September 2018 - A couple of days ago The Floater reported that, despite promises from Jon Horsfall, Canal & River Trust’s Head of Customer Services, that the charity would “be in contact again once we have established the cause of the breach”, no explanation has been made. It seems we were wrong and that the Trust has released more details... but, until now, only to the people directly affected, as Peter Underwood reports.
What the Trust has said publicly about the data breach has been severely limited, with the short press statement updated earlier this week, late on the day that the first Floater story was written and at the time the breach got a mention in the pages of Private Eye.
The updated statement increases the number affected by the breach to 1,270 customers, as well as confirming C&RT has followed the rules and reported the breach to the Information Commissioner’s Office, but doesn’t add much more to the original.
However, Canal & River Trust has now made available to The Floater the text of a letter from Tom Deards (head of legal and governance services), sent two days after the data breach directly to those known to be affected by it.
It identifies the cause as a fault in the upgrading of the on-line platform owned by its sub-contractors who run the licence renewal system.
It also says the Trust’s own IT security has not been compromised and that C&RT suspended the licence renewal process as soon as it learned of the breach.
Tom Deards tells the victims that C&RT is looking at a new system that ‘avoids the need to send full renewal information by email’.
Mr Deards is the Trust’s Data Protection Officer in addition to his legal role. In the letter, reproduced below, he also asks those who had been sent personal details of dozens of other boaters to “securely delete” the information.
The Floater asked the Trust whether there had been any response from the Information Commissioner’s Office and a press officer agreed to attempt to find out. At the time of writing we have not heard anything.
TEXT OF LETTER FROM TOM DEARDS (August 24):
Notification of a Personal Data Breach
As the Trust’s Data Protection Officer, I wanted to write to you individually as one of our affected customers, to clarify the extent and circumstances of this data breach and the actions we are taking.
On the morning of 22 August we discovered a data breach in relation to our automated licensing renewal process, affecting up to 1,270 of our boating customers. The cause of this breach was a fault in the upgrading of the on-line platform of Concurrent (our sub-contractor who administers the licence renewal system on behalf of the Trust) and resulted in the inadvertent sharing of your personal information held by the Trust with other leisure boating customers.
The breach affected the following types of information:
- Name/postal address/phone number (land line and/or mobile)
- Trust on-line portal user ID
- Boat name/index number/mooring location/boat length/boat safety certificate details
- Licence renewal details including price and current licence expiry date
- Insurance provider/policy number/expiry date
No bank or card details were disclosed.
The Trust’s own IT system security has not been compromised and it is not possible for your on-line Trust account to be accessed with only your User ID (i.e. without your password which can only be re-set through an email to your email address which was not disclosed). We do not believe that the personal information disclosed poses any significant risk of identity fraud.
The Trust suspended the licence renewal process as soon as we became aware of the data breach and we have since received satisfactory reassurance from Concurrent that the technical issue has been dealt with and will not re-occur. For future boat licence renewals we are looking at a system that avoids the need to send full renewal information by email.
We have today informed the Information Commissioner’s Office of the breach and we await their response.
You can obtain more information about the breach from the following contact points:
- Customer.Services@canalrivertrust.org.uk
- Trust Customer Services Team – 0303 040 4040 (which will be staffed from 10am to 4pm over the Bank Holiday weekend)
If you have received personal information of other Trust boating customers, we would ask that you securely delete this information.
Finally, I would like to apologise on behalf of the Trust for any distress and inconvenience this breach may cause you.
Yours sincerely
Tom Deards
Head of Legal & Governance Services
Currently C&RT is saying that it doesn’t think there is a link between the personal information of boaters being made public by the breach and the scamming of its boat transfer system, just days later, to falsely transfer ownership of six boats to various fake names.
Photos: Letter from Mr Deards the Trust’s Data Protection Officer.