Data breach update

Data breach – update

Thank you for your patience whilst we completed a thorough investigation into the recent data breach involving the loss of two disks containing historic personal data for some grantholders.

At the time of reporting the breach we stated the disks were either lost, stolen or destroyed. We can now confirm that these disks are either lost or stolen as there are no records of them having been destroyed by the Fund. This means the data held on these disks could potentially be at risk.

The breach relates to data provided to us between September 2013 and December 2019 by customers within our UK Portfolio, England funding and Building Better Opportunities programmes. We have been unable to place exact parameters against potentially affected customers so ask customers from these programmes to consider protecting themselves as outlined in our Data Breach Notice below. Customers through our Northern Ireland, Scotland and Wales funding programmes are not affected.

We have updated the FAQs and customers can also call our England Advice Team helpline (0345 4 10 20 30) or contact a dedicated email address data.breach@tnlcommunityfund.org.uk

Previous Update:
Thank you for your patience as we continue to look into this matter. We can now confirm that the data breach is due to two unencrypted disks being identified as missing from a secure, access-controlled location on our premises. Unfortunately, despite best efforts, we are unable to confirm whether they are lost, stolen or destroyed. All other information in the statement below remains the same, including which customers are affected.

We are sorry for any worry this may cause and want to assure all our grant holders, past, present and future, that we take your personal data seriously.

Following feedback from customers, we have also added two additional questions to the FAQS below. Customers concerned they are affected can also call our England Advice Team helpline (0345 4 10 20 30) or contact a dedicated email address data.breach@tnlcommunityfund.org.uk.

Important notice of a data breach

We have reported a data breach to the Information Commissioner’s Office (ICO). Please take the time to read the information below as it will help you to understand whether your data may be affected and what steps to take if it is.

The breach relates to data provided to us between September 2013 and December 2019 by UK Portfolio, England funding and Building Better Opportunities customers. Customers through our Northern Ireland, Scotland and Wales funding programmes are not affected.

By customers we mean those who were in the process of applying for a grant as well as existing grant holders supplying information to us at that time.

The data includes contact details (name, address, email and land and mobile numbers), date of birth, bank details (name of bank account, sort code and account number) and the applicant organisation’s address and website. It does not include bank account PINs, passwords or bank card details as we do not collect them.

This is an ongoing investigation however, and other personal data may be affected – we will update our website if this is confirmed.

We are looking into the matter fully to understand what has happened, but we need to make any UK Portfolio, England funding or Building Better Opportunities customers who supplied this type of information to us during this date range aware that their data could be at risk.

If you believe you may be affected, we would urge you to consider updating the passwords on your accounts (ensuring you use strong, unique passwords), look out for phishing emails or fraudulent activity on your bank account and consider running a credit check against your name and address to enable you to spot any fraudulent applications being made in your name.

You can find out more about protecting yourself from fraud here: https://www.actionfraud.police.uk/individual-protection. Your bank will also be able to provide you with protection advice.

If you have any concerns, please call our England Advice Team helpline (0345 4 10 20 30). We have also set up a dedicated email address data.breach@tnlcommunityfund.org.uk.

We are sorry for the worry and inconvenience this may cause and want to assure all our grant holders, past, present and future, that we take your personal data seriously. We will be working to ensure that our standards going forward are what you would expect.

We know that you will be keen to understand whether your personal information is involved or not. To help you, here are some Frequently Asked Questions (FAQs). Please don’t forget however that our England Advice Team (0345 4 10 20 30) and a dedicated email address data.breach@tnlcommunityfund.org.uk are there to support you with any concerns relating to this matter:

FAQs

I applied for funding through your Scottish funding programme during this timeframe – could I be affected?
No – the data breach does not involve anyone applying for or in receipt of a grant from our Scotland, Wales or Northern Ireland funding programmes. The breach relates only to data provided to us by England, UK Portfolio and BBO customers between September 2013 and December 2019. Data supplied outside of that date range or by customers of different programmes is unaffected.

I applied for a grant from your England funding programme last week – is my data at risk?
No – the breach relates only to data provided to us by England, UK Portfolio and BBO customers between September 2013 and December 2019. Data supplied outside of that date range or by customers of different programmes is unaffected.

If somebody calls me about this incident what should I do?
We will not be getting in touch directly with individual customers – if you are contacted please be very careful not to reveal any of your personal information (and particularly not Passwords or bank account PINS to the caller) as it could be a fraudster. Please do follow the advice we’ve outlined above so that you can protect yourself from fraud.

I am concerned and I need to talk to somebody about this – who do I contact?
Please call our England Advice Team helpline (0345 4 10 20 30). We have also set up a dedicated email address (mailto:data.breach@tnlcommunityfund.org.uk) to support you with any concerns relating to this matter. You can also find out more about protecting yourself from fraud here: https://www.actionfraud.police.uk/individual-protection and your bank will also be able to provide you with fraud protection advice.

If I apply to you now for funding, will my data be safe?
This is the first time we have reported a data breach to the ICO. We have a long track record of serving communities and our grant holders efficiently and securely – we have made a mistake here, and we want to reassure grant holders that we are taking this incident seriously and are committed to learning and improving from it.

Will I be contacted directly if my data is involved?
No unfortunately, despite our best efforts, we have been unable to identify specific individuals affected.

Is BBO participant data affected?
No – the breach does not involve BBO participant data.

When did the data breach occur?
We have pinpointed that the two disks went missing from a secure, access-controlled location on our premises between May and June this year (2021).

What size were the disks?
The disks were relatively small (containing 1TB of historic data).

What steps did you take to investigate?
Our priority throughout the investigation was to try to determine what had happened to the two missing disks and identify those customers directly affected so that we could provide them with tailored support.

We conducted a thorough search of our premises, interviewed staff and contractors to ascertain whether the two disks were removed in error as part of routine maintenance and reviewed all CCTV footage and security logs to identify unauthorised access. We have sought to recover legacy data held on other devices to identify affected data subjects and the data at risk. This included working with a specialist computer forensics company to seek to recover and repair data that had been previously deleted from our systems. Our Information Security team has also been tasked with monitoring the internet for any indication that data has been disclosed.