Mermaids transgender charity data breach exposed confidential emails

Private emails between the charity and parents were reportedly available for public viewing.
Written by Charlie Osborne, Contributing Writer

Mermaids UK has apologized for an "inadvertent" data breach which exposed private messages between the charity and the parents of gender variant and transgender children.

As first reported by the Sunday Times last week, over 1,000 pages of confidential emails were leaked online, including "intimate details of the vulnerable youngsters it [the charity] seeks to help."

The correspondence, sent between 2016 and 2017, also contained the names, addresses, and telephone numbers of those reaching out to the charity.

When data breaches occur, it is often the case that cyberattackers infiltrate internal networks and steal information, which may then be published online or sold in underground forums.

In Mermaids UK's case, however, no intrusion was required: the material had been uploaded to a publicly reachable web page, and a search engine had indexed it. Anyone searching for "Mermaids" together with the UK charity number assigned to the group could surface the correspondence.

After being warned of the leak on Friday, the charity removed the content from public view.


In a statement, Mermaids UK called the data breach "inadvertent" and insists there is no evidence of the sensitive material being abused.

Mermaids said the leak involved roughly 1,100 emails between executives and trustees, rather than the correspondence of private users, according to the BBC. A spokesperson said the records were not related to "Mermaids service users emailing each other, and their emails and private correspondence being available to an outside audience."

The charity added that the emails stemmed from a "private user group" and "the information could not be found unless the person searching for the information was already aware that the information could be found." (Given that the newspaper was able to find the material through a simple online search, this position is hard to sustain: once a search engine has indexed a page, it is public regardless of whether anyone links to it or knows it exists.)

The UK's Information Commissioner's Office (ICO) has been informed, a notification required under the General Data Protection Regulation (GDPR), which has applied since May 2018, whenever a breach is likely to pose a risk to the individuals affected.


Under the terms of GDPR, organizations must report a notifiable data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Should they be found wanting in terms of data protection and security, fines of up to 20 million euros or 4 percent of global annual turnover, whichever is higher, can be issued. Each security incident is considered on a case-by-case basis.

Mermaids has also contacted the families affected, alongside stakeholders and the Charity Commission.


"Mermaids apologizes for the breach," the charity added. "Even though we have acted promptly and thoroughly, we are sorry. At the time of 2016 -- 2017, Mermaids was a smaller but growing organization. Mermaids now has the internal processes and access to technical support which should mean such breaches cannot now occur."
