The visa service run by the UK’s Home Office has made an official apology for a recent data breach. The leak resulted in the email addresses of private individuals and legal professionals being erroneously copied into a circular email, exposing the personally identifiable information (PII).

Data breach error reported

Email addresses of over 170 people were copied into an email message on April 7. The circular-style missive pertained to a location change for visa appointments held by the UK Government’s Visa and Citizenship Application Service, or UKVCAS for short. The service is operated on behalf of the UK Home Office by a private contractor known as Sopra Steria. While a selection of the email addresses included in the message seemed to be privately owned Gmail accounts, with others belonging to a selection of lawyers based at a number of different firms.

A day later, on April 8, an email was sent out that referred to the incident as a “data breach error”. The message also apologised in the event that the breach had caused any inconvenience. The apology email read:

“This email included the email addresses of other customers, which is not our usual practice. It did not include any other personal information. At UKVCAS we take data protection very seriously. We are reviewing our internal processes to prevent this error from occurring in the future.”

The email that was originally transmitted was recalled when the mistake was detected, and a corrected version issued.

One of the solicitors whose address was included in the email, MTC Solicitors’ Naga Kandiah, condemned the mistake in a statement:

“If the Home Office wishes to outsource biometric appointments to a third-party company they have to ensure that their partner is providing a service which is both legally compliant and good value for money.”

The solicitor argued that UKVCAS was charging an excess on what was formerly required to be paid for appointments held at the Post Office, but the product is now inferior. Kandiah added that for this high price, those using the service should not expect loss of data or GDPR breaches.

Past email data breaches at the Home Office

The recent data breach is not the first of its kind. Back in April 2019, the Home Office was required apologise to hundreds of citizens of the EU for mistakenly sharing email addresses. That same month, Caroline Nokes, an ex-immigration minister for the UK, apologised when approximately 500 email addresses were shared by mistake with recipients of a dedicated mailing list set up for the scheme for compensation.

Commenting on the incident, the Information Commissioner’s Office (ICO) said that it had no record of a report of a data breach for the recent leak. However, it pointed out that not every breach required reporting to the ICO – for example, if an event poses no risk to the freedom or rights of data subjects. It added that if an organisation believes a breach does not require reporting, it should always keep a record and have the ability to state why it felt it was unnecessary.