National Childbirth Trust breach shows all data needs to be safeguarded

Breach of more than 15,000 login credentials and email addresses at the National Childbirth Trust underlines that every sector must take cyber security seriously, say security pundits

Security experts say the exposure of the personal details of 15,000 people registered with the National Childbirth Trust (NCT) shows that all digital data needs to be protected.

The UK-based charity, which provides information and support in pregnancy, childbirth and early parenthood, has informed all those affected and urged them to change their passwords.

Police are investigating the breach and the Information Commissioner’s Office – the UK’s privacy watchdog – has been informed, reports the BBC.

According to the NCT, the email addresses, user names and encrypted passwords of 15,085 people were compromised, but no other personal or financial data was exposed.

In the email to those affected by the breach, chief executive officer Nick Wilkie said: “While your password is encrypted, as a precaution I would advise you to change any password as soon as possible for other accounts or registrations that use these details.”

Cyber criminals routinely test stolen credentials on a range of online services to access accounts where the same credentials have been used.

Security experts are also advising those affected by the breach to change their passwords on any other website where they reused the compromised credentials.

“This attack proves that in the digital world it isn’t only international businesses that are at risk,” said Jason Andrew, general manager and vice-president for Europe at BMC Software.

“The fact that cyber criminals are targeting childcare charities is a reminder that all digital information is a potential target and why organisations should make every effort to secure all internal systems and protect customer data as a priority.”

Paul Farrington, senior solution architect at Veracode, said charities and healthcare organisations are seen as a soft target because of the sensitivity of the data they hold and their perceived ability to protect information assets.

“We have seen a number of high-profile hospitals recently held to ransom with malware in the US, underlining that every sector needs to take cyber security seriously,” he said.

This latest compromise of credentials again emphasises the problem of relying on passwords as the single form of access control, said James Romer, chief security architect at SecureAuth.

“Passwords alone are simply not strong enough, nor adequate to protect vital applications and data,” he said. “If organisations haven’t yet learnt this from the many data breaches in the past year, then this latest breach should be a hefty reminder that businesses need to stop deploying such a minimal approach to authentication and take note that if they have something valuable, they are at risk from attacks.”

Romer said organisations should strengthen their defences against cyber adversaries by layering multiple authentication methods, such as device recognition, analysis of the physical location of the user, or even by using behavioural biometrics to continually verify the true identity of the end-user.

“Individuals affected by this notification and those looking to improve their personal cyber security posture should be both vigilant and proactive about protecting their identities,” he said. “This includes steering clear of password reuse across multiple sites and adopting a password manager to allow for extremely complex passwords.”
