The Information Commissioners Office (ICO) recently reported on a reprimand they issued to a housing association after personal information became accessible in an online customer portal.
Clyde Valley Housing Association in Lanarkshire launched a new portal in 2022. On the first day of its release a resident discovered they could access personal information about other residents. As a result, they called a customer service adviser to report the breach.
Unfortunately, the concerns were not escalated and so the personal information remained accessible for a further five days.
The housing association sent a mass email to promote the new portal. Following this, four more residents also made a report, and the new system was subsequently suspended.
It appears that there was a lack of testing before making the portal live, and concerningly staff were not sure what to do about escalating the breach once it was reported.
A case like this leaves lessons for all businesses to reflect on. While new digital systems can allow for large productivity gains, data security has to be a top priority. The reputational damage from a data breach can be significant.
Data protection training is vital for staff so that they know what to do. Reviewing training needs is a must. For instance, an occasional tabletop exercise might help you to see where training needs lie.
