Hard-headed, or just incompetent?

It's now three weeks since the RSGB sent an unsolicited e-mail to me due to, it claims, "malicious software" gaining control of Len Paget's RSGB e-mail account. There is no suggestion Paget acted improperly or even knew of the event.

Meanwhile, Twitter provides evidence of continuing IT problems at the RSGB, though no detail about what the "things" causing RSGB to be "extremely busy" is known.

In those three weeks, I've learned of, yes, the "malicious software" and that this somehow caused Len Paget's e-mail account to send what the RSGB termed "a phishing" attack, with an attachment. The RSGB further explained that, unless I had opened the attachment and entered details into it, there was no risk.

I did open the attachment (with active virus and malicious software protection enabled), and it did not appear to have any elements where data could be entered. Sure, opening it could have planted a virus, but there is no indication this happened.

So, the description of what was sent around by the "malicious software" doesn't really match what I found.  I asked the RSGB for an explanation.  I also asked them to explain why they claimed this event did not occur due to data processing by the RSGB when they, in the same e-mail, explained that it used old sent e-mail and/or stored contact addresses from Paget's account to do its dark work. 

The claim this event had nothing to do with the RSGB is simply unsutainable, and a surprising one for a data officer to make.

I also asked the RSGB to explain whether or not, in its view, my personal data, and possibly that of many others (I can't know this), was disclosed to a third party during the attack.

I sent that request for clarification to the General Manager of the RSGB. He has neither acknowledged nor answered it.

It's a real shame - but entirely predictable - that, when robustly challenged, the RSGB goes to ground.  I've since referred the case to the ICO; with no response, and the earlier information begging more questions than it answered, that is the only thing that can be done, at least for now.

I also asked the RSGB's Data Officer to erase all my personal data, as I have not been a member for many years, was not and hadn't been for some time in active contact with Paget about anything, and there was therefore no lawful reason to have held my data in the way the RSGB admitted it did.

Whilst the Data Officer acknowledged this and said "further information" on the process to be followed for erasure would be sent out, I haven't received any such details.

I've given the RSGB notice of my concerns about their failure to respond to any of the points of concern raised after their initial revelations, and that a further ICO referral will be made if this persists.

For now, it does rather appear that the RSGB's ability to comprehend, respond to and enforce secure data policies within its structure seems open to question. I hope that it addresses the issues at hand, rather than embark on some other kind of response.

RSGB 'hacked'

 

A strange thing happened at the end of last week. Completely out of the blue, I received a short, cryptic message, indicated as from Len Paget's RSGB e-mail account. Paget is one of the RSGB directors. 

There is no suggestion that Paget acted improperly, and may not have known about the event.

Paget's apparent e-mail simply sent a very short pointer to an associated, .eml type attachment, seemingly about some project or other. 

Given that I haven't been a member of the RSGB for several years, I asked the GM to explain why they held my private e-mail address, and why I had been sent the e-mail, apparently by Paget.

All went eerily silent for a week, when I had to poke the RSGB for a response, saying I would have to refer the matter to the Information Commissioner's Office if they persisted in not acknowledging my request, which was a formal Subject Access Request at that point.

This prompted the revelation by the RSGB's data protection staff that they had suffered a "malicious software" attack. The details are far from clear, and I've asked for clarification - which hasn't yet been given, and so I cannot give the RSGB's full position at the time of writing. The following is the initial position:

'Our apologies for the recent unwanted email.  The email in question was sent as a result of malicious software which had gained access to a user’s email account, and did not result from data processing by the RSGB.

This week we have conducted a thorough security investigation into the incident to avoid any recurrence.

The malicious software made use of contacts and old sent emails on the affected user’s machine.

Analysis of the bogus emails sent out shows they were a phishing scam designed to collect user login data – unless you opened the attachment and followed the link and entered data it should represent no threat to your devices.  If you still have the email, or more subsequently arrived, you are advised to delete them.'

On the face of it, this could be a case of using/accessing RSGB e-mail accounts from home computers, which can be entirely legitimate - if there are data security measures in place and people follow them.

The claim that there was no "data processing by the RSGB" is a little specious, as they are the Data Controller, and have the legal liability for what happens with data they process - data which they admit Paget had on his RSGB account as "contacts and old sent emails on the affected user's machine". This is the GDPR definition of 'processing':

Whilst holding such data might well be legitimate, there is also the need to ensure data that is not needed is not kept longer than strictly necessary. As a non-member, and not in any ongoing contact with Paget, there seems to have been no justification to hold my data at the point it suffered this attack.

Given what has happened, there are real questions about the RSGB's security measures, and whether they are applied consistently - or at all - if people are acting on behalf of the society from home equipment or, indeed, RSGB office computers. This is all the more important, given the increased likelihood of attack due, for example, to the RSGB's stance on Russian participation in their events.

For now, it is entirely unclear how many people were affected, and where their data has been disclosed, if anywhere. If, as it appears, there has been a data breach, then the RSGB must inform the ICO. There is as yet no indication that they have done so. I've advised them that, if they don't approach this incident with a view to addressing it properly, I'll be advising the ICO myself.

Update: from a discussion over on Twitter, the RSGB yesterday (13/05/2022) asked users of their new portal to set up passwords. It is unknown whether this is related to the hack discussed in this blog post. The screengrabs from the RSGB website (accessed 14/05/2022) confirm problems with the portal: