Vodafone sent the phone details of 1,700 News UK journalists to the Metropolitan Police, which had requested the records of just one reporter under the Regulation of Investigatory Powers Act (RIPA).
The police required the information, regarding journalists who were Vodafone customers between 2005 and 2007, under the controversial RIPA rules and as part of Operation Elveden, an inquiry into alleged payments to public officials in return for information.
The internet service provider (ISP) blamed human error for the mistake while the Met claims to have sent the excess data – originally sent to the force in March – back to the company. A Vodafone spokesman said that the company urged Scotland Yard to delete the data, and the Met in turn agreed to use it for “a policing purpose, when it is in the interests of justice to do so.”
It also informed the Interception of Communications Commissioner's Office of the error on 27 June.
Martin Sugden, MD at Boldon James, said in an email to journalists: “Sadly, this kind of data breach is all too common, which makes it even more astonishing that many organisations continue to focus their data security purely on malicious attacks and the perimeter.
“With human error accounting for 50 percent of breaches (according to the ICO), organisations need to both raise user awareness of the sensitivity of the data that they handle and deploy technology that can prevent sensitive data being released in error. Vodafone was lucky that the recipients of this data were the Police and not someone with less lawful intentions.”
Earlier this month, The Times reported that the Met Police National Domestic Extremism and Disorder Intelligence Unit holds 2,000 records which relate to photographers and journalists. Six journalists have subsequently launched a legal challenge regarding this matter.