Branch Secretary News – February 2024 GDPR & Data Protection

WARMS

As you may have heard, there has recently been a serious data breach caused by a UNISON branch using its employer’s email system to send mass emails rather than using WARMS. The personal data of over 900 members was disclosed in this breach.

To minimise these risks, it is advised that all branches use WARMS for all mass-mailings. A mass-mailing is an email containing the same message to multiple people in a pre-defined group, such as retired members or members of a specific committee.

Why WARMS and not just regular email lists?

WARMS will always send emails as BCC by default, ensuring that no members’ data is exposed in the process. It is not possible to accidentally copy all recipients and expose their email addresses using WARMS, making it far more secure than standard email.

In addition, if you use an employer-provided email system, creating lists of members may leave them visible to other, non-UNISON individuals via the global address book that many employer email systems share between all staff. This poses a risk by exposing individual members’ trade union membership status.

WARMS also automatically respects members’ contact choices, and remains up to date unlike extracts or lists which can rapidly become out of date and risk contacting lapsed members who have withdrawn their consent to be contacted. It will always automatically include unsubscribe links and a link to the privacy policy as well, to help UNISON meet our obligations under UK communications and privacy law.

Furthermore, the function to send the email to all intended recipients will not become active until a trial email has been sent to you. This gives you the opportunity to double-check the contents of the communication and the documents that have been attached. You are still able to cancel the mailing and prevent a data breach if it is found to have an incorrect attachment. It sends any attachment as a link, rather than a document, making any mistakes that have slipped past review easier to catch and mitigate.

If you have any questions about using WARMS, please contact the support team on w.support2@unison.co.uk.

Phishing

UNISON has recently seen an uptick in the number of phishing attacks, with some requiring further investigation and IT support. Thankfully, so far no member data has been affected. However, going forward we must exercise a great deal of caution.

Phishing is an attempt to gain access to information, often through emails by posing as a legitimate source. These emails will often contain links disguised as documents which then ask for your credentials. Once entered, access to your inbox and other accounts may be in the hands of bad actors.

There are a number of things you can do to prevent yourself from becoming a victim of a phishing attack.

  • Hover

If you hover over the link, you can often see that the URL is different or suspicious. URLs can often be subtly different (for example mircosoft.com) in an attempt to fool you. Always check where a link is taking you.

  • Get on the phone

If you have received an email from someone and you are suspicious, the best thing to do is to phone them and ask if it is something they have sent. Not only will this allow you to see if the email is legitimate, but if it is not, you will have alerted the person that their email address has been compromised.

  • Report and delete

Always report the email to your IT provider or your employer's IT team before deleting it. IT services will be able to isolate it within the system and even delete it across the organisation, arresting the spread of the email before it can affect others.

If you have any concerns regarding either bulk emails or phishing, you can contact the data protection team at dataprotection@unison.co.uk.

2023 Data Protection Statistics

The Data Protection Team has been hard at work over the past year, and we have the statistics to show it:

As usual, email breaches lead the pack – sending things to the wrong recipient is the biggest breach type by a massive degree, with lack of WARMS/BCC in the top three. While there are fewer lack-of-WARMS breaches than wrong-recipient breaches, it’s important to note that these breaches can be much more serious – lower numbers don’t mean less dangerous.

We want to emphasise again how important it is to ensure that email is always double-checked and sent via the most secure method, because email errors are the most common type of risk to our members. The WARMS trial email function can seriously reduce the risk of incorrect attachments and wrong recipients for any bulk mailing.

Despite the major increases in Subject Access Requests, data suppression and reported breaches, our team has had a fall in complaints, and even reduced the number of SARs that have overrun their legal deadline for response. The data protection team has been working harder than ever.

A key part of this is, of course, the branches and regions responding to us in a timely manner so that we can assemble SARs and address breach risks as quickly as possible. We work hard, but we could not do this without you!

If you have any concerns about safe emailing, have received a request for someone’s personal data, have spotted a breach, or have any other questions at all about safe personal data handling, please get in touch with us on dataprotection@unison.co.uk – our team can provide advice on mitigating breaches if they’ve happened, and help you find ways to avoid them in future.