UK debt relief charity Christians Against Poverty has begun writing to supporters following a data breach that exposed personal details – including phone and bank account numbers, and banking sort codes.
Unidentified hackers broke into the charity’s systems in late July. The intrusion was only detected a week later, as an alert by Christians Against Poverty (a charity that works to lift the poor out of debt) explains.
On 1 August 2016 we identified some suspicious activity on our computer systems that presents a potential security risk for those whose data is held by Christians Against Poverty.
Our investigations show that some, but not all, of our systems were compromised the previous week. As soon as we identified this we called in IT security experts who confirmed that although our servers and systems were well protected, we have been subjected to a sophisticated, illegal, external attack.
Unfortunately, this means that details belonging to supporters and clients (both current and former) may have been accessed. These details could include names, addresses, email, phone and bank account numbers/sort codes. I’m really disappointed that this has happened, but I want to reassure you that we are taking all possible steps to ensure the ongoing security of our systems.
Christians Against Poverty published the notice on 4 August, since when it has begun the process of contacting all affected parties, including supporters and poor families the charity helped with debt problems. El Reg became aware of the breach after an email notice sent to the elderly relative of a reader, Colin, was forwarded to us late last week.
Christians Against Poverty has set up a dedicated micro-site designed to respond to the concerns of affected parties. The charity’s handling of the breach has received a sympathetic response from supporters on Twitter, even though the extent of the problem goes beyond what’s sadly becoming a steady stream of login credential / password breaches.
It's unclear whether the exposed data was encrypted or not, nor why the charity itself was holding banking data on its own systems. In its FAQ, Christians Against Poverty sought to downplay the concerns of supporters and clients while admitting that they may be at heightened risk of phishing attacks.
“We are taking this issue very seriously and are continuing to investigate with the help of the police and external security experts,” it said. “Please be reassured that we are taking all possible steps to ensure the ongoing security of our systems.”
Christians Against Poverty has reported its breach to the Information Commissioner's Office, the UK’s data protection watchdogs. ®