Updated Capita Education Services had a bit of an oopsie yesterday as a new helpdesk system spurted potentially thousands of email addresses at unsuspecting users.
A Register reader got in touch to express his surprise at receiving an email regarding a helpdesk ticket he didn't open, logged by someone he didn't know.
To make matters worse, the email contained approximately 100 addresses in the To: field. A colleague reported receiving the same email, except with the address field populated by a different 100 addresses.
A quick glance at the edugeek forums confirms that our reader is not alone in receiving Capita's spaffage.
Users have been comparing notes regarding what one acidly described as a "cessation of competence" as well as speculating: "Have they just breached the Data Protection Act in the process of telling us that they've already had a data breach?" before the inevitable was uttered: "Classic Crapita."
The email, with the subject "Incident INC0017274 has been assigned to group DO NOT USE", has come under technical scrutiny, with some suggesting a scam or phishing attack. Another user pointed out that such an attack would mean someone has a list of addresses that users thought were safe and sound within the bowels of the services behemoth.
A mea culpa followed, saying:
This afternoon you would have received an email titled "Incident INC0017274 has been assigned to group DO NOT USE". Please accept our apologies, as this was sent in error.
We are aware that email addresses were visible and we are addressing this as a Data Breach.
Please be assured that the email does not contain any malware and is not a result of malicious activity. May we ask that you please delete the email.
We are currently investigating the root cause with our Information Security Team and we will provide further feedback in due course.
Once again, we apologise for any inconvenience caused.
Head of Support Services
Education Software Solutions
Capita has form with cockups in the education software services arena. An upgrade to the Schools Information Management System (SIMS) in December 2017 resulted in some pupils being linked to the wrong contact details – a potentially huge boot up the backside of students' data protection.
A borkage related to the Common Transfer Files (CTF) mechanism in the system last year caused yet more headaches.
Disclosing those email addresses in the To: field is, however, not great practice (ask Eli Lilly about the Prozac.com "incident").
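The practical fix for the pattern the article describes (one notification, a hundred visible recipients) is to address each copy to a single recipient and to gate outbound mail on the number of addresses readable from the headers. The snippet below is an added example, not Capita's or the helpdesk product's code; the sender, subject and recipient addresses are constructed placeholders and nothing is actually sent.

```python
"""Bulk notifications that do not leak the recipient list.

Added example, not code from the article or from Capita. The addresses
below are constructed placeholders (the .invalid TLD is reserved), and
messages are built but never handed to an SMTP server.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipients for the demonstration.
RECIPIENTS = [f"user{i}@example.invalid" for i in range(1, 6)]


def build_notifications(sender, recipients, subject, body):
    """Safe pattern: one message per recipient, each To: holds only that address."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def build_leaky_notification(sender, recipients, subject, body):
    """The pattern described in the article: every address in a single To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses any recipient can read from the headers (To and Cc; Bcc is stripped)."""
    header_values = []
    for name in ("To", "Cc"):
        header_values.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(header_values) if addr]


def leaks_recipient_list(msg, limit=1):
    """Pre-send gate: True when more than `limit` recipients are visible in the headers."""
    return len(visible_recipients(msg)) > limit


if __name__ == "__main__":
    bad = build_leaky_notification("helpdesk@example.invalid", RECIPIENTS, "Ticket update", "Hello")
    print("leaky message exposes", len(visible_recipients(bad)), "addresses")
    for good in build_notifications("helpdesk@example.invalid", RECIPIENTS, "Ticket update", "Hello"):
        assert not leaks_recipient_list(good)
    print("per-recipient messages expose one address each")
```

The `leaks_recipient_list` check is the piece worth wiring into whatever sends helpdesk mail: with the default limit of one, a message that would show recipients each other's addresses is refused before it leaves the system, which is cheaper than the breach notification that follows otherwise.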
The Register has contacted Capita for its take on things. A spokesperson told us:
We are aware of a technical issue which resulted in a number of our software clients receiving a limited number of other clients' email addresses. The impact on the affected clients is contained. We regard the security of our client's data as very important and we have taken immediate steps to address this issue.
We also spoke to the ICO, which told us the matter has yet to be reported to it. Capita has 72 hours from acknowledging the breach to do so. ®
Updated to add
An ICO spokesperson told The Register: "Capita has reported an incident to us and we will assess the information provided."