News

Exclusive: Major arts organisations affected by ransomware data breach

Southbank Centre, Royal Shakespeare Company, Royal Opera House and The Old Vic among many UK arts organisations affected by huge data breach.

Neil Puffett
5 min read

A software firm that holds details of ticket buyers attending performances at major arts organisations in the UK has been the victim of a massive data breach, it has emerged.

WordFly, which sends emails on behalf of clients including the Southbank Centre, Royal Shakespeare Company, Royal Opera House and The Old Vic, was subjected to a "ransomware attack" on 10 July, which resulted in "some of the data" its customers use to communicate with subscribers being "exported".

The firm's services are currently down, with cyber security experts working to get them back up.

READ MORE:

WordFly has told its clients that they should consider using a different email marketing provider if they need to send emails before 25 July, and has moved to assure them that there is "no evidence that any customer data in WordFly has been compromised or misused".

The incident has been referred to the FBI and is now subject to ongoing criminal investigation. Meanwhile, WordFly's clients have been told that the firm is not notifying any UK or European Union data protection authorities as it is not the “controller” of the data under the General Data Protection Regulation, (GDPR). 

However, it said that customers wondering whether they need to notify authorities themselves – which in the UK would be the Information Commissioner's Office – should take steps independently to verify their legal obligations.

Names and email addresses

In a statement posted on WordFly's website, the firm's Business Development Director Kirk Bentley said the scope of the data affected primarily included names and email addresses.

"While this data was exported from the WordFly environment by the bad actor that perpetrated this incident, it is our understanding that as of the evening of 15 July 2022, that data has been deleted from the bad actor’s possession. 

"We have no evidence to suggest, before the bad actor deleted the data, that the data was leaked over the dark web and/or sent to any other public facing domain/disseminated elsewhere.

"Due to the generally non-sensitive and public nature of the data described above, as we currently understand it, we have no evidence to suggest that any of this information has been, or will be, misused to perpetrate harm to the rights and liberties of our customers or their subscribers."

Vicky Kington, Head of Communications at The Royal Opera House said her organisation was alerted last week to a "global outage" on WordFly's platform.

"We have been unable to email customers since WordFly notified us of this incident," she said. 

"The Royal Opera House is one of many UK arts organisations who have been affected and we will provide further updates in due course as more information becomes available."

Phishing emails

Catherine Mallyon, Executive Director at the Royal Shakespeare Company, said: "The Royal Shakespeare Company’s third-party marketing email provider, WordFly, is currently not operating due to a ransomware incident, which means that emails to RSC audiences cannot currently be sent via the WordFly email provider.

"WordFly's investigations are ongoing, but they have indicated that some limited customer data has been accessed. This includes name and email address records but not customer payment details, postal addresses, phone numbers or passwords as this information is not stored on the WordFly platform.

"We will provide further updates if any further relevant information becomes available. As always audiences are advised to be vigilant and aware of the potential for phishing emails."

WordFly has suggested that organisations that use its email service consider using other providers while it services are down. 

"We suggest looking at larger services such as Campaign Monitor, Constant Contact and MailChimp for a temporary fix," Bentley said.

But there is concern that there is little point arranging short-term cover because by the time arrangements have been agreed, WordFly will be operating again, leaving organisations unable to contact their customer base.

Louise Sinclair, Head of Marketing and Communications at Cheltenham Festivals, writing on a Facebook community page, asked other WordFly users what they are doing while the service is down. 

"We're wondering if it is worth temporarily finding another provider but worry it will be a lot of set up work and would probably end up WordFly was back by the time we're done," she said. 

"We're right in the middle of a festival so the timing of this is especially challenging for us from a sales point of view!"

Worst possible scenario

Martin Gammeltoft, Vice President of Commercial Operations for Activity Stream, another marketing firm for event organisations which has clients including the Barbican, Shakespeare's Globe and Manchester International Festival, described the incident as "the worst possible scenario".

"A horrible week. A company that I respect was hit by a cyber security attack and were locked out of their own service, hurting a lot of people and services," he wrote on Linkedin.

"Not because they did anything wrong, there was probably no reason they were the target. I can't imagine how painful it must be. A week of fighting to understand what happened, or trying to find a way back, and realising how everything you worked for had been hurt, bad.

"For software companies, this is the worst possible scenario, and I've spoken to people who felt like I did – that it could have been us."