Age UK has confirmed that it experienced two data breaches at the end of 2017 that compromised the personal information of up to 5,000 past and present employees.
The charity discovered the incident after it was informed by email monitoring software that an employee’s account was sending an email with sensitive data to a non-secure external email account. After investigating, it transpired that two staff email accounts had been compromised and, as a result, confidential information had been sent outside of the charity.
Affected data is said to include names, email addresses, dates of birth and National Insurance numbers. It has been confirmed that no banking information or passwords were affected, and Age UK has said that it is “not aware of any actual or attempted misuse of any personal data”.
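As an added illustration of the kind of outbound-mail monitoring that surfaced this incident (example code written for this article, not Age UK's tooling), the check below flags mail leaving the organisation that carries National Insurance numbers; the internal domain, the sample messages and the simplified NI number pattern are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Domains treated as inside the organisation (assumed placeholder, not a real one).
INTERNAL_DOMAINS = {"charity.example"}

# Simplified UK National Insurance number pattern: two prefix letters (letters and pairs
# HMRC never issues excluded), six digits, suffix A-D, optional spaces. Alert-grade only.
NI_NUMBER = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b",
    re.IGNORECASE,
)

@dataclass
class Alert:
    sender: str
    external_recipients: list
    ni_count: int

def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def scan_message(msg: dict, threshold: int = 1) -> Optional[Alert]:
    """Alert when mail bound for an external address carries NI numbers; `threshold`
    lets a single number (one new-starter form to a payroll bureau) pass, bulk exports not."""
    external = [r for r in msg["to"] if is_external(r)]
    if not external:
        return None  # internal-only mail is out of scope for this check
    hits = len(NI_NUMBER.findall(msg["body"]))
    if hits < threshold:
        return None
    return Alert(msg["from"], external, hits)

def scan_outbound(messages, threshold: int = 1):
    """Run the check over a batch of sent messages and collect the alerts."""
    return [a for m in messages if (a := scan_message(m, threshold))]

# Constructed sample traffic: internal mail, a bulk export to personal webmail, harmless external mail.
SAMPLE_MESSAGES = [
    {"from": "payroll@charity.example", "to": ["hr@charity.example"],
     "body": "New starter: AB 12 34 56 C, please add to the system."},
    {"from": "staff.one@charity.example", "to": ["mailbox@webmail.example"],
     "body": "Export: JG123456A, PT234567B, AB345678D"},
    {"from": "staff.two@charity.example", "to": ["friend@webmail.example"],
     "body": "Still on for lunch tomorrow?"},
]
```

Running `scan_outbound(SAMPLE_MESSAGES)` raises one alert, for the export to the webmail address; raising `threshold` trades sensitivity for fewer false positives on routine single-record mail.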
Those affected by the breach have been informed, as have the relevant authorities, including the Charity Commission. Age UK has also referred itself to the Information Commissioner’s Office (ICO), which is investigating the incident.
A spokesperson for Age UK said:
We can confirm that Age UK has had two recent, unrelated data security incidents concerning information held by Age UK about Age UK employees. The information did not include bank details or passwords and we are not aware of any actual or attempted misuse of this personal data.
We take any threat to data security very seriously and we have acted as swiftly and thoroughly as possible to reinforce our defences. We have informed all individuals affected and the relevant authorities and set up a helpline for any staff wanting more support or information. We have also offered to pay for CIFAS Protective Registration for two years for those involved, to provide an extra layer of security to personal information.
Although it has not been confirmed, it is likely that the breach was the result of a phishing attack. The most important line of defence against a phishing attack is the recipient. If staff can identify and correctly respond to a malicious email, the danger can be mitigated. The incident also reiterates the importance of staff awareness training to ensure that all employees who have access to sensitive data have the correct knowledge and a good understanding of information security and best practice.
For more information on phishing, take a look at our phishing infographic.
Our Phishing Staff Awareness Course helps employees identify and understand phishing scams, explains what would happen should they fall victim and shows them how they can mitigate the threat of an attack.