Bosses at a Perthshire holiday resort have been accused of an “inexcusable” security breach after posting the personal emails and phone numbers of more than 2,400 members on their website.
The Loch Rannoch Highland Club, which counts former Tory leader Sir Iain Duncan Smith amongst its visitors, was reported to data protection watchdogs after publishing 243 pages of sensitive information.
The blunder has angered some timeshare owners who have already fallen out with the club committee over a series of redundancies and walk-outs.
Club chairman Cliff Hunter said the members’ details were removed “within hours” of going online and insisted only a small number of people had viewed them.
Investigation
The Information Commissioner’s Office (ICO) has confirmed it is probing the incident and has urged anyone with concerns to get in touch.
Until it was shut down, the members section of the Loch Rannoch Highland Club (LRHC) website – which was fully accessible to the public – contained a lengthy list of timeshare owners’ email addresses and phone numbers, alongside their club reference numbers.
The list was reported to the ICO by owner Ann Blythe, who is proprietor of the Perth-based UK Resort Exchange.
She said: “One of the other owners had alerted me. He came across it by accident.
“I couldn’t believe what I was seeing. The club has some very prominent members and I’m sure they would be horrified to know their details have been put out there like this.”
Apology demand
Among the best known guests was politician Iain Duncan Smith, who visited the timeshare complex at least once in 2016.
He asked for an apology from the club after details of his visit appeared in a newsletter sent to members.
“I seem to have been used unwittingly as part of a marketing promotion without my permission,” he wrote at the time. It is not clear if his details were among the 2,400 published on the website.
Another owner, Ian Taylor said the members’ list was an “inexcusable breach” of GDPR rules and regulations.
“The personal information of all members was available to all and sundry throughout the world. This is gross negligence and it is totally irresponsible for the LRHC website to publish personal and private data, without the consent of the individual.”
Mr Taylor has written to Mr Hunter, urging him to resign and call an extraordinary general meeting to elect a new committee.
Mr Hunter told The Courier: “As soon as the club was made aware of what had happened, this small loophole was immediately closed.”
He said: “The page was only visible by searching the site for that particular page, which was only accessible through the members area and was never available as a menu item or click on the public-facing portion of the site.
“Additionally, this section of the website had only been online for a matter of hours, and that page had only been viewed a couple of times.”
Page spotted
The Courier understands the page was spotted on Wednesday night and was shut down at about 3pm the following day.
Mr Hunter said he had spoken to club lawyers and a representative from the ICO, claiming they were “satisfied with the explanation of what had occurred, that the loophole had been closed and no further action is necessary.”
A ICO spokeswoman told The Courier: “We are aware of a potential incident at Loch Rannoch Highland Club and are making enquiries.
“Anyone with concerns about how their data has been handled can report them to us and we will look into the details.”