Cyber incident update
Dear Members,
Following our previous communications detailing the attack on our IT systems, we are now writing to give you a more detailed update based on the information we have available as of today.
We recognise the style and content of this email is not your typical communication on a workplace or trade union issue. This is because everything set out below is based on the advice of cyber and legal experts we have brought in to make sure our reaction to the cyber-attack is timely and professional.
The purpose of this letter is to make you aware of what has happened, what will happen next, and what steps you can take to protect yourself. This communication includes important information and advice that you should read carefully and action accordingly.
What has happened?
We can confirm the CWU has been the victim of a cyber security incident, which we believe may have affected your personal and confidential information stored electronically by the Union.
On Tuesday 19 March, we became aware that an illegal third party had gained unauthorised access to the Union’s IT systems.
We responded quickly and took immediate steps to stop the unauthorised access. We appointed specialist cyber security advisers to investigate what happened and what may have been affected. We are following best practice guidelines set out by the UK National Cyber Security Centre, and have appointed a Cyber Incident Response Level 2 Assured Service Provider to advise the Union through this process. We have notified the Police and the UK data protection regulator, the Information Commissioner’s Office.
The incident has temporarily disrupted the Union’s IT systems. We are confident that this disruption will be resolved quickly and that there will be no long term interruption to the Union’s work and support to members. Please be assured there has been no interruption to the Union’s existing and ongoing legal case work support to members, which is managed on a different IT system that has not been disrupted.
How member data and information may be affected
Our specialist advisers continue to investigate what has happened and we cannot yet confirm precisely what data and/or information held on our systems may have been affected. We currently cannot say when this process will be completed. Please be assured all parties are working hard to complete investigations as quickly as possible.
At this stage, we cannot confirm whether your individual personal information has been affected. However, whilst we do not have concrete evidence yet, it is possible that your data could have been impacted.
This means your personal data and/or information may have been accessed illegally by third parties who may seek to misuse it. As part of this, it is possible that those responsible will post samples of stolen data to the dark web (parts of the internet that are not accessible to typical internet users via normal web browsers). This has not yet happened. If this does happen, our specialist advisers will work quickly to investigate what information may be affected. Those responsible may also post samples of data to the deep web (another part of the internet that is also not easily accessible through typical internet search engines). If this happened, Union legal advisers would act quickly to have the information removed from that website, via legal means.
What information could be affected?
As a trade union, the CWU holds data and information on all members. This includes the fact that you are a member of a trade union, names, addresses, email addresses, mobile phone numbers. For members that pay union fees by Direct Debit, we will hold bank information also (bank name, account number and sort code). At this stage we cannot rule out these information types having been accessed and we are therefore writing to inform you of this and advise on security steps to take.
What actions should you take?
Do not be unduly alarmed. There are a range of steps that you should take to reinforce your personal data security.
· Be vigilant: Please watch for any suspicious or unexpected emails, phone calls or text messages you may receive. Cyber criminals can use ‘phishing’ techniques to send viruses to your electronic devices and illegally obtain access to your information. Take care if you receive unexpected emails with links or attachments. Always double check who the sender is before clicking on any links in emails you receive. Never give out your personal details over the phone unless you are sure who you are speaking to. If in doubt, hang up and Google the website of the organisation the caller claimed to represent. Use the contact details on that website to verify the caller’s identity – do not rely on a website address they give to you.
· Check your bank: Although none of the information held by the Union would enable a third party to access your bank accounts, criminals can use such information to trick you into providing them with further details or access. Remember: check your bank, credit card, and store card statements regularly for any unusual payments that you do not recognise. If you see or suspect anything unusual, or are contacted by someone claiming to be from your bank or card issuer, you should contact your provider immediately using the authentic contact details on the provider’s website, or on your card or bank statements.
· Use strong password security: Using strong and secure passwords is essential in your personal and professional lives. Always use strong passwords and change them as regularly as possible. Ensure your new passwords are at least eight characters in length. Use a varied range of random numbers, upper case letters, lower case letters and symbols, to ensure your password is secure. Do not re-use old passwords and do not use everyday familiar words that can be easily predicted. Use multi-factor authentication whenever it is available. Details of how to set this up will usually be found in the account/profile section of any online accounts you have.
· Monitor your credit report: It is important to check your credit report regularly, to identify any unexpected activity.
· Follow expert guidance: Guidance is available online which details how you can ensure cyber security in your day-to-day activities. Read this useful resource on cyber security and data breaches from the UK National Cyber Security Centre: https://www.ncsc.gov.uk/guidance/data-breaches.
Next steps
It is extremely regrettable that the Union has become victim to illegal cyber activity. We take the security of our members’ data and information extremely seriously and we understand this incident may cause concern.
Be assured that our specialist advisers are working as quickly as possible to investigate what has happened and to fully resolve this situation. Please be aware that investigations like this are complex and can take time to complete. Thank you for your patience as all parties work around the clock to manage this situation and ensure minimum disruption to members.
We will update you if and when we have significant new information to provide.
If you have any questions right now, please contact us here: https://www.cwu.org/cwu-it-questions/
Yours sincerely,
Dave Ward, General Secretary
Tony Kearns, Senior Deputy General Secretary