Centre for Computing History apologises to customers for 'embarrassing' breach

Website patched following phishing scam, no financial data exposed

The Centre for Computing History (CCH) in Cambridge, England, has apologised for an "embarrassing" breach in its online customer datafile, though thankfully no payment card information was exposed.

The museum for computers and video games said it was notified that a unique email address used to book tickets via its website "has subsequently received a phishing email that looked like it came from HSBC."

"Our investigation has revealed that our online customer datafile has been compromised and the email addresses contained within are now in the hands of spammers," says the letter to visitors from Jason Fitzpatrick, CEO and trustee at CCH dated 19 October.

Credit card details, financial information, and passwords are not handled by the website so were not caught up in the leak, said the museum. The information that was exposed includes names, addresses, email addresses, and the name of the product or event that was purchased.

"We take security and your data extremely seriously, but sadly no online system can claim to be 100 per cent secure and we have been caught out. However, we have immediately made updates to our security system and blocked the way in which the data was accessed," Fitzpatrick added.

The Information Commissioner's Office was informed of the breach yesterday morning, has confirmed receipt of the notification, and is processing it.

Although no financial information was unwittingly exposed, customers should remain on the lookout for dodgy emails from fraudsters.

This incident isn't helpful to the CCH, which has welcomed back visitors after periods of lockdown but hasn't managed to increase the number of events held on site that contributed to around half the museum's annual revenues.

The Reg paid a visit back in July to lend our support to the institution.

Fitzpatrick concluded the letter with an apology, saying: "We are treating this extremely seriously and have acted immediately to ensure the website is patched and secure again."

He added: "Whilst no online system is 100 per cent secure, it is still of great embarrassment to us and we apologise unreservedly."

According to Cisco, 86 per cent of organisations had at least one user try to connect to a phishing site, and the scam, along with ransomware and trojans, "averaged 10x the internet activity of all other threat types."

Updated at 1219 UTC on 20 October to add

Fitzpatrick told us of a "minor update" to the situation. He said: "The single datafile that was accessed contained email addresses and names. NOT postal addresses as I originally reported. This was a communication error between me and the tech department… We have been completely open and transparent with this and acted quickly to fix the issue and inform everyone affected."
