[BreachExchange] Charities warned about fraud risk after data breach at National Lottery Community Fund

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 22 11:51:31 EDT 2021


https://www.civilsociety.co.uk/news/applicants-personal-details-at-risk-after-data-breach-at-national-lottery-community-fund.html

Personal details linked to thousands of charities could be at risk
following a data breach at the National Lottery Community Fund (NLCF).

The data includes the names, dates of birth and bank details of people who
applied for funds from NLCF’s UK portfolio, England funding or Building
Better Opportunities programme between September 2013 and December 2019.

NLCF did not disclose details of how the breach occurred, but said that an
investigation was ongoing and that it was “too early to say” how many
individuals may be affected. The programmes concerned receive thousands of
applications every year.

The funder has reported itself to the Information Commissioner's Office and
urged people to watch out for fraudulent activity on their bank accounts or
phishing emails. It could not rule out the possibility that other personal
data had been affected.

NLCF has also set up a dedicated email address and phone number for anyone
with concerns or questions, and apologised to everybody affected.

Breach

In a statement posted online on Thursday afternoon, NLCF said it had become
aware of a breach relating “to data provided to us between September 2013
and December 2019 by UK Portfolio, England funding and Building Better
Opportunities customers”.

Applicants to NLCF programmes in Northern Ireland, Scotland and Wales are
not affected.

The statement continued: “By customers we mean those who were in the
process of applying for a grant as well as existing grant holders supplying
information to us at that time.

“The data includes contact details (name, address, email and land and
mobile numbers), date of birth, bank details (name of bank account, sort
code and account number) and the applicant organisation’s address and
website. It does not include bank account PINs, passwords or bank card
details as we do not collect them.

“This is an ongoing investigation however, and other personal data may be
affected. We will update our website if this is confirmed.”

When asked how many individuals had been affected, an NLCF spokesperson
said the funder is “still investigating so it’s simply too soon to say”,
and stressed that their priority was alerting customers quickly so that
they could protect themselves if necessary.

Warning about fraud

NLCF advised charities to change their passwords and be extra vigilant
about potential fraud.

The statement added: “We are looking into the matter fully to understand
what has happened, but we need to make any UK Portfolio, England funding or
Building Better Opportunities customers who supplied this type of
information to us during this date range aware that their data could be at
risk.

“If you believe you may be affected, we would urge you to consider updating
the passwords on your accounts (ensuring you use strong, unique passwords),
look out for phishing emails or fraudulent activity on your bank account
and consider running a credit check against your name and address to enable
you to spot any fraudulent applications being made in your name.”

Applicants with further concerns have been urged to call NLCF’s England
Advice Team helpline or use the dedicated email address
data.breach at tnlcommunityfund.org.uk.

NLCF said: “We are sorry for the worry and inconvenience this may cause and
want to assure all our grant holders, past, present and future, that we
take your personal data seriously.

“We will be working to ensure that our standards going forward are what you
would expect.

“We know that you will be keen to understand whether your personal
information is involved or not.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210722/bd671a4a/attachment.html>


More information about the BreachExchange mailing list