On the evening of Saturday 12th November, someone gained unauthorised access to the website of our candidate management system via the admin account of a TahDah staff member. The database, which sits behind the website, was not accessed. The unauthorised person(s) replaced the login page so that no one could gain access to the website and sent an email to ‘All candidates’ which contained a malicious link.
What information has actually been taken?
We have discovered that during the breach, a report on the personal details of everyone on the database was downloaded from the website along with a payment report.
What was in the personal details spreadsheet?
The personal details on the spreadsheet contained: MTID, Name, Email, Date of birth, Address, Gender, Ethnicity, Phone (day/evening/mobile). Much of this information may be in the public domain but we have decided that it is important to notify every candidate directly.
The spreadsheet included a TRUE/FALSE response with regards to whether each candidate has a web account (i.e. has logged in to their account either on the original candidate management system or TahDah), is a course director and works for a provider. It also details which associations each candidate is a member of (MTA, AMI, BAIML, BMG, TahDah Premium) and on what date their web account was created.
This spreadsheet did not include any usernames or passwords, training/assessment details, workshop or CPD information, nor did it include any location data, internet log files, web browsing histories, or itemised call lists. No data has been affected or changed in this security breach, so your records and DLOG entries are unaffected (the database was never directly accessed and the information taken was acquired as a report from the website).
What was in the payment report?
The spreadsheet contained limited details of all transactions made between 3rd November 2015 and 12th November 2016. It did not include your bank account details or card details, which are all managed via a separate payment gateway (Stripe, which is regulated by the Financial Conduct Authority) and not stored on the system.
The details on the spreadsheet were: MTID, Name (of the candidate who made the purchase), a TRUE/FALSE response with regards to whether or not the candidate had ticked to say they were insured and had a first aid certificate, Type (of purchase, e.g. Registration/Membership), Date and Time of transaction, Payment reference, whether or not the payment had been refunded, the current status of the payment and extra information about the purchase (e.g. which scheme was the registration for?).
How can the information that was taken be used? What should I look out for?
The information could be used by a third party to send emails to you. We advise that you be vigilant against suspicious emails or other suspicious activity relating to your personal details and specifically the transactions you have made through our system. Mountain Training will never ask for your financial information in any correspondence that we send to you.
Has any data in the system been affected/changed by this? Have my DLOG entries been affected?
The breach did not access the database that underlies the website. The breach occurred via an administrator user account. Admin users have no access to the raw data that underlies the user interface. Therefore no information has been altered or deleted. Your personal details, DLOG records, CPD records, training and membership records are unaffected.
Could this happen again?
The specific way in which the unauthorised person(s) gained access to the system is no longer possible. Security has been increased on the administrator account login process and is being reviewed across the whole system.
What is Mountain Training doing to resolve what happened?
The staff of Mountain Training and our database developer TahDah responded very quickly on the evening of 12 November and were able to intercept the email, so that it was sent to a relatively small percentage of our candidates. TahDah also redirected the malicious link after a short period of time so that it could do no further harm. We therefore reduced the number of candidates directly affected.
We are continuing to work closely with North Wales Police cyber-crime unit and TahDah on this incident and have been informed that an arrest has been made, computers have now been seized and the individual is assisting the Police with their enquiries. We are also continuing to work with the Information Commissioner’s Office. Security is paramount in our operations and the nature of this breach is unusual, hence the speed with which an arrest was made.
How is Mountain Training improving systems/processes/procedures to ensure this does not happen in future?
The security of the system, and particularly of our administrator (privileged) accounts, has been increased, and we have therefore ensured that the specific way in which the security breach occurred can’t happen again. Network security and malware prevention have been reviewed and data protection training is ongoing. Policies on home and mobile working and a strategy for monitoring our system are being developed.
Is my information safe and will it be safe in future?
Your information is safe. In this instance access was gained via an administrator account. Admin users have no access to the raw data so no information was amended, stolen or deleted.
We have increased security to our administrator accounts so that the specific way the breach happened cannot happen again. Network security and malware prevention have been reviewed and data protection training is ongoing. Policies on home and mobile working and a strategy for monitoring our system are being developed.
What about login details – should I update these?
The website was accessed via an administrator user account. The information that was downloaded did not include any usernames or passwords; however, if you wish to change your username and/or password you can do so by visiting the ‘Settings’ area within your account: click on your username (top right) when you are logged in and then click on Settings. You can also review your email preferences and privacy settings on this page.
How do I know which emails from Mountain Training I should trust?
Emails from Mountain Training carry our banner, logo and footer. They will never contain unexplained links or invitations to visit webpages that are unrelated to our business. They will never contain attachments. They will never ask you to disclose your financial information or personal details.
I want to stop all emails from the system – how do I do this?
You can review your email preferences and privacy settings by visiting the ‘Settings’ area within your account: click on your username (top right) when you are logged in and then click on Settings. You can also change your username and/or password on this page.