Tenants' private details put online in housing agency data blunder
The personal details of thousands of Midlands housing tenants have been published online in a huge blunder.
Names, addresses, telephone numbers, email addresses, details of illnesses and private family circumstances were put on the website of the South Staffordshire Housing Association.
Cancer patients, ex-police officers, pensioners and the disabled were among those to have their details laid bare for all to see.
The data breach was today described as 'horrendous' by local MP Gavin Williamson, who is demanding an investigation.
SSHA, whose chairman is former South Staffordshire Council chief executive Rolf Levesley, has since taken down the information. It is carrying out an internal investigation into how the details were published and how long they were up for.
More than 3,500 private messages between tenants and SSHA dating from July 2009 to as recently as Thursday were posted online via the association's Contact Us page.
They included:
A Wolverhampton mother looking to move to a more suitable home after claims her neighbours had been using drugs. Her name, address and mobile telephone number were all visible to see.
A Kinver man revealing details of his disabilities and the need of support from his family at night because he was vulnerable.
A South Staffordshire mother divulging private details about a family member who was battling cancer and the need for SSHA to help handle her garden.
A Bilbrook woman explaining problems with her finances and how she was struggling to pay her rent.
A Stafford Borough Council officer dealing with an application on behalf of a resident, whose full living situation was described in detail.
A woman from Cheslyn Hay giving an account of a neighbourly dispute and private details of lung disease and hospital visits.
A Cannock tenant giving details of a bank to cancel direct debit payments to SSHA.
Staff are now contacting the thousands of people affected. The Information Commissioner is awaiting contact from those affected.
SSHA manages nearly 6,000 homes covering South Staffordshire, Wolverhampton, Cannock, Stafford, Dudley and parts of Shropshire.
Stafford Borough Council confirmed it was victim of the breach and would be contacting the housing firm as a matter of urgency.
Not only were the details and messages made public, they were also able to be edited and deleted. The computer IP addresses, which can be used to track individuals to their homes or businesses, were also published.
Today, victims hit out at the organisation, which is based at Acton Court, Acton Gate, Staffordshire.
Among them was a retired West Midlands Police officer in Kinver.
The 55-year-old, who did not wish to be named, has lived in a SSHA home for three years and said, because of the nature of her former job, it was vital her address remained secret.
"I'm disgusted by this," she said. "My details could be used by anyone and I could have any manner of person calling me up and making prank phone calls. I moved away from the area I policed for a quiet life and now my details have been put there for people to see. It's a breach of trust and I'm disgusted by it."
Details of Frank Collington and his wife Joy were also published online.
Mr Collington, from Cheslyn Hay, said: "I feel violated. If someone's done this on purpose, they should be instantly dismissed. But even if it's accidental, it's hardly acceptable.
"Anyone could get hold of these personal details, I don't think this is good at all. They haven't been very good to deal with in general."
Susan Sanders, 57, also of Cheslyn Hay, had details of her partner's medical condition revealed online.
She said: "I am appalled by it. I had no idea when I contacted them that it would be up on the website for people to see. Anyone could get my details and call me and I expect an apology from them because someone hasn't done their job properly."
Heather Smith, a mother of two from Cannock, was another whose information was shared on the website.
She said: "I would complain but look what happened the last time I complained to them. It's not on. My personal details were there for all to see. I will be taking it further and I can't believe that this has happened."
Stafford Borough Council said it will also be contacting SSHA about the blunder after a case it was handling on behalf of a tenant was shown on the web page.
Council spokesman William Conaghan said: "We are very concerned to hear that personal details of people we have been trying to help could have been made publicly available by another organisation and will be contacting the housing association as a matter of urgency." The news of the error drew criticism from MP for South Staffordshire Gavin Williamson.
He said: "This is the most horrendous situation because people's private, important and personal details were there for all to see.
"This should never be allowed to happened. I'm sure there are many people who will be in uproar about this and that their details have been so badly mishandled.
"I will be getting in touch with the chief executive of South Staffordshire Housing Association to know what immediate action will be taken and how this was allowed to happen, who was responsible and how it will be put right."
SSHA has begun the task of contacting those affected and said it takes the security of its customers 'very seriously'.
A statement said: "Whilst the underlying technical issue has been solved, we will be investigating the root cause and any contributing factors that led to it occurring and will take steps to ensure that it cannot happen again." Anyone who is concerned and thinks they may have been affected by this incident can contact SSHA on 0800 096 8690 or email enquiries@ssha.co.uk
A SSHA statement read: "On October 2 we were notified that some details customers had sent to us were visible on our website.
"We immediately removed the page to prevent any further information being submitted or being visible. The information involved was the content of enquiries forms that had been submitted through the website including any contact information that was included and the enquiry that was made. No other data was visible and customer accounts were not affected.
"We are identifying everyone affected directly and the nature of their enquiries to establish if any were of a sensitive nature. We'll contact everyone affected directly to explain what happened, to provide advice and to explain what actions we have taken.
"The website enquiries page is now back in service; the underlying technical issue having been fully identified and corrected."
Data blunder victims urged to get in touch as alert issued on fraud:
The Information Commissioner's Office – ICO – today urged any victims of the South Staffordshire Housing Association – SSHA – data breach to come forward.
The data protection and information watchdog holds organisations to account and issues fines if it feels there have been serious mistakes. It has invited SSHA tenants with fears their personal details were published online to get in touch.
ICO spokesman David Murphy said: "There are clear laws around how organisations must look after the personal information they hold, particularly around keeping sensitive information secure.
"If people are not happy about how their information has been handled, then they can report those concerns to the ICO."
Meanwhile, a cyber crime expert has warned the victims may be vulnerable to online fraud. Tony Proctor, principal lecturer in cyber security at the University of Wolverhampton, said it was imperative that SSHA contact those affected as soon as possible. He said that any information, passwords or log-in details could be used by hackers to access people's other private online accounts.
He said: "It sounds like a serious security breach but obviously I don't know the ins and outs of what had happened. What organisations should have is information security management and what some companies do is hire ethical hackers to try and penetrate their computer systems. It is possible, despite this, that someone has made a mistake. What is important is South Staffordshire Housing Association contact the people affected as soon as possible."
And Mr Proctor had a warning to those whose details were submitted online: "With an email address cyber hackers could look to use that and the smallest of details to try and get into accounts. If a password was shared on the website then often people will use the same password for a number of accounts and their bank, Pay-Pal or eBay accounts could be accessed."
Mr Proctor advised anyone worried they are a victim to visit the website of Action Fraud, an agency that investigates internet and online fraud. Action Fraud is can be contacted at www.actionfraud.police.uk, while the ICO hotlines are 0303 123 1113 or 01625 545 745.