The UK’s data watchdog, the Information Commissioner’s Office (ICO) issued a hefty fine of £200,000 on the Independent Inquiry into Child Sexual Abuse (IICSA) for sending a bulk email that identified possible victims of child sex abuse.
A staff member sent an inquiry to 90 people on 27 February 2017 using the “to” field instead of the “black carbon copy” field – exposing everyone’s addresses and making them vulnerable. While 52 of the addresses included full names or had a full name label attached. And one of the complainants was “very distressed” over this incidence.
The ICO said that the last year’s incident was a breach of the Data Protection Act.
ICO director of investigations, Steve Eckersley, said: “People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.
“IICSA should and could have done more to ensure this did not happen.”
The Inquiry has apologized to the victims affected by this data breach, and has said that they take data protection “very seriously.”
“After a wide-ranging review by external experts, we have amended our handling processes for personal data to ensure they are robust and the risk of a further breach is minimized,” the IICSA said.