Instead of the tender invitations they were hoping for, users of a U.K. dating website have been receiving sexually explicit spam following the leak of their personal information, according to a BBC report.
Guardian Soulmates users have been receiving personalized messages, but rather than offering a connection to a potential soulmate, the spam targets them using snippets of their own personal details drawn from their profiles, including their site username.
The site is run by Guardian News & Media, the publisher of the newspaper and website The Guardian. The publisher stated that "human error" by a third-party technology provider was behind the accidental exposure.
One subscriber reported receiving spam from the site as early as November of last year. When he reported it to Guardian Soulmates, he was informed that the incident occurred in late April. What was even more troubling for this subscriber, though, was the fact that he had been unsubscribed from the site for several years.
A spokesperson for the site said it had been contacted by at least 27 subscribers who presented evidence that their accounts had been compromised. The spokesperson said only email addresses and user IDs had been exposed directly, but added that this data is enough to let bad actors find users' publicly available online profiles, which could include a photo, relationship preferences and a physical description, the BBC reported.
Guardian News & Media apologized to those impacted and stated it was investigating further.
The Information Commissioner's Office (ICO) – the U.K. regulatory office responsible for the enforcement of the Data Protection Act 1998 – also is investigating.
“Guardian Soulmates hasn't proven to be a good guardian of its customers' data," Sarah Stephens, head of cyber, media and E&O at JLT Specialty, a specialist insurance broker and risk consultant, told SC Media on Tuesday. "As is often the case with data breaches, it is the third-party technology provider that has proven to be the source of the attack and in this case it appears that human error, which remains the top cause of incidents by a significant margin, is also to blame."
Consumer-facing companies that hold large amounts of sensitive personal data are increasingly vulnerable not only to attacks, but to serious reputational damage as a result of a data breach or cyberattack, Stephens explained. "We estimate that less than a quarter of companies around the world have a mature, well-tested cyber incident response plan and capability."
One practical step U.K. businesses can take in the immediate term is to ramp up this capability by refreshing their plans and testing their systems, so that when the inevitable attack occurs, they can respond in an agile manner, Stephens pointed out. "Next year, the EU General Data Protection Regulation will pass into national legislation mandating notification of data breach incidents within 72 hours. This will further raise the need for companies to readdress their response capabilities, particularly in light of the prohibitive fines at the commissioners' disposal (four percent of global turnover or EUR 20 million – whichever is larger)."