Sex abuse survivors’ charity One in Four victim of data breach

Derry firm Evide warns clients about possibility of sensitive information being leaked online

One in Four chief executive Maeve Lewis said she had contacted Evide to ask them to take out a legal injunction to stop the sharing of sensitive information. Photograph: Alan Betson
One in Four chief executive Maeve Lewis said she had contacted Evide to ask them to take out a legal injunction to stop the sharing of sensitive information. Photograph: Alan Betson

Charity One in Four is among dozens of such organisations that have been the subject of a major data breach involving a company in Northern Ireland.

Evide, based in Derry, manages data for around 140 charities and non-profit organisations. They have told the PSNI of the data breach and warned their clients of the possibility of sensitive information being leaked online.

One in Four chief executive Maeve Lewis said she had contacted Evide to ask them to take out a legal injunction to stop the sharing of sensitive information. One in Four deals with people who have been the subject of childhood sexual abuse.

She pointed out that One in Four had not been directly targeted so they could not initiate legal proceedings, but it was her understanding that the charity’s personal data had been accessed.

READ SOME MORE

“We were told by the cyber security experts that the data is very valuable because it can be sold to people who then go on to try and commit fraud by, for example, getting bank account details or other personal data,” she said.

Personal information

Ms Lewis added that documents that were attached to the data had not been accessed. One in Four believed the data of about 1,000 clients had been hacked. They had contacted 500 clients and were continuing to get in touch with people. They can also access the charity’s website at www.oneinfour.ie.

“We would also just urge people to be careful of any unusual email or text messages that come through,” she told RTÉ's Morning Ireland.

The data which was stolen included personal information such as short records of people’s engagement with One in Four’s services. “So we really don’t know what the situation is with that data. We do know that any attachments, any letters and any reports, for example, to child protection services, they have not been accessed,” she added.

Ms Lewis said that the people they had contacted had been “remarkably generous”, while, obviously, some had been quite distressed “because we are dealing with some very vulnerable people. Sadly, in this day and age, people are accustomed to being contacted by dodgy calls, dodgy emails. So people are generally aware of what they should do if they get an email from an unusual source. We are continuing to offer support. And if anybody out there is concerned, we urge them to look at our website and then find the details of how to contact us.”

Ms Lewis said One in Four had been told that the most valuable information was personal data, which criminals then try to sell on to others who want to try to defraud people by contacting them via email or text message trying to get bank details.

Minister of State at the Department of Communications, Ossian Smyth TD has said that the nature of the information stolen remains unclear. Mr Smyth told RTÉ radio’s News at One that the cyber attack remained a live criminal investigation for the PSNI. Increasingly cyber attackers were targeting data storage facilities rather than organisations directly, he said.

The people who were the users of the support organisations had shared their data with those organisations. “I can understand that they would be very worried and worried that they have shared the most confidential, intimate information”.

Mr Smyth cautioned that the investigation was at an early stage and that some of the information circulating was untrue. The nature of the attack was likely to be financial and the numbers impacted would be “a very small proportion”. When asked if there was a role for the Data Protection Commissioner in the investigation into the breach, Mr Smyth, said yes there was, but he did not know if it would be the Irish Commissioner as the breach occurred in Northern Ireland.

Evide said it found out about the data breach when unusual traffic was detected on its network.

The company added: “As soon as we became aware that a third party had accessed our systems we immediately contacted the PSNI and engaged the services of experienced cyber security specialists to assist us to contain the issue, support recovery efforts, and conduct a thorough investigation.

“We have provided notifications to all relevant stakeholders and clients and also notified the relevant authorities, including the Police Service of Northern Ireland who notified An Garda Síochána. The incident is now also subject to a criminal investigation.”

Minister of State at the Department of Communications Ossian Smyth said the nature of the information stolen remained unclear.

Increasingly, cyber attackers were targeting data storage facilities rather than organisations directly, he told RTÉ Radio’s News at One. The nature of the attack was likely to be financial and the numbers impacted would be “a very small proportion”, Mr Smyth added.

Ronan McGreevy

Ronan McGreevy

Ronan McGreevy is a news reporter with The Irish Times