An education sector marketing firm has committed a data breach – ironically, because it mass-mailed people asking them to update their GDPR communications preferences.
Sprint Education sent an email earlier this week to one of its mailing lists asking recipients to update their mailing preferences.
The lengthy message stated that emailed folks' information had been harvested by Sprint under the terms of GDPR Article 6(1)(f), "legitimate interest".
Unfortunately for Sprint, one of the lucky recipients was a Register reader. He noticed the URL for updating one's mailing list preferences contained a string of numbers – and you can guess what he did and what he found.
"This is my first contact of any kind with this company, and it was totally unsolicited," said our reader, who asked not to be named.
By tweaking one of the digits in that URL, anyone could pull up the name, job title and work email address of everyone else on that Sprint Education mailing list: a textbook insecure direct object reference, where the only thing standing between a visitor and a record was a guessable number, with no check that the visitor was the person the record belonged to. Some of the people whose data was on file had been on Sprint's database since the early part of this decade.
During the writing of this article, the link went from exposing other subscribers' details to exposing none at all, redirecting to a simple opt-out page. However, text on the previous marketing preference page said:
We process your data in line with all relevant laws including the UK's Data Protection Act (DPA), the EU's General Data Protection Regulation (GDPR), and the ePrivacy Directive.
The opt-out page now simply reads: "We're sorry that you didn't find the email sponsored by Sprint Education to be of use."
Guy Lewis, a director of Sprint Education, told The Register: "From the very nature that we send teachers (corporate subscribers) a Data Collection and Fair Processing Notice before we begin actively processing their data and then that you resolved at a Preference Centre where they can manage their GDPR preferences, shows that we are an organisation that takes data protection and privacy with the utmost seriousness."
He added that the data being displayed was already in the public domain and explained the cause of the cockup: "In this single instance the team member here who broadcasted the email did not turn off [link click] tracking for our Preference Centre links (which as you've no doubt seen and noted ARE obfuscated and crucially, non-sequential). As soon as the team member noticed (which was almost immediately) the send was halted, meaning fewer than 250 school staff will have received the email with the sequential links in."
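The two patterns at issue here, the sequential-id link the reader enumerated and the "obfuscated, non-sequential" link Sprint says it normally sends, are easy to show side by side. The Python below is an added illustration, not Sprint Education's code (we have not seen its preference centre), and it makes one assumption about the cause the director described: that the tracking layer replaced the signed token with a bare row id. The subscriber records, the host name `prefs.example` and the signing key are all constructed for the demo. It also includes the pre-send check a practitioner would want, which walks the rendered email and flags any preference-centre link whose token does not verify, the point at which the rewritten links would have been caught before the broadcast went out.

```python
"""IDOR demo: sequential preference-centre ids versus HMAC-signed tokens.

Added example, not Sprint Education's code. All data below is constructed.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample list. The real one held names, job titles and work emails.
SUBSCRIBERS = {
    1001: {"name": "Ada Example", "title": "Head of Science", "email": "ada@school-a.example"},
    1002: {"name": "Bob Sample", "title": "Deputy Head", "email": "bob@school-b.example"},
    1004: {"name": "Cy Placeholder", "title": "ICT Lead", "email": "cy@school-c.example"},
}

# Hypothetical server-side signing key; in production load it from a secret store.
SECRET_KEY = secrets.token_bytes(32)
TAG_LEN = 32  # hex characters, i.e. 128 bits of the HMAC-SHA256 output


# --- Vulnerable pattern: /prefs?id=<sequential row id> ----------------------
def prefs_by_sequential_id(sub_id):
    """The row id is the only thing between a visitor and the record."""
    return SUBSCRIBERS.get(sub_id)


def enumerate_sequential(start, count):
    """What 'tweaking one of the digits' amounts to: walk the id space."""
    hits = {}
    for i in range(start, start + count):
        rec = prefs_by_sequential_id(i)
        if rec:
            hits[i] = rec
    return hits


# --- Hardened pattern: /prefs?t=<id>.<hmac tag> -----------------------------
def make_pref_token(sub_id, key=SECRET_KEY):
    """Bind the id to a tag only the server can compute."""
    tag = hmac.new(key, str(sub_id).encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{sub_id}.{tag}"


def verify_token(token, key=SECRET_KEY):
    """Return the subscriber id if the tag verifies, else None. No DB lookup yet."""
    sid_str, sep, tag = token.partition(".")
    if not sep or not sid_str.isdigit() or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(key, sid_str.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return int(sid_str)


def prefs_by_token(token, key=SECRET_KEY):
    """Only a verified token reaches the database."""
    sid = verify_token(token, key)
    return None if sid is None else SUBSCRIBERS.get(sid)


def enumerate_tokens(known_token, count, key=SECRET_KEY):
    """Attacker keeps a valid tag and bumps the id part; only the original id works."""
    sid_str, _, tag = known_token.partition(".")
    base = int(sid_str)
    hits = {}
    for i in range(base, base + count):
        rec = prefs_by_token(f"{i}.{tag}", key)
        if rec:
            hits[i] = rec
    return hits


# --- Pre-send check: catch links a tracking layer has rewritten --------------
PREF_LINK = re.compile(r'href="https://prefs\.example/prefs\?t=([^"&]+)"')


def unsigned_pref_links(html, key=SECRET_KEY):
    """Tokens in the rendered email whose tag does not verify (e.g. bare ids)."""
    return [t for t in PREF_LINK.findall(html) if verify_token(t, key) is None]


# Constructed email body: one correctly signed link, one link assumed to have
# been rewritten to a bare sequential id by the click-tracking layer.
SAMPLE_EMAIL = (
    '<p>Manage your preferences '
    f'<a href="https://prefs.example/prefs?t={make_pref_token(1001)}">here</a>.</p>'
    '<p><a href="https://prefs.example/prefs?t=1002">Tracked copy of the link</a></p>'
)

if __name__ == "__main__":
    print("sequential ids leak:", sorted(enumerate_sequential(1000, 6)))
    tok = make_pref_token(1001)
    print("signed token, id bumped:", sorted(enumerate_tokens(tok, 6)))
    print("links failing pre-send check:", unsigned_pref_links(SAMPLE_EMAIL))
```

The signed token still exposes the row id, which is fine: the secrecy is in the tag, not the number, and keeping the id visible makes the pre-send check cheap. What the check cannot do is guard against a tracking or link-shortening layer that is added after the email is rendered, so it belongs at the last step before the send, over the bytes that actually go out.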
Tech lawyer Neil Brown, director of law firm decoded.legal, said Sprint Education seemed to have made a genuine effort to comply with data protection laws despite the snafu.
"I think they've done a really rather good job of getting in touch with people whose data they've scraped/bought, and told them who they are, what they are doing with the data, and what the recipients can do about it. And they've done it in plain, intelligible, language. Bravo. I wish more companies did this.
"Allowing someone to view other people's data in this way could well be a breach of Article 32 GDPR. I say 'could' because, if the data is public anyway (as they say in their privacy notice), they have an argument that that level of security was appropriate to the risk, as the risk associated with someone obtaining the data is very low – and being opted-out of marketing is probably no bad thing for most people either." ®