Parcelforce Worldwide, which advertises itself as the UK's most trusted worldwide express carrier, inadvertently exposed customers' personal data on its web site after work was carried out to its computer system. The error allowed users to access names, postcodes and signatures of recipients through its mail tracing service. Parcelforce Worldwide, which is part of the Royal Mail Group, provides customers with a reference number to allow them to track the progress of the delivery or their parcel. BBC News found that when it entered reference numbers into the 'track and trace' online facility it was shown a series of unconnected deliveries. Easy access to that sort of data, which included people's names, addresses and signatures, would be valuable information to identity fraudsters.
Under the Data Protection Act, businesses which process personal information are under an obligation to make sure they have adequate safeguards in place to keep that information secure. The Information Commissioner's Office - the regulator in charge of enforcing UK data protection law - has confirmed that it will be conducting an investigation to establish how the security breach occurred and what steps Parcelforce will be taking to ensure it cannot happen again. The ICO has the power to serve an enforcement notice on a business that fails to safeguard personal information. Failure to comply with an enforcement notice could result in a prosecution and then possibly fines. However, even if fines are avoided, businesses often find that they have already suffered bad PR as a result of their careless data protection practices.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
