An accountancy firm waited two months to inform clients of a data breach that eventually saw farmers’ names and addresses end up in the hands of animal rights activists.
The breach occurred after accountants and financial planners Old Mill uploaded a mailing list containing 7,363 names and addresses to its webspace. Although not publicly visible, the list could be found and downloaded via a Google web search.
Old Mill said it was notified by a third party on 6 July that the mailing list had been accessed, downloaded and copied. The firm said it immediately took down the list and requested that the copy be destroyed.
No risk of harm
The company said it took legal advice at the time and concluded it was not necessary to notify farmers of the breach since “on balance we did not believe there was any risk of harm taking into account the limited nature of the information involved”.
Details included in the mailing list were limited to names, salutations, company names and addresses. It did not include any telephone numbers, email addresses or financial data. Old Mill said it had considered the risk of third parties accessing the list to be “very low”.
But the firm became aware on 12 September that a link to download the mailing list in its complete form had appeared in an article on the anti-badger cull website www.innocentbadger.com. Links to the article were posted on the Stop the Cull Facebook page.
The article also listed the farmer directors of companies involved in culling badgers to combat bovine tuberculosis in cattle – although Old Mill said this information was unconnected to the mailing list, which contained no reference to badger culling.
Old Mill has now written to farmers informing them of the breach. In a letter dated 14 September, the firm said it had reported the matter to the Information Commissioner’s Office. It said it was also working with its solicitors, and the police, asking for the mailing list to be removed.
It said: “We could not have anticipated the deliberate, hostile and potentially criminal actions that have taken place. However, we acknowledge that an error took place when the list was originally allowed to be available via a search engine and we apologise for this.”