Regus, an office-space provider, has seen the data of 900 employees exposed by accident. This Regus data breach took place following a staff review, and involved staff details being posted publicly online.
According to BBC News, the review involved sales staff showing researchers around an office space, while the researchers pretended to be clients interested in renting the space.
However, subsequent to the review, a spreadsheet of staff data was published on the task-management website Trello. The details published included names, addresses, and job performance data.
Furthermore, the names and addresses of researchers from Applause, a company contracted by Regus parent company IWG, were also published.
According to the report from the BBC:
“Team members are aware they are recorded for training purposes and each recording is shared with the individual team member and their coach to help them become even more successful in their roles,” IWG said.
“We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise.
“As our primary concern we took immediate action and the external provider has now removed the content.”
How this Regus data breach happened is unclear. According to the co-founder of Trello, Michael Pryor:
“Trello boards are set to private by default and must be manually changed to public by the user.
“We strive to make sure public boards are being created intentionally and have built in safeguards to confirm the intention of a user before they make a board publicly visible.”
Given these safeguards on Trello, it appears that the breach occurred through human error. This demonstrates why staff training in data protection is so important: any employee can be responsible for a data breach that results in significant fines.
Worryingly, it appears that this data breach has not been reported to the Information Commissioner’s Office (ICO). This is despite it being a requirement under GDPR that data breaches are reported within 72 hours if they pose a risk to individuals.
However, it remains to be seen whether it has been reported to a data commissioner in another country; the BBC has made enquiries to Luxembourg’s official body to see if the breach has been reported there instead.