Thousands of Oxbridge alumni may have had their personal details compromised after it emerged that a hard drive containing the data was stolen from the headquarters of an elite club.
The exclusive Oxford and Cambridge Club is said to have written to its 5000 members this week urging them to check for suspicious activity on their bank accounts.
The theft of the back-up hard drive from a locked room at the club’s Pall Mall HQ was discovered on November 16 and a police investigation has now been launched, with private investigators also hired.
Alongside illustrious Oxbridge alumni such as broadcaster Stephen Fry and the Astronomer Royal, Lord Rees, 100 members of staff are also thought to have been affected. As honorary members, the Prince of Wales and Duke of Edinburgh are not thought to have had their details taken.
Stolen information is said to include names, home addresses, phone numbers and some bank details.
A letter sent to members, and seen by the Sunday Telegraph, stated:
“This situation has arisen as a result of the theft of a storage disk, and not as a breach of the cybersecurity system, and although the data contained on the disk is protected by multiple layers of security and heavy password protection, we have been advised by data specialists that there is a very remote chance that information could be obtained.”
Jon Fielding, EMEA managing director at Apricorn, argued that organizations must protect sensitive data at rest like this with strong encryption as a form of insurance against the costs resulting from a subsequent breach or data leak.
“Yes, encrypted drives carry a higher cost than those that are unencrypted but just look at the cost of the breach reported here — hiring of private investigators, the workload required to notify up to 5000 individuals compromised, to offer remedy and, potentially the most costly, the involvement of the Information Commissioner’s Office (ICO),” he continued.
“The ICO has the authority to fine organizations it deems in breach of the UK Data Protection Act up to £500,000. This figure rises markedly to the greater sum of €20m or 4% of turnover in May 2018 when the General Data Protection Regulation (GDPR) comes into effect.”