Oxfam has apologised after it accidentally emailed a number of supporters saying £100 had been taken from their bank accounts to secure a place at an event they had not volunteered for.
The charity mistakenly included the contact emails of 22 supporters among 70,000 dummy email addresses that it was using to test the capacity of a new system at the end of February.
The test email said the supporters had been accepted as volunteer stewards at the Bearded Theory festival and mistakenly said a deposit of £100 had been taken from their accounts to confirm their places.
No money was taken from anyone’s account. But one supporter, who did not wish to be named, said he found the email extremely stressful because he thought he had gone overdrawn as a result.
The charity realised the error only when it was contacted by the supporter.
In a statement, Oxfam said "human error" was the reason for the breach and apologised for the mistake.
"We notified everyone affected as soon as we discovered the error and apologise for any concern caused by the incident," it said.
"Oxfam takes the protection of personal data very seriously and in accordance with statutory data protection regulations. Our festivals website is security tested and secured in line with Payment Card Industry standards."
Brian Shorten, chair of the Charities Security Forum, said the data breach demonstrated a "lack of process" at Oxfam. "The fact that no money was taken from anyone’s account is irrelevant," he said. "Live and test data should never be mixed".
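The point about never mixing live and test data can be enforced mechanically rather than left to process alone. The following is an added illustration (not code from Oxfam or its festivals website, and not the system involved in the incident): a pre-send gate for a capacity test that refuses to run unless every recipient is a synthetic address. It assumes two things: that dummy addresses are generated under domains reserved by RFC 2606 (example.com, .test, .invalid and the like, which can never deliver to a real mailbox), and that the sending job has access to a suppression set of live supporter addresses. The function names and sample addresses are constructed for the example.

```python
"""Guard a bulk test send so that real contacts cannot slip into a dummy recipient list.

Added example; the function names, the domain allowlist and the sample data
below are assumptions made for illustration, not any charity's real system.
"""

# Domains and top-level labels reserved by RFC 2606 for documentation and testing.
# Mail to these can never reach a real person, so they are safe for load tests.
SAFE_TEST_DOMAINS = {"example.com", "example.net", "example.org"}
SAFE_TEST_TLDS = {"test", "invalid", "example", "localhost"}


def is_synthetic(address: str) -> bool:
    """True only if the address is under a reserved, undeliverable domain."""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1].strip().lower()
    if domain in SAFE_TEST_DOMAINS:
        return True
    return domain.rsplit(".", 1)[-1] in SAFE_TEST_TLDS


def find_unsafe_recipients(recipients, live_addresses):
    """Return every recipient that must not receive a test message.

    An address is unsafe if it appears in the live supporter set (suppression
    list) or if it is not under a reserved test domain. Both checks run, so a
    real address that happens to be absent from the suppression list is still
    caught by the domain rule.
    """
    live = {a.strip().lower() for a in live_addresses}
    unsafe = []
    for addr in recipients:
        norm = addr.strip().lower()
        if norm in live or not is_synthetic(norm):
            unsafe.append(addr)
    return unsafe


def run_capacity_test(recipients, live_addresses, send):
    """Send to every recipient only if the whole list passes the gate.

    `send` is a callable taking one address; it is only invoked when the list
    is clean. Returns the number of messages handed to `send`.
    """
    unsafe = find_unsafe_recipients(recipients, live_addresses)
    if unsafe:
        # Fail closed: abort the entire run, do not skip the bad entries and
        # continue, because a partial send hides the fact that live data leaked
        # into the test set.
        raise ValueError(
            f"refusing to send: {len(unsafe)} non-test address(es), e.g. {unsafe[:3]}"
        )
    sent = 0
    for addr in recipients:
        send(addr)
        sent += 1
    return sent


# Constructed sample data: a small dummy list with two real-looking contacts
# mixed in, and a suppression set of known live supporters.
SAMPLE_DUMMIES = [f"steward{i}@example.com" for i in range(1, 51)]
SAMPLE_MIXED = SAMPLE_DUMMIES + ["a.supporter@mailhost.co.uk", "volunteer@example.co.uk"]
SAMPLE_LIVE = {"a.supporter@mailhost.co.uk"}


if __name__ == "__main__":
    try:
        run_capacity_test(SAMPLE_MIXED, SAMPLE_LIVE, send=lambda a: None)
    except ValueError as err:
        print(err)
    print("clean list sent:", run_capacity_test(SAMPLE_DUMMIES, SAMPLE_LIVE, send=lambda a: None))
```

Note that `volunteer@example.co.uk` is caught even though it is not on the suppression list: `example.co.uk` is not a reserved domain, so the allowlist rule treats it as potentially real. That second line of defence is the reason to check both the suppression set and the domain, rather than relying on either alone.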
The data expert Tim Turner of 2040 Training said data breaches usually had to be reported to the Information Commissioner’s Office, but Oxfam would be able to avoid this if it could argue that there was no risk to the affected people.
"Sometimes, even with the best processes in place, human error cannot be entirely prevented, but Oxfam needs to do as much as it can to prevent or at least reduce that risk," said Turner.
"Only if it can show a balance of technical measures and human controls such as training, supervision and reminders can it argue that incidents like this do not represent a breach of Data Protection."
Turner reminded charities that personal data was a vital asset that needed to be protected and controlled as carefully and deliberately as money.
"Senior managers must take responsibility for creating a strong framework of measures to keep control of data, but also promote a culture using data intelligently, effectively and safely," he said. "This cannot be done with software and systems alone – every individual has a part to play."
It is not the first time Oxfam has breached data-protection rules. Last month it was investigated by the ICO after it circulated a copy of its 2011 report about sexual misconduct in Haiti that was "not securely redacted", meaning some individuals could be identified.
In 2017, it was among 11 other charities that were fined for inappropriate use of supporter data for fundraising purposes.