ICO ‘taking no action’ on arts data breach

Data watchdog decides regulatory action not required after arts organisations notify it of ransomware attack that resulted in customers' names and email addresses being stolen.

Patrick Jowett

The watchdog in charge of ensuring people's digital data is kept safe will not investigate a major data breach affecting numerous arts organisations across the UK.

Institutions including The Courtauld and the Royal Academy of Arts have notified the Information Commissioner's Office (ICO) of a ransomware attack on WordFly, which happened on 10 July.

The data breach resulted in names and email addresses of people on the mailing lists of arts organisations being taken. Arts organisations that use WordFly as a marketing email system were left unable to log into WordFly, send email or SMS campaigns, or use its CRM (customer relationship management) integrations for 19 days.

A spokesperson for The Courtauld told ArtsProfessional that after flagging the incident with the ICO, the watchdog told them regulatory action was not required.

An ICO spokesperson explained: “Not all data breaches need to be reported to the ICO. Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.”

It is not clear how many organisations in total have contacted the ICO regarding the incident.

WordFly reported a return to full service on Friday (29 July) and has maintained its previous assurances that there is no evidence customer data was compromised or misused, or that any financial information was involved. 

The recovery took longer than first expected, with original guidance from WordFly suggesting emails would be available from 25 July. In an update last Wednesday (27 July), WordFly said “the root cause of the issue we had been troubleshooting since the weekend” had been resolved and set a target return of the end of the week.

As of Friday, WordFly told affected organisations links in previously sent emails were working again, with data returning to their CRM.

The impact

Howard Buckley, Director of marketing and communications agency Make A Noise, said the impact of losing email provision during the summer would depend on the cycle of an organisation’s programme.

“There is no good time to lose your email functionality, on one hand summer is generally a quieter booking period for some live arts organisations, but many run summer programmes designed to get the family market in,” he said.

“Museums and galleries are looking for heavy footfall throughout the summer months, and organisations are gearing up for their autumn seasons and programmes and it may affect early bird booking announcements.”

While WordFly was offline, the software firm suggested organisations “plan accordingly” if they needed to send an email.

Buckley said the offline period may have given arts organisations the opportunity to look at their communications: “We can become over-reliant on e-shots as they are cheap and easy to produce in-house, but are you getting the returns?”

“Take this time to look at the open rates, click throughs and effectiveness – are you sending too many ineffective emails?”

The Courtauld, which uses WordFly solely to communicate pre- and post-visit information to gallery visitors, told ArtsProfessional it moved its communications to an alternative platform, but did not specify if the move was permanent.

Buckley said WordFly may lose customers following the breach. “If I had to swap email providers it certainly wouldn't be a short-term fix, it'd be a shift away,” he explained.

“Email providers need to be reliable, as soon as they lose that, they lose the trust of their users.”

Ransom paid

ArtsProfessional understands WordFly paid an initial ransom in return for its marketing email system.

One source, who informed ArtsProfessional of the ransom payment via the anonymous We Hear You platform on the ArtsProfessional website, said “pretty much every organisation that uses Tessitura across the globe” will have been affected by the data breach, including the Sydney Opera House, Glyndebourne and Metropolitan Opera New York.

WordFly confirmed payment of a ransom during an online question and answer session with clients held shortly after the incident, adding that money was paid to “mitigate the data leakage”.

ArtsProfessional has contacted WordFly Business Development Director Kirk Bentley to ask for confirmation of how much was paid, but is yet to receive a response.