It's now three weeks since the RSGB sent an unsolicited e-mail to me due to, it claims, "malicious software" gaining control of Len Paget's RSGB e-mail account. There is no suggestion Paget acted improperly or even knew of the event.
Meanwhile, Twitter provides evidence of continuing IT problems at the RSGB, though no detail about what the "things" causing RSGB to be "extremely busy" is known.
In those three weeks, I've learned of, yes, the "malicious software" and that this somehow caused Len Paget's e-mail account to send what the RSGB termed "a phishing" attack, with an attachment. The RSGB further explained that, unless I had opened the attachment and entered details into it, there was no risk.
I did open the attachment (with active virus and malicious software protection enabled), and it did not appear to have any elements where data could be entered. Sure, opening it could have planted a virus, but there is no indication this happened.
So, the description of what was sent around by the "malicious software" doesn't really match what I found. I asked the RSGB for an explanation. I also asked them to explain why they claimed this event did not occur due to data processing by the RSGB when they, in the same e-mail, explained that it used old sent e-mail and/or stored contact addresses from Paget's account to do its dark work.
The claim this event had nothing to do with the RSGB is simply unsutainable, and a surprising one for a data officer to make.
I also asked the RSGB to explain whether or not, in its view, my personal data, and possibly that of many others (I can't know this), was disclosed to a third party during the attack.
I sent that request for clarification to the General Manager of the RSGB. He has neither acknowledged nor answered it.
It's a real shame - but entirely predictable - that, when robustly challenged, the RSGB goes to ground. I've since referred the case to the ICO; with no response, and the earlier information begging more questions than it answered, that is the only thing that can be done, at least for now.
I also asked the RSGB's Data Officer to erase all my personal data, as I have not been a member for many years, was not and hadn't been for some time in active contact with Paget about anything, and there was therefore no lawful reason to have held my data in the way the RSGB admitted it did.
Whilst the Data Officer acknowledged this and said "further information" on the process to be followed for erasure would be sent out, I haven't received any such details.
I've given the RSGB notice of my concerns about their failure to respond to any of the points of concern raised after their initial revelations, and that a further ICO referral will be made if this persists.
For now, it does rather appear that the RSGB's ability to comprehend, respond to and enforce secure data policies within its structure seems open to question. I hope that it addresses the issues at hand, rather than embark on some other kind of response.
No comments:
Post a Comment