A breach at the National Childbirth Trust (NCT) on Wednesday compromised the information of 15,085 users.
The NCT said the incident “regrettably, has caused some users of our website to have their registration details compromised”.
However, the NCT has emphasised that the loss was limited in both scope and depth. A spokesperson told SCMagazineUK.com that the 15,000 users represented only a portion of its user base, and the scope of the attack meant that the attackers didn't get anything more than basic registration details.
“These details are limited to their email address and the username and an encrypted version of the password that they created to register on the site. We stress that no financial or personal details are held as part of this data so no financial or personal details have been compromised.”
The NCT has informed all affected users by email and recommended that they change their usernames and passwords, in line with industry best practice following an incident of this nature.
“While your password is encrypted, as a precaution, I would advise you to change any password as soon as possible for other accounts or registrations that use these details,” users were told in a message signed by NCT chief executive Nick Wilkie.
The matter has been reported to the Information Commissioner and the police.
The spokesperson confirmed to SC that the data breach was the result of an external attack which also saw the attackers deface the front page of the organisation's website with an image.
The charity has been contacted by some concerned users but there is no evidence that the data has been offered for sale or otherwise used since the attack.
The NCT undertakes regular security reviews of its website and has engaged expert advisers to fix the security flaw.
Paul Kenyon, co-CEO at Avecto, praised the NCT's response and said he was comforted by the fact that organisations seem to be improving their responses to breaches. “NCT alerted its users on the day of discovery – sensibly recommending that they change their passwords – and quickly reported the matter to both the police and Information Commissioner. It also stored passwords in an encrypted format which gives an extra layer of protection.”
Simon Crosby, CTO and co-founder at Bromium, said the NCT should be providing as much information as possible about the breach: “This incident at The National Childbirth Trust will be a wake-up call for people. But it's not the first. Certainly it will provide a clear message to chief execs that if something like this happens then they can expect to be paraded in front of a voracious media – and they'd better have some good answers to some tough questions.”
Richard Cassidy, technical director, EMEA at Alert Logic, said, “It is becoming a great deal easier for hackers to exploit vulnerabilities on key data platforms, given the wealth of resources and information sharing on the cyber-criminal underworld. In many respects organisations need to shift their focus to the view of when and not if a data breach or attack will occur.”
Robert Capps, VP of business development at NuData Security, warned users to be more careful. “This is yet another reminder and opportunity for consumers to implement the proper precautions when it comes to online security, and stop reusing the same username and password on more than one site – virtually eliminating the risk that the compromise of a single website will result in the loss of control of a number of online accounts owned by the same consumer.”
Paul Farrington, senior solution architect at Veracode, said, “We are still learning about the details of how NCT's security was compromised. In similar cases, we often learn that common, avoidable weaknesses in software code have been left in the application. These serve as a ticking time bomb, only to be exploited by a person who wishes to cause harm.”