The hack happened on 23 January but was only reported by BAFTA on 30 January, after it had notified users of the breach, moved the website to new secure servers and deleted all data from the site database. The charity says it does not know who the attackers are, or their motives.
The breach hit the BAFTA Guru website, which offers advice to budding film directors and those interested in the TV and games industries from well-known industry figures.
BAFTA has reported the hack to the Information Commissioner's Office (ICO), which in turn confirmed to SCMagazineUK.com:
“We have recently been made aware of this possible data breach. We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”
The charity insists the hack did not affect its BAFTA Awards or the data of its BAFTA membership, which is held on a separate database. A spokesperson told SC that “investigations are currently underway” but declined to say how many people were affected.
BAFTA said in a statement that it has “moved the site to a new server and securely deleted all email addresses and passwords from the website database”, adding that “the new servers have been independently tested to ensure that they are secure. Routine security checks will also continue as usual.”
The charity added that it has “requested a full and immediate investigation by the companies that designed the site and managed the server on which the site was hosted”.
The Guru website was created by digital agency and software development company, Illumina Digital, working in partnership with branding agency The Council.
SCMagazineUK.com contacted Illumina Digital but a company representative said they were providing “no statement”.
BAFTA says it has no direct evidence that data has been stolen, but alerted its users so they could change passwords if they felt it necessary. It said: “Personal data entered by our users during the registration process for the site included first and last names, email addresses, age and encryption-protected passwords.
“We believe it's better to be safe than sorry. We have contacted everyone who has registered on the site to make them aware of the situation so they can take any precautionary measures. This may include changing their password on any website where they have used the same user ID and password. As an additional precaution, all email addresses and passwords registered with the site have been securely deleted.”
Security expert Mike Loginov, chief cyber security strategist for HP ESS, said that it was important for the site users to change their passwords given the prevalence of cyber crime attacks based on collecting this kind of data.
Loginov told SCMagazineUK.com: “This has the hallmarks of a criminal intelligence-gathering exercise where data is captured for future use or targeted ‘spear phishing’ attacks where the information on key individuals is collated for further exploitation.
“BAFTA have recommended that users of the site change any passwords they might use on other systems that are the same as the ones compromised as a first step - that's an imperative.”