Metrolinx investigating privacy breach after 2K email addresses of fined riders revealed

The email to more than 2,000 GO Transit riders was sent out Wednesday morning. Nick Westoll / File / Global News

Metrolinx, the transit organization that oversees GO Transit and UP Express, officials say they are investigating a privacy breach that saw more than 2,000 email addresses of riders who were fined publicly revealed in a mass email.

The email, entitled Tell us about your experience with compliance services at GO Transit, was sent out by market research staff with Metrolinx just after 10:45 a.m. on Wednesday. Staff were attempting to get feedback from riders on their interactions with the compliance services office, which processes tickets, fines and handles ticket disputes.

“If you participate in this survey, your responses will be kept anonymous and confidential. Answers will be reviewed only in aggregate to help us improve our services,” a copy of the email message provided to Global News said in part.

Story continues below advertisement

However, the email addresses were seemingly put in a public email address field versus the blind carbon copy field, allowing fellow riders to potentially identify who else was ticketed if the email address contained a name.

Anne Marie Aikins, a spokesperson with Metrolinx, told Global News the public listing of email addresses goes against the transit agency’s privacy policies.

She said an investigation was launched shortly after the email went out in order to identify how the email addresses were revealed and how to prevent a similar instance in the future.

“We unreservedly apologize,” Aikins said.

Click to play video: 'Metrolinx the target of North Korean cyberattack'
Metrolinx the target of North Korean cyberattack

“We have very, very strict policies and procedures in place to protect our customers’ privacy and confidentiality, and those procedures and processes weren’t followed in this instance.”

Story continues below advertisement

She said Metrolinx contacted Ontario’s privacy commissioner to ask for guidance on handling the privacy breach, and said they were told to encourage those on the email to not reply all and to delete the message.

Aikins said there were no further personal identifiers in the email aside from the addresses, such as the types of fines issued, full names and addresses or payment information.

Sponsored content