Ministry exposes names of 1000s of stipend recipients
(CNS): In what appears to be an administrative error by a member of the labour ministry’s ‘stipend team’, the email addresses of at least 3,000 people receiving the government’s tourism grant for displaced workers have been exposed. In many cases, this includes the full names of those receiving the public cash.
Although this is an easy mistake by the email sender, the consequences are likely to be very significant, given the controversy surrounding who is receiving the money. A reader contacted CNS earlier today to explain that they had been sent a notification from the government about the details of this month’s payments for those receiving the stipend and noticed right away the serious error made by the sender.
Rather than using the blind copy function to send out the information to all the recipients in a block-mail message, the civil servant posted all of the email addresses in the ‘send to’ area, allowing what that email indicated was 1,176 people to see each other’s details.
However, the government has since confirmed that over 3,000 names were exposed.
“The Ministry of Border Control and Labour acknowledges that a data breach occurred today between approximately 9:32am and 9:44am,” officials said in response to CNS inquiries. “A mass email sent to 3,329 individuals receiving the displaced tourism workers stipend to notify them of this month’s payment date inadvertently displayed the email addresses of all recipients.”
The breach was due to human error and the ministry has reported the matter to the Office of the Ombudsman, officials added. “An apology was sent to all email recipients advising them of the breach and notifying them that the ministry is making procedural changes to avoid such situations in the future,” the statement said.
While this type of data breach is not uncommon in government, under most circumstances the damage is limited. But in this case, the exposure of the email is only part of the problem for government.
The payments have been dogged with controversy, with allegations from the start that many of those receiving the money were not genuine displaced workers but people taking advantage of the circumstances, and this exposure will likely add fuel to that fire.
Given that all of the recipients had an expectation of privacy, the consequences for those on the list could be significant.
The message was sent to all the recipients around 9:30 Tuesday morning. According to the reader who received it and spoke with CNS, the sender had attempted to recall the message only to repeat the same mistake again. The message itself, which was sent from stipend@gov.ky, is just a regular notice explaining to the recipients that they will receive their payments on Friday 22 April.
While CNS is not publishing the list of names to avoid falling foul of the Data Protection Law, we are in possession of the full list. It is likely that the list has also been forwarded to others this morning, so the details of many of those receiving the government tourism stipend payment may be widely known across the country within the next few hours.
This is not the first data breach this month for government. The Department of Commerce and Investment (DCI) is investigating an incident that occurred on 5 April involving the personal data of some business licensees in the designated non-financial businesses and professions (DNFBPs) arena.
Those who were impacted were notified and the ombudsman has also been alerted. Officials said that the online registration portal contained some personal information that may have been visible to other individuals logging onto the site to register.
“The information gleaned to date indicates that one registrant may have had sight of your information which was stored on an electronic file,” officials said in a notification to those impacted, as it offered advice on what to do after admitting that the information exposed names, addresses, dates of birth, countries of origin, and the national ID number supplied to the department during their application process.
For more information on that breach contact the DCI compliance team by emailing compliance@dci.gov.ky or call 945-0943 or by mail:
Department of Commerce and Investment
PO Box 126
Grand Cayman KY1-9000
Cayman Islandsor in person at the Government Administration Building, 133 Elgin Avenue.
- Fascinated
- Happy
- Sad
- Angry
- Bored
- Afraid
Category: Government oversight, Politics
I am totally against the carelessness in government, however, the list of names should have been public from the get go, i.e names but no other personal information. These people are collecting public funds and we should know who they are. Tell us now who has been revoked please, but to the legitimate ones should not feel embarrassed or ashamed.
The NAU list? Yes, that’s the one that REALLY needs to go public.
That is “personal data” and is protected as a constitutional privacy right.
Clearly a mistake. For all of you people who think they can do better, sign up so you can also be torn down.
Admin error my rump-hXXX!! I am sure Saunders and all those connected to the scandal bag outlets are smiling. What a sad, evil, let’s destroy you environment we currently live in. Things like this is what makes me sometimes despise my home and want to get far far away. I hold every leader in our civil service, that continue to allow this wanton abuse of power to continue, accountable. Talk about another slap in the Caymanian people faces. The Caymanian people, especially those in need, deserves so much more respect and privacy. What a breed of people that seeks to purposefully and strategically hurt others. Another sad day in Cayman.
