Back to blog overview

HISTORICAL DATA BREACH: Immediate Actions, next steps and an apology

*Updated 26 June 2019—
On the afternoon of Friday 14th June Mermaids was made aware of a data breach.  We are grateful to the Sunday Times for bringing it to our attention.
Mermaids immediately took action. The same day Mermaids notified the Information Commissioners Office (ICO). The breach was also immediately remedied.
The scope of the breach was that internal Mermaids emails from 2016 and 2017 in a private user group were available on the internet, if certain precise search-terms were used.
Mermaids understands that the information could not be found unless the person searching for the information was already aware that the information could be found.
In addition to the immediate action of notification to the ICO and remedying the breach, the following further actions have already been taken:
  • Mermaids has contacted those affected according to ICO guidance.
  • Mermaids has contacted families and stakeholders.
  • The trustees of Mermaids will instruct an independent third party expert to report to the trustees on the breach.
  • Mermaids has reported the incident to the Charity Commission.
  • Mermaids have rapidly examined all the information so as to ascertain any other measures which need to be taken.
The material mainly consisted of internal information involving full and frank discussion of matters relevant to Mermaids, but unfortunately included some information identifying a small number of service users. Mermaids has contacted these people.  The information, seen in its actual and proper context, is normal internal information for a group such as Mermaids. The information shows Mermaids takes its responsibilities seriously and that there is candid internal consideration of all issues.
So the overall position is that there was an inadvertent breach, which has been rapidly remedied and promptly reported to the ICO, and there is no evidence that any of this information was retrieved by anybody other than the Sunday Times and those service users contacted by the journalist in pursuit of their story.
Finally, Mermaids apologises for the breach. Even though we have acted promptly and thoroughly, we are sorry.  At the time of 2016-2017, Mermaids was a smaller but growing organisation.  Mermaids now has the internal processes and access to technical support which should mean such breaches cannot now occur.

*Updated 26 June 2019—

Since this statement was first published, Mermaids has taken steps to disable the cached/replicated version of the data which resulted from this breach. The material is not responsive to search engine enquiries, and links have been delisted from Google search by Mermaids' lawyers, a deletion notice has been served on the website and the relevant national data protection supervisory authority notified, to enforce deletion. In this way, the data breach and any effect on service users has been or is in the process of being successfully contained and remediated.