Digital and CRM agency Jaywing has suffered a security breach after its intranet was exposed following a routine update, leaking private information from client CollectPlus as well as internal documents for Vodafone.
The intranet – usually a depository for internal material like training manuals – for the Jaywing Contact division, which does customer servicing, customer research and telemarketing for clients, underwent an upgrade on 17 September.
However, the leak was only detected last week by Reviews.io, a company which, as part of its services, scans the internet for mentions of brands and their employees.
Its chief executive Callum McKeefery told The Drum that its algorithm found a link to the internal site leading to what he described as a “black hole” of data.
He reported it to Jaywing as well as to the clients he had identified, including CollectPlus and Vodafone.
Jaywing Contact’s managing director Chris Hancock confirmed that four clients in total had been affected but declined to name the other two.
For three clients, no customer data was implicated but for CollectPlus some personal customer data was exposed as well as some employee log-in information, giving access to CollectPlus’ parcel tracking system.
Hancock admitted that while this “shouldn’t have been on [the intranet]”, none of the data was sensitive, such as bank account details.
He added that it currently amounts to 11,200 records of which the majority were contained within a single document looked at by a single IP address, meaning it has not been widely accessed.
A spokesperson for CollectPlus said it was aware that a limited amount of non-sensitive customer contact information was accessible publicly for a short time.
“We believe that the incident impacted a very small proportion of our customers and the technical issue has now been contained,” they said.
“We are working closely with our service provider to ensure this does not happen again. We take the security of our customer data extremely seriously and will continue to work closely with our partners and suppliers to ensure that they adhere to security best practices.”
Meanwhile, a Vodafone spokesperson said it had conducted a “thorough investigation and there has been no breach of customer-related data.”
Though not legally necessary, Jaywing said the Information Commissioner's Office (ICO) had been informed as a matter of good practice.
An ICO spokesperson said: “Businesses and organisations are required under the Data Protection Act to keep people’s personal data safe and secure. If people have concerns about the way an organisation is handling their personal data, they can report them to us.”
It comes ahead of the implementation of the European Union (EU) General Data Protection Regulation (GDPR), a wide-ranging reform which, among other things, will require companies to report any data breaches within 72 hours or risk a fine standing at €20m, or 4% of an organisation’s global revenue.