Virtual Mail Room is an outsourcing tool used by companies and authorities to easily distribute their communications, both digital and physical. Virtual Mail Room is used by Metro Bank, Pearson (a publisher), Begbies Traynor (an insolvency specialist), Aldermore Bank, and 14 local councils including Croydon, Eastbourne, Reigate, North Tyneside, Ashford, North East Derbyshire, and West Lindsey among others, many of which were affected by the issue.
Letters to 2,300 residents of Croydon, London were available for anybody to access online, including recipients’ names and addresses. The same can be said for 6,500 customers of Aldermore Bank and 250 Metro Bank customers. The personal telephone numbers, names, and email addresses of Virtual Mail Room staff were also made available.
Letters included pre-delinquency and remediation letters, letters from housing associations, and royalty statements.
Due to the varied client portfolio of Virtual Mail Room, customers from the UK, US, Belgium, Poland, Germany, Italy, the UAE, Sweden, and Ireland were impacted by the leak.
In terms of legal implications, Wired said, “Such missteps could fall foul of GDPR, with data controllers and processors potentially facing fines totalling tens of millions of pounds,” adding that, “a spokesperson for the Information Commissioner’s Office, the UK’s data regulator, confirmed it was aware of the incident and was making inquiries.”
While specific letters could not be accessed or opened, the types of letters were available for anyone to see from June this year. As well as this, tools on the back-end could have been accessed, allowing modification (or even deletion) of certain jobs.
Ray Walsh, a Digital Privacy Expert at ProPrivacy, called the leak a “huge cause for concern.” He said: “This kind of data is immensely valuable to criminals seeking to engage in fraud and identity theft, and the fact that it has been left exposed online for anybody to see is extremely troubling.”
Walsh also pointed out how this scenario “raises very serious concerns” over the ways that banks and local councils choose to outsource their mailing services. “Customers expect mail from these organizations to be handled in a secure and discreet manner, and it is clear from this latest mishap that the businesses these jobs are being outsourced to aren’t necessarily up to the task.”
Speaking to Wired, Virtual Mail Room’s director, Michael Bak, explained the company was the target of an attack, which led to the data being posted online. “We are clearly very concerned that we were the target of an attack to access information that we hold,” he says. “We have, and are taking the necessary steps required to assist our clients and appropriate authorities in this instance.”