The Post Office has offered compensation to hundreds of former sub-postmasters following an inadvertent leak of their personal information, including names and addresses, on its corporate website. This data breach, uncovered in June of last year, exposed the private details of 555 individuals associated with the Horizon IT scandal.
Victims will receive individual payouts of up to £5,000, with the possibility of greater compensation for those wishing to pursue additional claims. The Post Office has expressed regret over the incident and is actively collaborating with the Information Commissioner’s Office to address the situation.
The compromised information was included in a document accessible on the Post Office’s website. At the time of the breach, Nick Read, the then chief executive of the Post Office, described the failure as a “truly terrible error,” highlighting the serious implications of mishandling personal data.
Representing the affected sub-postmasters, the law firm Freeths, which successfully litigated on their behalf in a landmark High Court case in 2017, facilitated the compensation process. Of the 420 individuals still in pursuit of reparations for the Horizon scandal, Freeths noted that 348 had already received payouts related to the recent data breach.
Chris Head, a former sub-postmaster, expressed relief at the Post Office’s acknowledgment of the data breach but criticized the organization’s prolonged response time. He emphasized the extensive emotional toll the incident has taken on those affected, remarking: “Post Office did not seem to understand how much this impacted those people.” The ramifications of the breach amplify existing traumas experienced by the victims due to the Horizon scandal over the past decade.
Compensation is set at either £5,000 or £3,500, depending on whether the individual was living at the disclosed address at the time of the breach. Additionally, the Post Office stated it would review special cases for anyone who believes they are entitled to further compensation.
In a recent statement, the Post Office said that it has contacted all affected individuals directly or through their legal representatives. It encouraged any impacted parties who have not yet been contacted to reach out for clarification.
Will Richmond-Coggan, a partner at Freeths specializing in data breach litigation, noted that the settlement was achieved without submitting formal claims, while still presenting victims with the opportunity to seek additional reparations. He acknowledged the progress made but also emphasized the ongoing need to address the severe impacts of the data breach on the affected individuals.
This incident underscores the critical importance of robust cybersecurity measures and the need for organizations to adhere strictly to data protection protocols to prevent the unauthorized disclosure of sensitive information. In terms of potential tactics that could have been leveraged during this breach, adversary techniques from the MITRE ATT&CK framework could include initial access through web application vulnerabilities and persistence tactics aimed at maintaining access to exposed systems.