. At the end of the day we have no idea who has got their hands on these emails. You can do a lot of things with an email, especially if you know how to hack,” Brown said.
READ MORE:
* Reports of harmful digital communication have increased 24 per cent in a year - Netsafe
* Major data breach at cleaning and catering company Spotless
* Tenant excited to move into major new social housing development
Brown said, on Friday evening, he received a call from the Work and Income North Island regional manager who apologised for the privacy breach and asked him to delete the information and forget it ever happened.
ADVERTISEMENT
Advertise with Stuff
But Brown was not willing to accept their apology, until the case manager who sent the email, apologised.
The private email addresses of more than 100 beneficiaries were released due to a Work and Income caseworker mistakenly adding the email addresses to the CC field, rather than BCC.
THE PRESS
The private email addresses of more than 100 beneficiaries were released due to a Work and Income caseworker mistakenly adding the email addresses to the CC field, rather than BCC.
“I want a written apology, and a guarantee this won’t happen again,” Brown said.
Kay Read, group general manager client service delivery, at the Ministry of Social Development, confirmed 103 beneficiaries were sent emails with all the email addresses visible to those who were copied in. No other personal client details were shared.
“Although this was a mistake, the staff member did the right thing by informing their manager as soon as they realised it had occurred. MSD has reminded staff of the need to take extra care when sending emails to more than one person,” Read said.
Stuff for small businesses
Stuff Ads - the SME self-service solution
Get noticed now
“On Friday we phoned all clients who were sent the email to apologise for the mistake, and were able to speak to 68 of them. We have now sent a follow-up email to each of the 103 clients,” Read said.
Martin Cocker, chief executive of Netsafe, said this type of privacy breach was an easy mistake to make.
“Everybody that has ever used email has probably sent something they meant to blind carbon copy through the carbon copy function. So we all know it is not entirely uncommon to do that. But people who are transacting sensitive information need to be cautious about that.”
Netsafe chief executive Martin Cocker says it is hard to override human error.
NETSAFE
Netsafe chief executive Martin Cocker says it is hard to override human error.
Cocker said there were a few basic tricks that businesses could use to stop themselves sending out sensitive info via email.
“There are systems that you can put in place that stop you from accidentally sharing information. You can put delays on sending emails, that give you a certain number of minutes after you hit send which gives you an opportunity to stop it.”
But he said putting people into the CC field instead of the BCC field was difficult to override because the fault was largely human error.
