The Woodland Trust, a charity dedicated to protecting woodland across the UK, has been the victim of a "sophisticated, high level cyber-incident" according to its website.
The attack happened after 7pm on 14 December, and the Trust is still feeling the effects (as of 17/02/21), stating on its website "we're currently experiencing technical difficulties, we're still here to help". It blames the cyber incident for the problem.
In an earlier announcement, it confirmed the charity had disconnected all its IT systems in an effort to prevent any further unauthorised access. It seems the attackers were able to hack the IT systems, but it is not yet clear if the criminals were able to grab the contact details or financial data belonging to Trust members.
However, as a precaution, the Trust does advise members "to be mindful of any suspicious activity, especially unexpected emails or phone calls from unknown sources or purporting to come from your bank". It goes on to recommend seeking advice from the Financial Conduct Authority on how to protect themselves from scams.
Reporting the incident to authorities
The charity is unable to give a date when their investigation will be completed, but on learning about the breach they did inform the police and the Charity Commission. They also informed the Information Commissioner's Office (ICO), which is a requirement of the General Data Protection Regulation (GDPR) and has to be done within 72 hours of an attack being noticed.
They have also taken steps to inform all those affected by the incident, which again is a GDPR requirement and needs to be done "without undue delay".
The organisation is working hard, alongside forensic IT specialists, to understand the nature of the attack and whether any data has been compromised.
Sobering lesson from British Airways
In October 2020, the ICO fined British Airways £20m for failing to protect the personal and financial details of more than 400,000 of its customers. An ICO investigation found the airline was processing personal data without adequate security measures. The ICO claimed the failure broke data protection law and led to a cyber attack on BA during 2018, which the airline did not detect for more than two months.
The Woodland Trust sought to assure members that steps have been taken to further protect their data. As soon as they became aware of the incident, they disconnected all their IT systems, and no further data was put at risk. They claim on their website that disconnecting the systems protected them from any further attacks.