Age UK has handed itself in to the Information Commissioner’s Office after discovering a double data breach which has led to the personal details of current and former staff being compromised.
The charity has written to those concerned to inform them that there were two incidents at the end of last year which mean their names, addresses, dates of birth and national insurance numbers have been lost. However, it has not divulged how many employees have been hit.
Age UK has also insisted that no bank details or passwords have been lost and says it is “not aware” of any actual or attempted misuse of the data. The breach does not affect the charity’s donor base.
The issue was flagged up by email monitoring software, which showed a member of staff had sent an email with personal and sensitive staff data to a non-secure address outside of Age UK, although it is not known whether this was a deliberate act or a mistake.
The charity then discovered a second incident where two staff email addresses had been hacked and sensitive information emailed to a third party.
In a letter to those affected, which has been leaked to the media, Age UK chief executive Steph Harland said: “We are very unhappy that these incidents have happened, and we have already made changes to minimise the risks to you and prevent it happening again.”
Age UK has reported the breaches to the ICO and notified the National Fraud and Cyber Crime Reporting Centre. It also pledged to send staff on a data protection refresher course.
In a statement, the charity said: “We can confirm that Age UK has had two recent, unrelated data security incidents concerning information held by Age UK about Age UK employees. The information did not include bank details or passwords and we are not aware of any actual or attempted misuse of this personal data.
“We take any threat to data security very seriously and we have acted as swiftly and thoroughly as possible to reinforce our defences. We have informed all individuals affected and the relevant authorities and set up a helpline for any staff wanting more support or information. We have also offered to pay for CIFAS Protective Registration for two years for those involved, to provide an extra layer of security to personal information.”
The ICO has confirmed that it is investigating.
According to the most recent ICO Annual Report, the number of data breach incidents self-reported by organisations rose 31.5% in 2016/17, to 2,565 from 1,950 the previous year.
In total, the ICO sought to impose a civil monetary penalty notice in just 1% (17) of the cases concluded last year. Organisations that self-reported were not required to take any action in 1,680 of the cases.
UPDATE: Age UK has now revealed that between 4,000 and 5,000 people might have been affected by the data breach, but added that it was still trying to establish the precise number.