
Southbank Centre, Royal Shakespeare Company, Royal Opera House and The Old Vic among many UK arts organisations affected by huge data breach.

The Royal Opera House is one of many UK arts organisations affected by the data breach. Photo: Peter Suranyi

A software firm that holds details of ticket buyers attending performances at major arts organisations in the UK has been the victim of a massive data breach, it has emerged.

WordFly, which sends emails on behalf of clients including the Southbank Centre, Royal Shakespeare Company, Royal Opera House and The Old Vic, was subjected to a "ransomware attack" on 10 July, which resulted in "some of the data" its customers use to communicate with subscribers being "exported".

The firm's services are currently down, with cyber security experts working to get them back up.

WordFly has told its clients that they should consider using a different email marketing provider if they need to send emails before 25 July, and has moved to assure them that there is "no evidence that any customer data in WordFly has been compromised or misused".

The incident has been referred to the FBI and is now subject to ongoing criminal investigation. Meanwhile, WordFly's clients have been told that the firm is not notifying any UK or European Union data protection authorities as it is not the “controller” of the data under the General Data Protection Regulation (GDPR).

However, it said that customers wondering whether they need to notify authorities themselves - which in the UK would be the Information Commissioner's Office - should take steps independently to verify their legal obligations.

Names and email addresses

In a statement posted on WordFly's website, the firm's Business Development Director Kirk Bentley said the scope of the data affected primarily included names and email addresses.

"While this data was exported from the WordFly environment by the bad actor that perpetrated this incident, it is our understanding that as of the evening of 15 July 2022, that data has been deleted from the bad actor’s possession. 

"We have no evidence to suggest, before the bad actor deleted the data, that the data was leaked over the dark web and/or sent to any other public facing domain/disseminated elsewhere.

"Due to the generally non-sensitive and public nature of the data described above, as we currently understand it, we have no evidence to suggest that any of this information has been, or will be, misused to perpetrate harm to the rights and liberties of our customers or their subscribers."

Vicky Kington, Head of Communications at The Royal Opera House said her organisation was alerted last week to a "global outage" on WordFly's platform.

"We have been unable to email customers since WordFly notified us of this incident," she said. 

"The Royal Opera House is one of many UK arts organisations who have been affected and we will provide further updates in due course as more information becomes available."

Phishing emails

Catherine Mallyon, Executive Director at the Royal Shakespeare Company, said: "The Royal Shakespeare Company’s third-party marketing email provider, WordFly, is currently not operating due to a ransomware incident, which means that emails to RSC audiences cannot currently be sent via the WordFly email provider.

"WordFly's investigations are ongoing, but they have indicated that some limited customer data has been accessed. This includes name and email address records but not customer payment details, postal addresses, phone numbers or passwords as this information is not stored on the WordFly platform.

"We will provide further updates if any further relevant information becomes available. As always audiences are advised to be vigilant and aware of the potential for phishing emails."

WordFly has suggested that organisations that use its email service consider using other providers while its services are down.

"We suggest looking at larger services such as Campaign Monitor, Constant Contact and MailChimp for a temporary fix," Bentley said.

But there is concern that there is little point arranging short-term cover because by the time arrangements have been agreed, WordFly will be operating again, leaving organisations unable to contact their customer base.

Louise Sinclair, Head of Marketing and Communications at Cheltenham Festivals, writing on a Facebook community page, asked other WordFly users what they are doing while the service is down. 

"We're wondering if it is worth temporarily finding another provider but worry it will be a lot of set up work and would probably end up WordFly was back by the time we're done," she said. 

"We're right in the middle of a festival so the timing of this is especially challenging for us from a sales point of view!"

Worst possible scenario

Martin Gammeltoft, Vice President of Commercial Operations for Activity Stream, another marketing firm for event organisations which has clients including the Barbican, Shakespeare's Globe and Manchester International Festival, described the incident as "the worst possible scenario".

"A horrible week. A company that I respect was hit by a cyber security attack and were locked out of their own service, hurting a lot of people and services," he wrote on LinkedIn.

"Not because they did anything wrong, there was probably no reason they were the target. I can't imagine how painful it must be. A week of fighting to understand what happened, or trying to find a way back, and realising how everything you worked for had been hurt, bad.

"For software companies, this is the worst possible scenario, and I've spoken to people who felt like I did - that it could have been us."

Comments

Surely one of the most worrying aspects of this is responsibility for the breach of customer data being disclaimed because it’s “lost” between two different jurisdictions? The US firm says it’s “nothing to do with us, guv” because they’re not the data controller, despite holding all the records that have been hacked, leaving numerous UK arts organisations to take the potential flak under GDPR. With Brexit muddying the waters even further, the risks of future data piracy being “nobody’s problem” may get even worse, with records potentially being processed in any of a huge range of countries and, hence, under multiple legal systems other than the UK’s. In this case it doesn’t look as though too much damage has been done, but where would the RSC, ROH et al be if credit card and address details had been stolen and a US (or EU) supplier just washed its hands of any responsibility?