Holiday firm Thomson has apologised to customers whose data was accidentally emailed to an unknown number of external organisations, however experts have warned this does not go far enough.
Some 500 customers found out their personal details, including their full name, home address and dates of their holiday, had been inadvertantly leaked by a Thomson employee.
In a statement, the company told IT Pro: "We would like to apologise to our customers involved and reassure them that we take data security very seriously and we are urgently investigating the matter to ensure this situation will not be repeated."
However, it seems that an apology is all the customers can hope to receive, with the BBC reporting that Thomson will not be offering compensation, nor allowing those affected to alter their bookings.
This is despite concerns criminals could get their hands on the leaked data and use the information to rob holidaymakers' homes while the properties are empty.
"Sorry is not good enough and I'm surprised they aren't doing more," Bola Rotibi, an analyst with Creative Intellect Consulting, told IT Pro.
"This wasn't a hack, it was a poorly implemented process, and the question remains as to who the email was supposed to go to and why this type of information wasn't encrypted," she added.
Rotibi pointed to Thomson's responsibilities under the Data Protection Act and said regulatory bodies should come down hard on the company.
UK data watchdog the Information Commissioner's Office (ICO) told IT Pro: "We are aware of an incident at Thomson and we will be making enquiries."
Email recall called into question
In its initial statement, Thomson said: "The error was identified very quickly and the email was recalled, which was successful in a significant number of cases."
However, just how successful this course of action could have been has been called into question.
Tony Pepper, CEO of encryption services provider Egress said: "I would be interested to see what [Thomson] used to do this.
"For example, the recall function in Microsoft Office only works on internal communications, otherwise it simply sends another message to ask that people don't open the [email] sent in error - which will often have the opposite effect, making people more likely to read the email than before to know why someone had tried to recall it."
IT Pro contacted Thomson to ask if it has any intention of doing more to help customers affected than just apologising, and if further information about how the breach occured will be forthcoming. However, the company did not respond.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
