
Case Study

Exercise on Data Breach


At 10am on 1 April, a newly recruited junior member of staff uploads a
spreadsheet to the central intranet pages of the company.

The spreadsheet is uploaded in order to provide a list of all current staff members,
their job title, and their work extension number. Its purpose is to act as a telephone
directory, and the information is drawn from existing HR records.

Unfortunately, the incorrect version of the spreadsheet is uploaded onto the intranet
by the junior member of staff.

The member of staff had received two versions of the spreadsheet via email from a
senior HR colleague.

One version of the spreadsheet was redacted and contained only the necessary
information. The other was a full HR spreadsheet.
The junior member of staff had not received any guidance or training on the use of
the intranet and how to upload documents to the platform. It was also the first time
the staff member had received a spreadsheet, and she was unfamiliar with the
format, content and functionality of Excel.

Having commenced employment with the organisation only a week before, she was
afraid to seek clarification or help.

The junior member of staff selected the incorrect attachment from the two supplied
and uploaded the unredacted spreadsheet in error.

At 11am on 1 April, the junior member of staff is contacted by a colleague who has
noted that the spreadsheet contains the following information:
• Name
• Job title
• Work extension number
• Gender
• Grade
• Pay

He asks why this information has been made available and is very unhappy that his
salary, which is considerably more than that of a colleague working in the same area, has
been made available in this way.

The junior member of staff apologises and explains that there has been a mistake. She
tries to contact HR for advice on what to do, but no-one is available due to a staff
training event.

The junior employee then receives a second call from another disgruntled member of
staff. They point out that the spreadsheet contains hidden columns, and that one of these
columns contains the next of kin and associated contact details for all staff members
detailed in the document. The caller asks to speak to the junior employee's line manager.

At 12:30pm on 1 April, and as a result of further calls alerting senior staff members of
the issue, the spreadsheet is removed from the intranet in the belief that this fully
contained the incident.

Approx. 48 hours later, at 12:30pm on 3 April, at a managers' meeting, the HR
Director explains what has happened and agrees to add an apology to the staff intranet.

The Operations Director realises the company’s Data Protection Officer (DPO) has not
been informed about the incident. They take this information away and inform the DPO.

At 2:30pm on 3 April, the DPO looks at the spreadsheet. She discovers it contains a
pivot table containing additional information relating to 1000 current and previous
employees. The following categories of personal data are identified as being present:
• Medical history
• Ethnicity
• Disciplinary records

At this stage, the DPO sets out to fully investigate the matter by speaking to the IT
department and to the HR manager who initially removed the spreadsheet from the staff
intranet. This investigation identifies that the spreadsheet was downloaded a total of 50 times
between the time of publication and removal.
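One control the case points to is a mechanical pre-publication check for exactly the artefacts that caused the leak: hidden columns and rows, hidden sheets, and pivot caches, which keep a copy of their source data inside the file even when the visible sheet looks redacted. The following Python script is an added example written for this page, not part of the original exercise. It uses only the standard library, reading the .xlsx as the zip of XML parts that it actually is, and the small workbook it builds is constructed here purely to exercise the scanner (the sheet names, column ranges and pivot part names are assumptions, not values from the case).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by workbook.xml and every worksheet part.
M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}

# Constructed sample (not a real HR file): a minimal .xlsx is a zip of XML parts.
# This one has a visible "Directory" sheet with two hidden columns and a hidden
# row, a hidden "HR_full" sheet, and a pivot cache that still carries source rows.
SAMPLE_PARTS = {
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
    ),
    "xl/workbook.xml": (
        f'<workbook xmlns="{M}"><sheets>'
        '<sheet name="Directory" sheetId="1"/>'
        '<sheet name="HR_full" sheetId="2" state="hidden"/>'
        "</sheets></workbook>"
    ),
    "xl/worksheets/sheet1.xml": (
        f'<worksheet xmlns="{M}">'
        '<cols><col min="1" max="3" width="20"/>'
        '<col min="4" max="5" width="20" hidden="1"/></cols>'
        "<sheetData>"
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Example Person</t></is></c></row>'
        "</sheetData></worksheet>"
    ),
    "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{M}"><sheetData/></worksheet>',
    "xl/pivotCache/pivotCacheDefinition1.xml": (
        f'<pivotCacheDefinition xmlns="{M}" saveData="1"/>'
    ),
    "xl/pivotCache/pivotCacheRecords1.xml": (
        f'<pivotCacheRecords xmlns="{M}"><r><s v="Example Person"/></r></pivotCacheRecords>'
    ),
}


def build_sample_workbook() -> bytes:
    """Pack the constructed parts into an in-memory .xlsx (zip) and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in SAMPLE_PARTS.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def scan_workbook(data: bytes) -> dict:
    """Report hidden sheets, hidden columns/rows and pivot caches in an .xlsx.

    Worksheet parts are reported by their zip path; mapping a part to its
    sheet name would additionally need xl/_rels/workbook.xml.rels.
    """
    findings = {"hidden_sheets": [], "hidden_columns": {}, "hidden_rows": {}, "pivot_caches": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            # "veryHidden" sheets cannot be unhidden from the Excel UI at all.
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings["hidden_sheets"].append(sheet.get("name"))
        for name in zf.namelist():
            if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                ws = ET.fromstring(zf.read(name))
                cols = [(int(c.get("min")), int(c.get("max")))
                        for c in ws.findall("m:cols/m:col", NS)
                        if c.get("hidden") in ("1", "true")]
                rows = [int(r.get("r"))
                        for r in ws.findall("m:sheetData/m:row", NS)
                        if r.get("hidden") in ("1", "true")]
                if cols:
                    findings["hidden_columns"][name] = cols
                if rows:
                    findings["hidden_rows"][name] = rows
            elif name.startswith("xl/pivotCache/pivotCacheRecords"):
                # The records part is a copy of the pivot's source data; it survives
                # deletion of the source rows until the cache is refreshed.
                findings["pivot_caches"].append(name)
    return findings


def safe_to_publish(findings: dict) -> bool:
    """True only when nothing hidden or cached was found."""
    return not any(findings.values())


if __name__ == "__main__":
    result = scan_workbook(build_sample_workbook())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to publish:", safe_to_publish(result))
```

Run against the constructed workbook, the scan reports the hidden "HR_full" sheet, hidden columns 4 to 5 and hidden row 2 on the first worksheet part, and the pivot cache records part, so `safe_to_publish` returns False. Wiring a check like this into the intranet upload path, or exporting a directory as CSV so that no hidden parts can travel with it, would have stopped the full HR workbook in this case from going live regardless of which attachment the junior member of staff selected.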

One of the 50 users who downloaded the spreadsheet mentions the matter to a close
friend of his who is a freelance investigative journalist. The journalist regularly writes
pieces for a national newspaper. Sensing a story, the journalist calls the company asking
for a comment.
