I'm not writing much about the Post Office Horizon Scandal these days. The Inquiry is progressing, but if you tired (as I did) of watching the corporate amnesia rife at the top of Post Office Ltd, affecting directors, Chief Counsel, other lawyers, and other senior managers, take a look at the evidence yesterday of Second Sight's Ron Warmington and Ian Henderson.
But today's news, online today and in print tomorrow I should think, is from Sam Greenhill at the Daily Mail.
In the latest example of staggering incompetence when all eyes are on them, Post Office Ltd has published on its website a very private 'Confidential Settlement Deed' - with unredacted details of 592 former sub-postmasters including full names and addresses of people who are shortly (or not so shortly) likely to receive substantial sums of money.
The article in full (my highlighting).
The bungling Post Office has published the names and home addresses of the postmasters it persecuted during the Horizon scandal.
In what appears to be a staggering data breach, 'cavalier' workers
printed their private details on its website for anyone to see, the Mail
can reveal.
Having already ruined many lives by falsely accusing them of stealing,
the Post Office's latest betrayal has been branded an insult to injury –
and furious victims alerted by the Mail are vowing to 'make them pay'.
On the very day its IT specialists are being grilled at the Horizon
inquiry, the alleged data breach marks yet another breathtaking IT
failure for the organisation. It
published on its corporate website a dossier of 592 wronged postmasters
who were involved in suing the Post Office in 2019 - showing their full
names and home addresses including postcode, making it easy for anyone
to find them. Many are poised to receive significant sums of money in
compensation for Britain's biggest ever miscarriage of justice, and told
of their anger at their home addresses being exposed.
Humiliatingly, the document containing the details is entitled 'Confidential Settlement Deed'
and spells out in black and white that its contents are private. It is
even signed by the Post Office's own senior lawyer – and yet it has been
posted onto its website in full.
After the Mail informed the Post Office this afternoon, it changed its
website to remove the offending list. But former postmasters are
'incandescent'. And the embattled Post Office now potentially faces
another investigation, this time by the Information Commissioner who
takes breaches of personal data extremely seriously.
Last year the commissioner levied a £1million fine on the Ministry of Defence for losing the data of 245 people.
The 592 former postmasters whose home addresses have been published were
among the group involved in bringing High Court class litigation
against the Post Office in 2019. Hundreds of innocents were bankrupted,
jailed or driven to suicide after being wrongly accused of plundering
their own tills between 1999 and 2015, when money appearing to be
'missing' from their branch accounts was really the result of glitches
in the company's Horizon computer system.
The list includes those who brought the scandal to life in ITV's
acclaimed four-part drama Mr Bates vs The Post Office which triggered
national outrage at the way the former pillars of their communities were
tormented.
Wendy Buffrey, 64, who ran a branch in Cheltenham, Gloucestershire, with
her husband Doug until their malfunctioning Horizon terminal invented a
£36,000 shortfall and she was prosecuted as a thief, said: 'I'm
incandescent. I'm just so angry. We all thought they couldn't do any
more to us than they've already done.
'They need to pay for this. It's yet another thing they've done that
could potentially destroy one of our lives. They just don't stop, do
they?
'People out there in the outside world know that we're all going to get
compensation payments - and all our home details are out there? It's
absolutely horrendous.'
Nichola Arch, 53, falsely accused of theft at her Chalford Hill post
office in Gloucestershire, said: 'They seem to be completely
incompetent. Our personal information is out there for anybody, and that
is absolutely disgusting. To say it's adding insult to injury is the
understatement of the year.
'People know that, due to the extent of this scandal, people are going
to get compensation. Now if they've got our names and addresses, people
know exactly where that money is, and that can bring out all sorts of
anxiety to victims because they'll be thinking, 'God is somebody going
to break in?' It's horrific.'
Deirdre Connolly, 54, who ran the post office in Killeter, Northern
Ireland, with her husband Darius until they were falsely accused of
stealing – and was even asked if they had 'taken the money for
paramilitaries' - said: 'I can't believe it. My home address is on that
website? My home, my family - what the f***?'
Her husband, 53, claimed: 'It's absolute incompetence. The fact that
they can't keep people's names and addresses private tells you all you
need to know about how they run their computer system.'
Ron Warmington, the forensic investigator whose firm Second Sight was
hired to probe the faulty Horizon system in 2013, said: 'As if we needed
to see another example of Post Office incompetence! This is an
extraordinary breach of the confidentiality undertakings with which Post
Office so heavy handedly insisted that we must all - and for all time -
comply. It seems that Post Office deploys far greater firepower in
protecting its own data than it does in protecting data that names its
victims.'
Lord Arbuthnot, the peer who has championed the postmasters for years,
told the Mail: 'I long ago stopped expecting much, if anything, from the
Post Office, but for them to publicise the personal details of the
group litigation claimants is incompetent.
'Amongst so many other criminal offences committed by the Post Office,
this alleged data breach is yet a further intrusion into the privacy of
sub-postmasters and their ability to put the matter behind them. And it
answers the question as to whether the Post Office has learnt and
improved: it hasn't.'
The names and home addresses are listed in a 47-page legal agreement,
signed on 10 December 2019, which brought the High Court class action to
a settlement mid-way through the trial. The Post Office apparently
intended to publish on its website a 'redacted' version of the legal
agreement, with personal details covered by a censor's black ink. But
instead, the document was posted with everyone's personal details on
full display.
Raoul Lumb, a partner at law firm SMB who specialises in data
protection, said it appeared 'a remarkable breach' of the UK's data
protection laws known as GDPR and showed 'a cavalier disregard for the
rights of sub-postmasters'.
He said: 'The document, which is clearly marked as confidential, exposes
the names and addresses of every sub-postmaster who was a claimant in
the Alan Bates and others v Post Office litigation.
'It is particularly embarrassing for the Post Office because clause 12
of the document is a clause which explicitly obliges all the parties to
'keep [it] confidential'. Given that, it's difficult to see any
justification for the Post Office to have made it public in a completely
unredacted form.'
He said the Post Office has a duty to report the breach to the
Information Commissioner's Office (ICO), and added: 'The leaking of it
will no doubt cause further distress to sub-postmasters who have already
suffered enough. You would expect the ICO to take an extremely dim view
of the breach given the clear expectation of confidentiality and the
vulnerability of the data subjects named in it. It would not surprise me
if the commissioner levied a fine to penalise the Post Office for this
seemingly very basic failure to manage its data securely.'
The Post Office said: 'The document in question has been removed from
our website. We are investigating as an urgent priority how it came to
be published. We are in the process of notifying the Information
Commissioner's Office of the incident, in line with our regulatory
requirements.'
The ICO said: 'We have not received a data breach report on this matter. Organisations must notify the ICO within 72 hours.'
No words from me are necessary.