Updated
The Centre for Computing History (CCH) in Cambridge, England, has apologised for an “embarrassing” breach in its online customer datafile, though thankfully no payment card information was exposed.
The museum for computers and video games said it was notified that a unique email address used to book tickets via its website “has subsequently received a phishing email that looked like it came from HSBC.”
“Our investigation has revealed that our online customer datafile has been compromised and the email addresses contained within are now in the hands of spammers,” says the letter to visitors from Jason Fitzpatrick, CEO and trustee at CCH, dated 19 October.
Credit card details, financial information, and passwords are not handled by the website so were not caught up in the leak, said the museum. The information that was exposed includes names, addresses, email addresses, and the name of the product or event that was purchased.
“We take security and your data extremely seriously, but sadly no online system can claim to be 100 per cent secure and we have been caught out. However, we have immediately made updates to our security system and blocked the way in which the data was accessed,” Fitzpatrick added.
The Information Commissioner’s Office was informed of the breach yesterday morning, has confirmed receipt of the notification, and is processing it.
Although no financial information was exposed, customers should remain on the lookout for dodgy emails from fraudsters.
This incident isn’t helpful to the CCH, which has welcomed back visitors after periods of lockdown but hasn’t managed to increase the number of events held on site, which contributed to around half the museum’s annual revenues.
The Reg paid a visit back in July to lend our support to the institution.
Fitzpatrick concluded the letter with an apology, saying: “We are treating this extremely seriously and have acted immediately to ensure the website is patched and secure again.”
He added: “Whilst no online system is 100 per cent secure, it is still of great embarrassment to us and we apologise unreservedly.”
According to Cisco, 86 per cent of organisations had at least one user try to connect to a phishing site, and the scam, along with ransomware and trojans, “averaged 10x the internet activity of all other threat types.” ®
Updated at 1219 UTC on 20 October to add:
Fitzpatrick told us of a “minor update” to the situation. He said: “The single datafile that was accessed contained email addresses and names. NOT postal addresses as I originally reported. This was a communication error between me and the tech department… We have been completely open and transparent with this and acted quickly to fix the issue and inform everyone affected.”