RideLon-doh! Data breach probe as acceptance letters sent to wrong recipients

Organisers of RideLondon have said they are informing watchdog the Information Commissioner’s Office (ICO) about a data breach that has resulted in acceptance letters revealing personal details of successful entrants to the ballot for the 100-mile sportive in August being sent to the wrong addresses.

In the past day or two, a number of people who entered the ballot for RideLondon-Surrey 100 have taken to social media to tell of how their delight about being accepted for the sportive turned to dismay when they realised the letter was not intended for them, and concern about whether someone else had their personal details.

Home to an envelope addressed to me….. with someone elses personal successful ballet details inside. Very concerned my personal details are on someone elses doormat. Really hope this is being looked into urgently and is the problem you mention above.

— Jenny Hopper (@Wrenaroo) February 10, 2020

When you get the magazine you thought you’d never receive and start jumping up and down. Then you have to admit to your husband that you signed both of you up for it. When he asks – are you now a 34 year old male. Oh @RideLondon what a mess up. A big old GDPR mess up. pic.twitter.com/c8Xw4rn8rr

— Natalie Cosgrove (@NatalieCSwits) February 10, 2020

The mix-up, which according to organisers has affected around 2,000 people who applied for the heavily-oversubscribed event for which some 25,000 places are available through the ballot, has left many in the dark over whether or not they have been successful.

Hi Jane. Firstly, we’re really sorry that you were affected. You will receive an email tomorrow confirming whether you’ve been successful or not but we’d recommend you hold off from cancelling if possible. Thanks, PRL

— Prudential RideLondon (@RideLondon) February 11, 2020

@RideLondon What a monumental mistake. As a gesture of good will, please offer a place to those entrants affected by this. I am so disappointed.

— Andy Lakin (@andylakin) February 11, 2020

Yesterday, London & Surrey Cycling Partnership, which organises the event, posted a statement to Twitter saying it “is currently working to establish how many people have been affected and we believe it to be less than  per cent of the total of more than 70,000 people who entered the ballot.

“We are working with our contractors to establish the full facts but it appears that the issue was caused by an error in the collation of the acceptance letter and the addressed envelope in the final stages of the mailing process which led to the people affected receiving the name, address and date of birth of one other person.”

In other words, some letters ended up in the wrong envelopes.

“We apologise sincerely for this error and will be contacting all the people affected,” the statement added. “The ICO is being informed with full details of what happened and what we have done, following the timelines in their guidance.”

According to the ICO’s website, “Under the current UK data protection law, most personal data breach reporting is best practice but not compulsory,” although it adds that any breaches must be referred if there is a “risk to people’s rights and freedoms from the breach.”

RideLondon takes place this year on the weekend of 15 and 16 August, and will be the final time that the event has been sponsored by Prudential, which has backed it since the first edition in 2013.

> RideLondon looking for new headline sponsor from next year

Currently, Surrey County Council is holding a public consultation on whether it should continue to host part of the route of the sportive rides held on the Sunday of the event.

> RideLondon boss urges Surrey residents to back event in council’s consultation

The council’s current agreement with the event expires this year and it has said that it wants to continue to host it.

The consultation, which you can find here, is open until this Sunday 16 February.