ICO investigates Age UK after two data breaches

by Kirsty Weasley for Civil Society online 22 January 2018

Age UK lost the personal details for current and former staff in two separate data breaches at the end of last year and has reported itself to the Information Commissioner’s Office.

The charity has written to current and former employees to tell them that two incidents at the end of last year mean people’s names, addresses, dates of birth and national insurance numbers have been lost.

Age UK said that no bank details or passwords were lost and it is “not aware of any actual or attempted misuse of any personal data”. No customer or supporter data has been compromised.

Two separate incidents

The charity was alerted by email monitoring software to a member of staff sending an email with personal and sensitive staff data to a non-secure address outside of Age UK.

It then discovered a second incident where two staff email addresses had been hacked and sensitive information emailed outside of the charity.

“We are very unhappy that these incidents have happened,” the charity’s chief executive Steph Harland said in a letter to people affected, seen by Civil Society News, “and we have already made changes to minimise the risks to you and prevent it happening again.”

Age UK has reported the breaches to the ICO and notified the National Fraud and Cyber Crime Reporting Centre. It also said it would provide refresher training to staff.

Age UK statement

Age UK did not confirm how many people had been affected by the incidents, but said it had informed everyone affected and was offering to pay for an additional level of protection.

A spokesman said: “We can confirm that Age UK has had two recent, unrelated data security incidents concerning information held by Age UK about Age UK employees. The information did not include bank details or passwords and we are not aware of any actual or attempted misuse of this personal data.

“We take any threat to data security very seriously and we have acted as swiftly and thoroughly as possible to reinforce our defences. We have informed all individuals affected and the relevant authorities and set up a helpline for any staff wanting more support or information. We have also offered to pay for CIFAS Protective Registration for two years for those involved, to provide an extra layer of security to personal information.”

The Information Commissioner’s Office confirmed that it was investigating.

An ICO spokesman said: “We are investigating an incident involving Age UK. We understand the organisation is informing staff if they have been affected.

“There are measures people can take to guard against identity theft, for instance being vigilant around items on their credit card statements or checking their credit ratings. There are more tips and information on our website.”