Security breach at National Childbirth Trust spills personal details of 15,000

Personal data exposed by website security breach

The National Childbirth Trust (NCT) is at the centre of a major data breach that exposed the registration details of up to 15,000 people. The organisation has emailed the people affected by the security lapse and apologised for the loss.

In a statement, the NCT confirmed the incident but stressed that no financial information was at risk.

"[The leaked] details are limited to their email address and the username and an encrypted version of the password that they created to register on the site. We stress that no financial or personal details are held as part of this data so no financial or personal details have been compromised," it said.

"The breach occurred and was discovered on Wednesday, upon which we contacted everyone affected telling them about the breach and advising that they change their username and passwords."

It also confirmed it had informed the Information Commissioner's Office (ICO).

Not surprisingly, the security community has been quick off the mark with comment on the breach.

"This incident at the NCT will be a wake-up call for people. But it's not the first. Certainly it will provide a clear message to chief execs that if something like this happens they can expect to be paraded in front of a voracious media. And they'd better have some good answers to some tough questions," said Simon Crosby, chief technology officer and co-founder of Bromium.

"Businesses have no excuse that they were not aware or prepared for such attacks. They'll need to prove that they took all reasonable steps to protect themselves. How they respond may be the difference between a damaging incident and fatal disaster."

David Gibson, vice president of strategy and market development at Varonis, agreed that how the NCT reacts will be critical.

"Burying your head in the sand and hoping nothing bad will happen isn't an option these days, so companies should absolutely have a plan for what happens after they discover a breach," he said.

"Just like it would be silly not to have a plan for a fire in the building, it doesn't make sense not to have a response plan for a data breach.

"At a minimum, it's critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders etc.

"Different types of information have different disclosure requirements, so it's important for companies to understand what kind of data they store and what those obligations are so they can plan accordingly."

We have asked the NCT for its comments, and have checked with the Information Commissioner's Office about an investigation.
