Saturday 14 May 2022

RSGB 'hacked'

 

A strange thing happened at the end of last week. Completely out of the blue, I received a short, cryptic message, indicated as from Len Paget's RSGB e-mail account. Paget is one of the RSGB directors. 

There is no suggestion that Paget acted improperly, and he may not have known about the event.

Paget's apparent e-mail simply sent a very short pointer to an associated .eml-type attachment, seemingly about some project or other.

Given that I haven't been a member of the RSGB for several years, I asked the GM to explain why they held my private e-mail address, and why I had been sent the e-mail, apparently by Paget.

All went eerily silent for a week, when I had to poke the RSGB for a response, saying I would have to refer the matter to the Information Commissioner's Office if they persisted in not acknowledging my request, which was a formal Subject Access Request at that point.

This prompted the revelation by the RSGB's data protection staff that they had suffered a "malicious software" attack. The details are far from clear, and I've asked for clarification - which hasn't yet been given, and so I cannot give the RSGB's full position at the time of writing. The following is the initial position:

'Our apologies for the recent unwanted email.  The email in question was sent as a result of malicious software which had gained access to a user’s email account, and did not result from data processing by the RSGB.

This week we have conducted a thorough security investigation into the incident to avoid any recurrence.

The malicious software made use of contacts and old sent emails on the affected user’s machine.

Analysis of the bogus emails sent out shows they were a phishing scam designed to collect user login data – unless you opened the attachment and followed the link and entered data it should represent no threat to your devices.  If you still have the email, or more subsequently arrived, you are advised to delete them.'

On the face of it, this could be a case of using/accessing RSGB e-mail accounts from home computers, which can be entirely legitimate - if there are data security measures in place and people follow them.

The claim that there was no "data processing by the RSGB" is a little specious, as they are the Data Controller, and have the legal liability for what happens with data they process - data which they admit Paget had on his RSGB account as "contacts and old sent emails on the affected user's machine". This is the GDPR definition of 'processing':

Whilst holding such data might well be legitimate, there is also the need to ensure data that is not needed is not kept longer than strictly necessary. As a non-member, and not in any ongoing contact with Paget, there seems to have been no justification to hold my data at the point it suffered this attack.


Given what has happened, there are real questions about the RSGB's security measures, and whether they are applied consistently - or at all - if people are acting on behalf of the society from home equipment or, indeed, RSGB office computers. This is all the more important, given the increased likelihood of attack due, for example, to the RSGB's stance on Russian participation in their events.

For now, it is entirely unclear how many people were affected, and where their data has been disclosed, if anywhere. If, as it appears, there has been a data breach, then the RSGB must inform the ICO. There is as yet no indication that they have done so. I've advised them that, if they don't approach this incident with a view to addressing it properly, I'll be advising the ICO myself.

Update: from a discussion over on Twitter, the RSGB yesterday (13/05/2022) asked users of their new portal to set up passwords. It is unknown whether this is related to the hack discussed in this blog post. The screengrabs from the RSGB website (accessed 14/05/2022) confirm problems with the portal:

 



