Investigation at Oasis Sports Centre over bank details data loss
Employee's email said: '[We] have been searching for these high and low and can’t find any mandates'
30 March, 2017 — By William McLennan
The lido at the Oasis Leisure Centre in Holborn
BANK account details of an unknown number of customers at a council-owned sports centre have been lost, leading to allegations of a major breach of data security, it can be revealed today (Thursday).
The sensitive financial information of some visitors to Oasis Sports Centre, which in the wrong hands could be used to facilitate fraud, has gone missing, according to internal emails seen by the New Journal.
It is not clear exactly how many people are affected – the Holborn pool’s operator said it could not release that information – but potentially records for all those customers who signed up during 10 months of 2013 cannot be found.
The popular gym and rooftop lido, in Endell Street, is run by private firm Greenwich Leisure Limited (GLL), under the name “Better”, on behalf of Camden Council.
The loss came to light when a customer, who was in dispute with GLL, asked for a copy of his direct debit mandate form – needed to set up monthly membership payments.
He made a “subject access request” under the Data Protection Act – which allows people to ask for copies of any personal data a company holds.
Instead of receiving his mandate form, he was sent an email thread that showed managers and lawyers realised the information had been lost.
In one message, sent in July last year, a GLL staff member told a manager: “[We] have been searching for these high and low and can’t find any mandates from March. In fact, the only ones there are for 2013 is April and May.”
This email was then sent to the head of GLL’s legal team, along with the message: “I will also have a look when I’m at Oasis tomorrow to make doubly sure if it’s there or not but wanted to give the current position which you won’t like.”
Iain McHenry, who discovered the breach, told the New Journal: “They have lost an unknown number of mandates, one of which is mine. It looks like they’ve sat on it, they’ve not actually declared that they’ve lost it.
“I’ve since raised it with them and they said they’d get back to me in 28 days. I don’t think that’s appropriate, given that if mine is lost, potentially other people’s are, with all bank details ready for a direct debit to be set up. They should be moving slightly quicker and being a bit more honest about it.”
The 30-year-old undergraduate student said: “I take the worst case view that that document in the wrong hands could be used for the wrong purposes. It could be in a drawer, but if they don’t know where it is, it could equally be in a briefcase somewhere outside the centre.”
He called on GLL to tighten up its security. “We place a lot of trust in these organisations to do things for the benefit of the people,” he said.
“They are running public services. Just as much as we scrutinise local government for their behaviour, we should also scrutinise these companies.”
A spokesman for GLL said it was carrying out an internal investigation.
“GLL takes the handling of its customers’ data very seriously and, following the outcome of the investigation, will take action where required to ensure its data-handling processes are as robust as possible,” he added.
Councillor Abdul Hai, cabinet member for customers, communities and culture at Camden Council, said: “This is a very serious issue. It is vital that leisure centre users’ data is handled correctly and securely. GLL are investigating this and we will maintain a close eye on the findings and seek regular updates from them, as the security of customers’ data is of paramount importance to us.”