Clapclapclap. I was thinking the same thing. This is so low and calculating.
I was thinking of the unnecessary distributions …. and illegal payouts to friends and kin…….. and to themselves! It makes me sick!
It was genuinely human error. Unfortunately, there are some very careless and stupid people working in that ministry. With zero care and sensitivity. Several want the stipend payments to end merely to lighten their own workloads. So very world-class.
Are you saying that this was done intentionally?
Honestly, I feel bad for this person because basically, they put the e-mail addresses in the wrong e-mail section. They should have put it in BCC but accidently put it in the To section. It wasn’t me but I can see how it could have happened.
Maybe back in 1996 when modems were still dailing-in, but sorry, but it’s not an understandable error in 2022. We are a full generation into email functions now, and the rules of the road are well-understood. OfReg can assess a fine of KYD$10,000 per instance, x 3,000 this is a KYD$30mln error…in theory.
I bet a lot of aspiring politicians would love to get their hands on this ‘voters’ list.
So easy to avoid this by simply using Mail Chimp or Constant Contact.
On the 8th February, myself and 999 other people received an email from WORC regarding their Jobs Cayman portal. Also followed up with an apology(also to myself and 999 others-still not BCC’d), and they also reported themselves to the Ombudsman.
This seems to be a trend…
Maybe it might be better if they communicated with people via TikTok
At KYD$10,000 per instance, that’s only a KYD$9,999,000 error…chump change for this gov’t!
Now the hotels can write to them all offering jobs, bypassing the impossibly complicated and dysfunctional jobs.ky system, and in 6 weeks we can end the program. Done.
Government. STOP THROWING AWAY OUR MONEY!
Solving two problems with one solution! You should get into politics – I’ll vote for you
Everyone has known for a long time that the government is not capable of correctly securing and handling sensitive and private information. The incompetence of this world class civil service is the result of failed leadership and a lack of accountability at the top.
HM Customs requires package recipients to submit two pieces of gov’t ID, plus a copy of their paper birth certificate….why?!?! What do they do with that?
Well put 3:09 am
Stipend should be paid to people who are not working,also elderly people who can’t work.
Totally agreed with!
Not given to anyone especially those who has a full time Gov or HSA job!!
This would NOT have happened if the government was using proper software to manage its external communications. Let that sink in.
World class Jerry! World class!
Oh,Oh what a so called wanna be world class civil service we have in Cayman. Can the DG please inform us all who made this royal mess up. Everyone was told their personal information was safe. I hear a big lawsuit is coming to the so world class civil service. Everyone on the list should go down tomorrow morning to that waste of a government building and protest till someone higher up in WORC is fired. And why is it when the stipend money was approved in late March. Can the head of WORC, please advise why since they have taken over the stipend responsibility it is being paid later not sooner. My unemployed Caymanians need an urgent answer. I for one have had enough of this so called PACT Government. If you say you are for your people, them start by a apoligizing to all whose personal information is now widely available. Shame, shame on you WORC and PACT Government. Time for someone in the so called world class civil service is fired. Now get on with paying your Caymanians. They have bills to pay too. You can keep Cayman on lockdown forever. You are doing more harm than help to your own people and the tourism industry. And while your at it Mr. Premier can you please drop this stupid pre arrival testing. The rest of the Caribbean islands have long moved on and so should Cayman. Thank you.
Great. It should have been public in the first place. This is OUR money being spent. We have a right to know. This list should be Public in the media!
What a nosey foolish piece of nasty this mind is….smh. So busy trying to be up in people busy. I wish I could really describe just what I think of minds like this..
To Anonymous, 9:10am: What is your problem?! These are public funds. I agree with Anonymous 9:32pm – Yes, the list should be PUBLIC and published monthly! We need to be having job fairs monthly to get everyone back to work – in all fields, not just tourism, and the we can see the list getting shorter and shorter. If I worked in tourism all my life and now there is minimal tourism, does CUC care?! I take my skills and go work somewhere else. It stops being “people business” when it is paid with “public money”.
Get a clue!
