[ad_1]
This Friday, Altice, which is the operator responsible for operating the SN24 Line, mistakenly sent an email with the personal details of hundreds of health professionals on the line, including doctors, dentists, psychologists and nurses.
Information – which included the tax identification number, citizen card details, profession, nationality and place of birth of the professionals from 1906 SNS24 – it was not encrypted and was easily visible to recipients. The PUBLIC learned of the case due to a complaint from one of the psychologists who received the message.
Contacted by the PUBLIC, Altice confirms the error. “Altice Portugal confirms that a collaborator, when sending a routine email to health professionals, mistakenly attached a file that contained personal data of those same professionals,” the company acknowledged.
Altice declined to provide information on how many people received the email or why the data was not encrypted. However, the company indicates that it immediately opened an internal process with a view to protecting personal data and determining responsibilities and that it has already contacted the National Commission for Data Protection about the case.
The PUBLIC contacted the CNPD at the end of this Friday, but did not receive a response until the moment the article was published.
“What worries me most about this situation is that the data was easily visible,” the SNS24 psychologist shares with the PUBLIC who alerted the newspaper about the situation and asked that his name not be disclosed for fear of reprisals.
Although it is not possible to know how many people received the file because the senders were added through BCC Hidden copy, making recipients’ email addresses “invisible”), various health professionals created groups on WhatsApp and Facebook to alert them to the problem. Some claimed to have deleted the file; others said they had received nothing but had their details on file.
“I know that several people are already contacting the National Data Protection Commission to report the problem. And some contact the banks to cancel their accounts, “added the health professional with whom PUBLIC spoke.
Altice tried to mitigate the problem with two emails that PUBLIC had access to. The first one was sent at 6:59 pm (almost an hour after the first email), by the employee who made the mistake, apologizing for the mistake and asking for the file sent in error to be deleted. Around 8pm, another email was sent from the SNS24 Service Manager requesting that the email be removed “in accordance with current confidentiality agreement.”
With the Data Protection Regulation, which came into force in 2018, entities have up to 72 hours to report any violation of personal data to the National Data Protection Commission. If this violation is considered to represent a high risk to the rights and freedoms of citizens and if that risk has not been mitigated, the person also has the right to be informed of this leak.
Human error remains one of the biggest problems in cybersecurity. The problem is often compounded by companies’ reluctance to admit problems. A 2018 study conducted by IEEE, the Institute of Electrotechnical and Electronic Engineers, noted that 70% of attacks on companies were not externally reported.
