Privacy Fail as Charity Leaks Info on Vulnerable Adults

Privacy Fail as Charity Leaks Info on Vulnerable Adults

The website of a Scottish charity which works with some of society’s most vulnerable members has been shut down after a major data leak was revealed, exposing sensitive information on around 50 people.

The Scottish Appropriate Adult Network (SAAN) works to safeguard the interests of children or vulnerable adults that have been arrested or called in for questioning by the police.

It does this by providing so-called “appropriate adults” to accompany and offer support to these individuals during the process.

However, scores of these volunteers and vulnerable adults had their personal details including names, email addresses and phone numbers exposed by the SAAN website, The Sunday Post reported.

Also apparently included on the site was information about rape victims and domestic abuse cases.

To make matters worse, SAAN was contacted last year about the privacy snafu but failed to respond — apparently because of the same issue with the site.

“As soon as we were notified of the difficulties, we took immediate action and the website is unavailable until the issue has been resolved,” SAAN interim chair, Karen Donoghue, told the paper.

The ICO is said to be investigating the case.

Mark James, security specialist at ESET, argued that highly sensitive data of this kind is more than just a hassle to replace, it could put the victims in physical danger.

“For companies that are charged with keeping that data safe, there must be stricter rules and regulations to ensure that the means used for storing and protecting that data, must exceed those used for ‘ordinary’ data,” he added.

“How can we determine what data is more sensitive that others, is it even possible? Each case is different, but if actual harm could come from this type of data making itself public we need to do more to protect it in the first place.”

The GDPR will levy potentially huge fines for serious infractions when it comes into force on May 25 next year, with regulators likely to take a particularly dim view of highly sensitive information of the sort leaked by SAAN.

Source: Information Security Magazine