@9:43am….so you want a list of names for NAU as well then? I didn’t think so…
In regards to “public funds” you do realize that the Government is funded by revenue from fees relating to Tourism, Work permits, finance transactions and import duties? Did you miss the part where I said “revenue from fees relating to Tourism? For donkey years Government has profited from Tourism so don’t come with none of that public money bullshit. ALL PERSONS that work in Tourism and have stuck it out (caymanian or expat) deserve the help that they are getting.
12.01 It is still public money but I guess you think its yours.
It was so embarrassing to see my name on that list so many times.
9.24 But at least you got away with all your aliases!.
Yeah – I was smart. I registered in both my maiden name and my married name, and separately used my middle name as my first name (everyone knows me by that anyway). This way I get paid 3 times to my three different accounts and no name is on there more than once.
Couple of years ago you could buy a vote with a fridge now it’s $1500 a month! Now that’s inflation for ya.
Idiot@cig.gov
Thanks, now I know who to send my anonymous FOIs to.
🤣
7.19pm Do you realise that goes to every single civil servant?.
I have a theory about this.
Share please!
Well, this is Cayman. Stuff happens.
This was whistleblowing.
Makes no difference. Our law enforcers are deaf. They hear no whistles, no matter how loud or frequently they are blown.
This is a big deal because Cayman has a Data Protection Act. And this is a clear breach of that law. DCI did the same thing in December….exposed email addresses of all in their database. And email addresses are considered private information which must be protected.
Its no big deal im sure everyone on the list is entitled lol.
This isnt the first time they have done this and wont be the last.
Didn’t the Chief Officer also preside over that huge loss of data at the RCIPS years ago when he was in Computer Services?
Don’t be naive folks – this has all the appearance of a deliberate leak – perhaps someone with an axe to grind because they didn’t get a freebie hand out.
Deliberate leak – you send the list to Sandra, or CNS, or an opposition MP with a one off e mail address or leave it under their wiper. You press the button on that e-mail, you are on record as the person who leaked, inadvertently or otherwise. Nah – just good old human error.
Hanlon’s razor.
Why hide the names? Tourism workers are already identifiable for the most part. There is no shame in needing help. I wish I was in tourism to get help. I would have no problem with people knowing unless I had something to hide like not genuinely needing the stipend. I deserve to know who is getting my taxes.
Precisely. There should be CIG + private sector-sponsored employment fairs monthly, with the list published two weeks after, so we can see it getting smaller and smaller… If it is not decreasing, then we know that people are simply not making an effort to find gainful employment, even if it is outside the tourism industry.
Please bear in mind that in some cases emails do not necessarily mean that those persons are the recipients of the stipend. Many people do not have their own email address and so family members, friends, coworkers, and businesses have been receiving and remitting information on their behalf.
Lol. Have you been in a coma since 1999? Many people don’t have email huh?
More incompetence at the CIG. Trim the fat!!!
Are all these 3000 genuinely in need? I thought the numbers had reduced. If this serves to identify the fleecers, so be it. I am sure there are some who have gotten jobs and still are collecting the full amount even though they don’t need it.
No
People are too careless. I work in a government agency and just recently someone sent around an email with listed persons’ dates of birth.
The dates of birth were for a specific purpose unconnected with the reason to send out the list.
My date of birth was among them, and I was annoyed but said nothing as I didn’t want to rock the boat. These thoughtfulness, careless actions happen all the time.
If I remember correctly, a missent email was what triggered the Tempura debacle. I understood that the minutes of the RCIPS Gold Command were inadvertently sent to the media. When contacted, all media recipients (except one–guess who) agreed to delete.
That one media house naturally began to have news scoops and the rest is history.
It was at the cost of lives being derailed and damaged, and millions that had to be paid out in damages.
People, focus on your work and check it over several times before hitting that send button.
Seems that CIG is habitually, whether intended or not, acting unlawfully and compensatory damages are having to be paid for public officials mistakes.
It is the taxpayers money and we should be able o see who gets it. Why all the secrecy. Oh I guess I know
It’s happened before.
Anyone remember Mac’s right hand man being a little careless with a Fax machine..?
Yes a human error, but rule 1 with email is check everything carefully before hitting send. Even with internal messages.
I guess now that those who should not be on the list to will be exiting quickly.
