Leeds based charity supporting transgender children apologises after data breach

A charity based in Leeds which supports transgender children and young people has issued an apology after thousands of internal emails were made public online.

By Daniel Sheridan
Monday, 17th June 2019, 7:17 am
The charity apologised for the data breach.
The charity apologised for the data breach.

Leeds-based Mermaids UK said it was "deeply sorry" for what it called a "historical data breach".

The charity were made aware of a breach on Saturday which meant internal emails from 2016 and 2017 in a private user group were available on the internet, if certain precise search-terms were used.

The Sunday Times uncovered the breach and ran the story yesterday.

The charity said they were "grateful to the Sunday Times for bringing it to our attention".

A statement released on their website said: "The material mainly consisted of internal information involving full and frank discussion of matters relevant to Mermaids, but unfortunately included some information identifying a small number of service users. Mermaids has contacted these people.

"The information, seen in its actual and proper context, is normal internal information for a group such as Mermaids. The information shows Mermaids takes its responsibilities seriously and that there is candid internal consideration of all issues.

"So the overall position is that there was an inadvertent breach, which has been rapidly remedied and promptly reported to the ICO, and there is no evidence that any of this information was retrieved by anybody other than the Sunday Times and those service users contacted by the journalist in pursuit of their story.

"Finally, Mermaids apologises for the breach. Even though we have acted promptly and thoroughly, we are sorry. At the time of 2016-2017, Mermaids was a smaller but growing organisation. Mermaids now has the internal processes and access to technical support which should mean such breaches cannot now occur."

The paper claims the correspondence included "intimate details," names and addresses, but the charity denies this.

The charity said it had taken immediate action and reported the breach.