Roche customers who had registered their details with the firm
received the first edition of an email newsletter on Wednesday.
It included a link they could use to update their personal
details.
Users who clicked on that link were directed to a Roche website
which displayed the details of someone else.
"I saw the details of the same person several times, then it
changed and I saw another person's details several times," said Tim
Trent, a newsletter recipient who is also a marketing and privacy
specialist. "In all I saw six other people's details."
Trent, who received the email on Wednesday morning, informed the
firm and the people whose details he saw. Roche spokeswoman
Hazel Clarke said that the link was deactivated later that
morning.
"We did have that issue this week, on Wednesday," said Clarke.
"When we became aware of it we immediately acted to rectify the
problem. It lasted for a number of minutes, maybe 90 minutes at
most."
Clarke was unable to say how many people had had their details
exposed or had seen the personal details of others. She did not say
how the breach had happened or how many people the email was sent
to.
"The main issue to do with details was stopped immediately and
beyond that we need to ensure it doesn't happen again, and that is
what we are working on now," she said.
The email was in relation to the Accu-Chek range of diabetes
testing products.
Trent said he had made a formal complaint to the Information
Commissioner's Office. "Some of the details I could access showed
that a person was on a particular kind of drug treatment, which
isn't good news," said Trent. "Loads of people follow the
exhortation to register with Roche Diagnostics, and probably even
gave consent to email marketing. But we didn't give them consent to
have their data records on public display."