Charity organisation Age UK has confirmed that personal details of as many as 5,000 present and past employees were lost to a couple of data breaches late last year.
The data breaches affected all staff employed since January 2013, and the compromised personal data includes names, dates of birth, e-mail addresses and national insurance numbers.
After it discovered the two breaches, Age UK informed the Information Commissioner’s Office as well as the Charity Commission, and also wrote to all affected employees, detailing the extent of the breaches and what steps it will take to minimise their impact.
Age UK has also agreed to pay £20 per person for CIFAS Protective Registration for all affected past and present employees.
‘We can confirm that Age UK has had two recent, unrelated data security incidents concerning information held by Age UK about Age UK employees. The information did not include bank details or passwords and we are not aware of any actual or attempted misuse of this personal data,’ said a spokesperson for Age UK.
‘We take any threat to data security very seriously and we have acted as swiftly and thoroughly as possible to reinforce our defences. We have informed all individuals affected and the relevant authorities and set up a helpline for any staff wanting more support or information. We have also offered to pay for CIFAS Protective Registration for two years for those involved, to provide an extra layer of security to personal information.’
While the Information Commissioner’s Office is presently investigating the breach, the Charity Commission said that it is assessing information to establish whether trustees met their legal duties and whether it has any further regulatory role to play.
The news of the breach arrives only a day after the government’s Cyber Security Breaches Survey revealed that 56 percent of charities in the UK are still unaware of GDPR, pan-European data security legislation that promises to impose fines of either 4 percent of an organisation’s annual turnover or €20 million (whichever is greater) on erring firms. The GDPR will come into force on 25th May this year.
Of those charities that are aware of GDPR, just over a quarter have actually taken steps to prepare themselves for the upcoming legislation. Among those that made changes, just over one third have made changes to their cyber security practices. In short, the total number of charities that have taken meaningful steps to comply with GDPR is minuscule compared to the number of charities presently operating in the UK.