IT services company Capita has apologised for the "regrettable error" that saw the personal information and credit card details of local residents in Lambeth, London, emailed as plain text.
One member of Lambeth Council has called for an inquiry into the incident, which was first reported by ZDNet UK on Tuesday. Capita is still refusing to reveal how many residents were affected by the glitch, which affected Lambeth's online council tax system.
The incident took place last week and only came to light after an alert council tax payer in Lambeth warned the council of the problem.
According to a statement issued by Capita on Wednesday, the incident "was caused by a member of Capita staff who, during a complex software upgrade, omitted to activate the encryption code which masks certain customer details". As a result, the details were shown in plain text in the emails sent to confirm payment, where they could be seen by anyone who intercepted the email.
"Lambeth Council and Capita apologise for this regrettable but isolated error," said Capita in a statement. This "affected a small number of citizens", Capita added, without revealing how many had been affected.
The mistake is particularly serious, given the risks posed by ID theft today. Capita insisted that it was "an isolated error that has never occurred before" and said it has "reviewed its processes and staff training to mitigate such a situation recurring".
Capita also said that it "took prompt action to rectify the error within 48 hours", but did not explain why it took two days to rectify the mistake.
"This is quite clearly unacceptable," said Councillor Daniel Sabbagh, the finance spokesman for the opposition Labour Party in Lambeth. "We will be asking for further information, and demanding a full inquiry to ensure that no resident has lost out as a result of this security breach."
On Tuesday, a Lambeth Council spokeswoman said that it was "unacceptable for this information to be displayed [in this way]".

Talkback
Why is it a day never goes by without a story about EDS or Crapita messing up?
More to the point, who keeps hiring these muppets in the first place? How can a company that has so blatantly and publicly cocked up keep going?
This is basic stuff, it should not have occurred and I trust that Capita are going to put Lambeth Council and its constituents into the same position that they would have been in had the breach of security not occurred.
I am always amazed when outsourcing companies are quoted as saying that the issue was down to an error on the part of a single person. The whole point of outsourcing service delivery is that it should provide a competent and safe pair of hands for running the service to good industry practices and against the framework of a decent security policy.
What happened to the processes that provide the checks to stop something like this happening and why did they fail?
Why was the encryption of personal data switched off in the first place? Do we infer that live data which had not been made anonymous was being used in testing?
Don't we have any software companies in the UK? For some reason, these US Corporations appear to think we, in the UK, are stupid. Capita claims this is an "isolated incident" and that it "won't happen again". Isn't that what was said when thousands of UK bank accounts were made public, accidentally of course! So this "has never happened before", I've heard that one many times too. Of course this has not happened to Lambeth Council constituents but Capita certainly have a habit for repeating these statements. Instead of outsourcing to the US, India etc., UK companies should outsource, only if necessary and only to other UK companies that need the business. If we used more British companies, we would have some answerability and if things do go wrong, as they do regularly with Capita, a UK company would find it very easy to sue a UK company. As Capita is a US company, it is too difficult to take legal action and therefore a simple "sorry" tends to be adequate compensation. When they do apologise, "sorry" actually means "we have been paid, will continue to be paid and therefore your customers can go suck eggs you stupid British idiots". Finally, what is the difference between outsourcing to the US and outsourcing to India? Indians have brains and sell account details instead of giving them for free LOL
Yes, we are stupid. Because fool me once then shame on you. But fool me twice then shame on me.
And since "we" (our decision makers) keep repeating the same old mistakes and never really learn from the past (why should they? no real liability, remember? comes with having no clue) the only signal we're sending out is: please milk me more, oh, slap me again, master. How strange that markets react to that.
Sigh.
In order to change behaviour you need to change attitude and that requires intervention with the right stimulation (countering unwanted motivating factors).
Education also helps but some people seem to have turned such a blind eye that teaching sign language and such might be in order.