Summary
- An attacker gained access to the UKSEDS web server, which contains databases used by our main website and transaction system.
- They had access to the data stored in these databases, which includes customers’, attendees’, members’, branch leads’ and sponsors’ information (detailed separately).
- We don’t think they accessed this information. The evidence suggests their goal was adding spam links to our website.
- We have secured our web server, informed the relevant authorities and put in place procedures to prevent this from happening again.
What do you need to do?
- No financial data or login details have been compromised, so there is no immediate action you need to take
- Be vigilant regarding spam, phishing emails or signs of identity theft
- If you are worried, follow the advice recommended by Which?
On the 4th April 2018 we discovered that the UKSEDS website had been attacked on 19th March 2018. The attacker gained access to several databases used by UKSEDS services, including the WordPress platform used for our main website (www.ukseds.org), and all customer purchases, event registrations, and membership registrations. We do not know the identity of the attacker or how they gained access to our web server. Our logs suggest that they were focused on adding spam links to our WordPress site.
Personal data exposed
We have no evidence that any data was accessed, but cannot rule out the possibility that it was. The following data may have been compromised:
Previous customers, event attendees, and members:
- Name
- Email Address
- Billing Address (customers/event registrations only)
- University/Organisation
- Name
- Email Address
- Phone Number
- Shipping Address
- Contact Name
- Contact Email Address
- Contact Phone Number
- Invoicing Address