A former council worker has been cautioned by police after admitting taking tens of thousands of residents’ emails from a database in order to promote a business, it has been revealed.
The data breach took place in November last year when 79,000 email addresses were copied from a garden waste collection database. They were taken by an employee, now no longer working for the council, “with the purpose of promoting a business not related to the council,” the local authority said.
A separate database of email addresses from Warwick District Council were also impacted by the breach.
The former council worker has apparently apologized for his actions and given assurances that all email addresses have been deleted. He was cautioned under the Data Protection Act 2018.
Read more on insider threats: Home Working Drives 44% Surge in Insider Threats
Stratford-on-Avon District Council CEO, David Buckland, also apologized for the incident.
“It is important to stress that this information only contained email addresses, it did not contain any bank details, or names and addresses,” he added.
“We have concluded through our investigations that this data breach was a deliberate act by an individual, and not a breakdown of the robust internal controls we have in place.”
Security experts were quick to warn of the potential damage that malicious insiders can cause organizations.
Javvad Malik, lead security awareness advocate at KnowBe4, argued that even email addresses could be a treasure trove for phishing actors, if they got into the wrong hands.
“This is why it’s important to have the right technological controls in place which can restrict access to sensitive information for legitimate business purposes only,” he added.
“However, this incident also illustrates that technical controls alone are insufficient. A strong security culture, underpinned by regular training and a clear understanding of the consequences of data misuse, is essential.”
Jamie Akhtar, CEO and co-founder of CyberSmart, argued that the cost-of-living crisis is forcing many employees to take risks like this.
“Nevertheless, the solution is not for business leaders to view their staff with suspicion or as a threat. Instead, employers must be mindful of how their staff are coping with financial uncertainty or hardship,” he concluded.
“If anything, this story highlights the importance of conducting regular security awareness training and also the need to show up for employees with empathy and support.”