This website uses cookies for anonymised analytics and for account authentication. See our privacy and cookies policies for more information.





The voice of Scotland’s vibrant voluntary sector

Published by Scottish Council for Voluntary Organisations

TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

Major cyber attack rocks big name charities

This news post is about 1 year old
 

It happened in August - but has only now come to light

High profile charities have been subjected to a devastating cyber attack.

It is believed that the personal data of donors well known organisations has been stolen following the breach.

Criminals are thought to have accessed the data through a survey company that many big UK charities work with.

Among those known to affected are Friends of the Earth, Dogs Trust, Cats Protection, Battersea and the RSPCA.

The Information Commissioner’s Office said it was investigating the breach, which is thought to have happened in August but which has only just come to light.

Hugh Knowles, co-executive director at Friends of the Earth, said: “We are taking this incident very seriously. 

“While we’re certain that no sensitive or financial data has been accessed, we have been contacting our supporters to let them know about the breach, the potential risks to look out for and who to contact if they’re concerned.

“Cyber attacks of this nature are an unfortunate reality in our digital world and Friends of the Earth has robust processes and procedures in place to protect our supporters’ data.

“We’re reviewing what happened and working closely with About Loyalty to understand the details and extent of the data breach.”

A spokesperson for Battersea said it had also contacted all donors that might have been affected by the hack “to offer support and advice”.

Technology lawyer, Rob Sheldon from law firm Fieldfisher, explains why it took so long to come to light, and why the charity sector is a target and why the criminals attacked the survey company.

He said: "Data-breaches are often orchestrated by criminal groups and they are likely to target organisations which are likely to hold sensitive data – recently, we have seen reports of police forces experiencing data-breaches. As charities will often have links to VIPs as donors, unfortunately charities are also likely to be targeted by these groups as they may hold sensitive information about the individuals they support or VIP donors/fundraisers or trustees. There have been many high-profile cases of VIPs' data being hacked such as the phone-hacking scandal which was highly intrusive."

He also explained why there was a time lag between the attack and the news coming to light:

"As with many data breaches, it looks as though the company which was targeted was in the supply chain used by various charities – this time a supplier engaged by a survey company used by the affected charities.

“If the survey company was engaged by the charities to provide these services as their 'processor', there is no specific timeframe set by law in which the processor must notify the controller of the data (here, the various affected charities). 

“The legal requirement is for a processor to notify 'without undue delay' – often, a specific timeframe (say 24 or 48 hours) is agreed in the contract, but we don't know the details here. Once the controller becomes aware of a personal data breach, it must notify the UK Information Commissioner's Office without undue delay and within 72 hours of having become aware of it (so, in this case, the charities may have notified within 72 hours of being made aware by their processor).

“As charities are affected, they will have also been required to notify the Charity Commission. In reality, it can take time to become aware that a security incident has occurred – once an incident has been identified, it needs to be assessed to determine what systems and data have been impacted by the incident and this can take time depending on the nature of the incident and often requires specialist support from cyber-security specialists."