Massive GDPR breach at work, what should I do?

welcometomynightmare Posts: 2 Newbie
edited 31 October 2024 at 12:33PM in Employment, jobseeking & training
I didn't really know where to put this so if admins want to move it somewhere more appropriate that's fine.

Hello, 
      This month everybody (I think it's about 95 people) who works where I do had their payslips sent in a non-password-protected email to a single employee who was somehow cc'd on the emails. Then a rather pathetic and very self-serving apology was sent, by email, which again contained the payslip in non-password-protected format. Furthermore it said that in future if payslips are sent out in emails they will be done through the Brightpay app: "Your password is your date of birth", so now 95 people can easily find out each other's passwords to the wages app. The last thing it said was that if you want your password changed, email your new password to the accounts guy and he will change it for you.

  It is the most insane example of gross incompetence I think I've ever seen. The ordinary workers in this company do a GDPR training course; I don't think the same can be said for "the accounts team", which is who the apology email said was responsible. All the staff know "the accounts team" is a guy called Simon who, as far as I can tell, is not trained in accounts but is the partner of the "Operations Director". As a snapshot of the competence of "the accounts team", my wages were missing a day this month and someone else among the 10 or so people I work with had 3 days' pay sent to someone else's account because they share the same forename (they're both called Wendy); this type of thing happens regularly.

I can see 4 huge CDPR breaches there.

Any suggestions or advice would be greatly appreciated.

Thank you in advance.

b


Comments

  • I mean GDPR not CDPR
  • On-the-coast Posts: 602 Forumite
    edited 31 October 2024 at 12:19PM
    My commiserations. 
    Looks like there’s a big round of well-informed wage negotiations coming up. Employers as well as employees hate this kind of disclosure.

    What are you looking for? Compensation? And, at the least, correction of the process going forward?

    I’d be surprised if none of the 95 take this to the ICO so your room for individual negotiation may be limited. 
  • The organisation has a duty to report the data breach to the ICO, they have a duty to mitigate the impact of the breach, and HR should have a protocol in place to deal with the employee who breaches the GDPR. I would think disclosure to other employees of payslip information would constitute a serious breach and should not be allowed to be brushed under the carpet. Your employers may need reminding of this!

  • DullGreyGuy Posts: 17,413 Forumite
    So 95 people had their payslip sent to themselves and also to another person... was this the same additional person? Presumably they are an employee too? What role do they have?

    Having a standard initial password isn't uncommon; we had 5 new starters this week and I know what all 5 of their passwords are, because everyone who started this year has the same one, and for everyone who started last year you just had to change the 2024 to 2023. Arguably using DoB is more secure than that.

    Have you actually looked at the BrightPay app and whether you can self-manage the change of password? Looking at their site it seems like you can do it yourself if you are worried about the accounts guy knowing your choice. In almost all, if not all, employers there will be people in certain departments who can bypass whatever security is in place, as it's necessary for them to do their role.

    No requirement for someone in "accounts" to have any particular training. Sounds like more issues are driving this than simply what's just happened, and this is just the straw that's broken the camel's back.
  • Marcon Posts: 13,822 Forumite

    Depends who the single employee was (someone who'd have access to this information anyway, such as finance or HR?) and whether they actually opened all 95 payslips, which seems more than a tad unlikely!

    If wages are being paid inaccurately as you suggest, then maybe the information is of limited value anyway.

    Beware over-reacting to something which might actually have done little, if any, damage to anyone - BUT certainly check what actions the employer has taken, especially in relation to reporting to the ICO.
    Googling on your question might have been both quicker and easier, if you're only after simple facts rather than opinions!  
  • penners324 Posts: 3,467 Forumite
    Sounds like utter incompetence from the accounts person 
  • MattMattMattUK Posts: 10,747 Forumite
          This month everybody (I think it's about 95 people) who works where I do had their payslips sent in a non-password-protected email to a single employee who was somehow cc'd on the emails.
    Mistakes happen; yes, they should not, but they do. How much this matters depends on who the employee is, whether they read the payslips, etc., but it is far from the end of the world.
    Then a rather pathetic and very self-serving apology was sent, by email, which again contained the payslip in non-password-protected format.
    There is no legal or GDPR requirement to send payslips with a password. 
    Furthermore it said that in future if payslips are sent out in emails they will be done through the Brightpay app: "Your password is your date of birth", so now 95 people can easily find out each other's passwords to the wages app. The last thing it said was that if you want your password changed, email your new password to the accounts guy and he will change it for you.
    As others have said, initial password, create a new one. 
    It is the most insane example of gross incompetence I think I've ever seen. 
    Then you must have very limited exposure to the real world; this is nowhere near gross incompetence, at best it would be mild, low-tier. I also cannot see any insanity, just a mistake.
    The ordinary workers in this company do a GDPR training course; I don't think the same can be said for "the accounts team", which is who the apology email said was responsible. All the staff know "the accounts team" is a guy called Simon who, as far as I can tell, is not trained in accounts but is the partner of the "Operations Director".
    There is no required training for most accounts work; most of it would be regarded as mundane bookkeeping. There is not even a requirement to be a trained or accredited accountant to complete company accounts or tax returns, and there is certainly no required training to process payroll.
    As a snapshot of the competence of "the accounts team", my wages were missing a day this month and someone else among the 10 or so people I work with had 3 days' pay sent to someone else's account because they share the same forename (they're both called Wendy); this type of thing happens regularly.
    Attention to detail; again, it should not happen, but it does. The company should of course be looking to improve the situation, and any pay issues should be resolved in a reasonable timescale.
    I can see 4 huge CDPR breaches there.
    I mean GDPR not CDPR
    On the theme of attention to detail... :)

    I can only see one, the initial emails.
    Any suggestions or advice would be greatly appreciated.

    Chalk it up to having someone in payroll with poor attention to detail and move on, or leave. 

    If you are feeling vindictive you could report it to the ICO; as a small business, and the breach being minor, they would likely get a letter through the post and be required to fill in an online form.
  • What Matt(x3) has said above.

    You could report it to the ICO if you really wanted; all that will happen (if the ICO choose to investigate at all) is they will email the company in about 3+ months' time to ask what happened. The company will probably reply to say it was an administrative mistake and payslips will be sent out in future via a dedicated app. The ICO will probably then close the case.

    Worth remembering that even when the ICO determines a serious breach has taken place, they have the power to fine a company or reprimand them, but they do not (and do not have the power to) award compensation.

    I would just move on.