And before you start with “we should see who is getting it since we pay for it” Data Protection is a real thing. You wouldnt want your personal data in the public realm. Its the Government’s job to keep data protected AND to ensure by their own due diligence that the recipients are genuinely in need.
I doubt this was leaked. More to come.
There’s quite clearly a difference between someone’s Healthcare records and records of assistant grants.
We need more whistle-blowers!
This was whistleblowing.
Kind of like Bernie Bush.
1) Love the cartoon!
2) If the disclosure of the names of stipend recipients produces evidence of fraud or corruption I hope that the Auditor General and/or law enforcement will take appropriate steps to claw back the unlawful payments.
What’s next? Everyone’s private medical files? It’s no wonder people will not test for Covid as it means the government can get their hands on the info.
I would guess that anyone who belongs on that list has nothing to hide; they are the people for whom we want to be giving a stipend, but not those who are merely exploiting the weakness in the verification system.
Good. Wonderful own goal. Now that the RCIP, WORC, and CBC can access the list, could they please comment on:
Whether it is right that relatives of politicians and senior civil servants are on it.
Why a number of non Caymanians are on it.
Whether anyone should have their immigration permissions revoked by virtue of being on it.
Whether anyone who has imported and licensed a new car in the last year is on it.
Why my fully employed colleague in the financial services industry is on it.
Carry on.
Bcc is email 101. Many property managers can’t figure this out either.
sheer madness that they aren’t using a CRM system with safeguards to prevent this.
Representative action suit waiting to happen. Stipend recipients might end up getting more 💵 $$$ from CIG.
Not uncommon. The courts did the same thing with notary public this year, 700-800 email addresses at least.
Notary Public list is published, don’t get your point.
My point is that the courts accidentally cc’d all their emails rather than bcc’ing them.
Emailed them to where, to who?
But email addresses are private data. Defined that way in the law.
If anyone is receiving a stipend and is ashamed that their name will become known….well, perhaps they shouldn’t be getting the stipend in the first place.
This is ridiculous and soooo easily avoided. The IT department should have their heads slapped for not even using the tolls they have in even the most basic of tools?
Gov.ky is using “Gartner approved” Top Security SaaS and basic outbound spam prevention via bulk email is not even set up?
Email Security Administrator Topics Other Features Inbound and Outbound Email Limits
Table of contents:
Situation -You need to send a large amount of outbound mail, or are receiving a large amount of inbound mail, and want to know what our policies are regarding limits on outbound and inbound mail.
Solution – See below for explanations on our limits and what those limits specifically are.
Why Outbound Limits?
Sending “spam” through “xxx Gatner Top Quadrant” Saas is strictly prohibited.
xxxxsaaS does not condone the use of our platform to send bulk mail. Most users respect our fair usage policy and use dedicated email marketing systems to send out bulk mail campaigns. Proofpoint Essentials protects the system as a whole, as well as the reputation of the user and customer.
Detailed Limits
For more detailed limits on our inbound and outbound controls, please see: Acceptable use policies for email
Outbound Limits To Control Bulk Mail Abuse
In order to prevent the sending of spam and bulk mail through our system we have the following limitation in place:
Standard Users: permitted to send out 500 emails over a 10 minute period or 2500 emails over a 24 hour period (All users are created by default as ‘Standard Users’). If you have a business need to increase an account’s limits, please see see any bulk KB article.
Hire Caymanian!
Haven’t they had a Caymanian for long time hired from large law firm.
Grabs popcorn. Hopes for someone to post it here.
civil service can’t go 5 mins without making themselves look like a bunch of clowns
What are they supposed to look like? They are what they are.
Looooolllll boyyyy I would hate to be that employee right now.
The aftershock of this will be palatable.
Palpable?
pal·at·a·ble
/ˈpalədəb(ə)l/
adjective
(of food or drink) pleasant to taste.
You mean bites down and breaks all teeth?
The shock gave me palpitations
#worldclass
Typical Gov incompetence.
I’d like to see the names of those on it as I bet there are quite a few that are millionaires.
Just an FYI, I would have been eligible to receive but I don’t need the money so I did not apply as I have a conscience not so sure about others.
Why because so many have been fleecing the system for such a long time