Between the dates of Friday 28th March and Tuesday 1st April, Disability Sheffield suffered a data breach.
Summary
An unknown person recently gained temporary access to a Disability Sheffield staff member’s Microsoft Account. As a result, this person had access to a portion of the data stored by Disability Sheffield, including emails, documents and files. At this time, we cannot say with certainty which files were accessed by the unknown person.
The data on the Microsoft account which was potentially accessed includes but is not limited to the personal data of service users, clients, staff and partner organisations. This includes but is not limited to the following categories of data:
- Diversity Monitoring data, e.g. ethnicity, gender, sexual orientation
- Health data
- Basic personal identifiers, e.g. name, contact details, addresses
- Identification data, e.g. usernames, passwords
- Economic and financial data, e.g. credit card numbers, bank details
- Official documents, e.g. driving licences
- Criminal convictions, offences
The data stored by Disability Sheffield was provided with consent of the individuals we work with and our employees. It is our duty under GDPR to be transparent about the nature and content of the data that may have been accessed as a result of this breach.
Phishing Email
The unknown person used the email account of the Disability Sheffield staff member to share a Microsoft OneNote document with a number of email contacts. This shared document contained a link which, when clicked, led to a phishing website asking for the recipient's email address and password. Individuals who received this email have been emailed from the info@disabilitysheffield.org.uk email account. These recipients are encouraged to:
- Reset your email password
- Update or turn on two-factor authentication for your email or accounts associated with that email address
- If the email address which received the malicious email is a work or business email address, then please contact your IT department and ask them to investigate a possible data breach
Measures Taken to Address the Breach
- The Microsoft account was locked, preventing access to the data available to the account
- The Microsoft OneNote document was deleted and removed from the Microsoft Account
- Access to the Microsoft Account was reset
- The data breach was reported to the Information Commissioner's Office (ICO)
- A full review of Disability Sheffield security and data protection procedures and practices will take place
The Likely Effect to the Individual
At this moment in time, we are unable to predict the likely effect to individuals whose data may have been included in this data breach. We would encourage anyone with concerns that they may have been affected by this breach to reset their email passwords, stay alert to suspicious activity on all accounts and to refer to the below section ‘How Individuals can Mitigate any Possible Adverse Impact’.
How Individuals can Mitigate any Possible Adverse Impact
The National Cyber Security Committee has published information to help individuals stay secure online. We encourage anyone who believes they may be affected by this breach to read the below guidance:
- ‘Top Tips for Staying Secure Online’
- ‘Data Breaches Guidance’
- ‘Dealing with Suspicious Messages Guidance’
- ‘Infected Devices Guidance’
- ‘Hacked Accounts Guidance’
Accessible Resources
LEAD Scotland has produced a range of accessible cyber security and online safety resources in various accessible formats, detailed below:
- BSL Videos – Top Tips for Staying Secure Online
- Easy Read – Online Safety Booklet
- Staying Secure Online – Non-English Language Resources
The information in this article can also be viewed as a PDF – Disability Sheffield – Data Breach