The Centre for Computing History (CCH) in Cambridge, England, has apologised for an “embarrassing” breach in its online customer datafile, though thankfully no payment card information was exposed.
The museum for computers and video games said it was notified that a unique email address used to book tickets via its website “has subsequently received a phishing email that looked like it came from HSBC.”
“Our investigation has revealed that our online customer datafile has been compromised and the email addresses contained within are now in the hands of spammers,” says the letter to visitors from Jason Fitzpatrick, CEO and trustee at CCH, dated 19 October.
Credit card details, financial information, and passwords are not handled by the website so were not caught up in the leak, said the museum. The information that was exposed includes names, addresses, email addresses, and the name of the product or event that was purchased.
“We take security and your data extremely seriously, but sadly no online system can claim to be 100 per cent secure and we have been caught out. However, we have immediately made updates to our security system and blocked the way in which the data was accessed,” Fitzpatrick added.
The Information Commissioner’s Office is being informed of the breach.
A spokesperson at the ICO told The Register it has yet to receive a report from the CCH. “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”
“All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us.”
Although no financial information was unwittingly exposed, customers should remain on the lookout for dodgy emails from fraudsters.
This incident isn’t helpful to the CCH, which has welcomed back visitors after periods of lockdown but hasn’t managed to increase the number of events held on site that contributed to around half the museum’s annual revenues.
The Reg paid a visit back in July to lend our support to the institution.
Fitzpatrick concluded the letter with an apology, saying: “We are treating this extremely seriously and have acted immediately to ensure the website is patched and secure again.”
He added: “Whilst no online system is 100 per cent secure, it is still of great embarrassment to us and we apologise unreservedly.”
According to Cisco, 86 per cent of organisations had at least one user try to connect to a phishing site, and the scam, along with ransomware and trojans, “averaged 10x the internet activity of all other threat types.” ®