
@troyhunt
Created November 23, 2016 20:32
A very well written breach notice from Mountain Training
Dear [redacted],
This email is being sent to you about a recent security breach to Mountain Training's website and has been sent using Mail Chimp instead of our candidate management system. The reason for this is explained below.
Our candidate management system, powered by TahDah, recently suffered a security breach and I want to reassure you straightaway that no passwords, bank or card details have been accessed, or ever can be. On the evening of Saturday 12th November, someone gained unauthorised access to the website of our candidate management system via the admin account of a TahDah staff member. The database, which sits behind the website, was not accessed. The unauthorised person(s) replaced the login page so that no one could gain access to the website and sent an email to ‘All candidates’ which contained a malicious link.
The staff of Mountain Training and our database developer TahDah responded very quickly and were able to intercept the email, so that it was sent to a relatively small percentage of our candidates. TahDah also redirected the malicious link after a short period of time so that it could do no further harm. We are continuing to work closely with North Wales Police cyber-crime unit and TahDah on this incident and have been informed that an arrest has been made, computers have now been seized and the individual is assisting the Police with their enquiries. We are also continuing to work with the Information Commissioner’s Office. Security is paramount in our operations and the nature of this breach is unusual, hence the speed with which an arrest was made.
We have discovered that during the breach, a report on the personal details of everyone on the database was downloaded from the website along with a payment report. There are no signs that the data has been shared or used beyond the download but I will summarise what was on this report and what you and Mountain Training can do to deal with this.
What was on the personal details spreadsheet?
The personal details on the spreadsheet were: MTID, Name, Email, Date of birth, Address, Gender, Ethnicity, Phone (day/evening/mobile). Much of this information may be in the public domain but we have decided that it is important to notify every candidate directly.
The spreadsheet included a TRUE/FALSE response with regards to whether each candidate has a web account (i.e. has logged in to their account either on the original candidate management system or TahDah), is a course director and works for a provider. It also details which associations each candidate is a member of (MTA, AMI, BAIML, BMG, TahDah Premium) and on what date their web account was created.
This spreadsheet did not include any usernames or passwords, training/assessment details, workshop or CPD information, nor did it include any location data, internet log files, web browsing histories, or itemised call lists. No data has been affected or changed in this security breach so your records and DLOG entries are unaffected (the database was never directly accessed and the information taken was acquired as a report from the website).
What was on the payment report?
The spreadsheet contained limited details of all transactions made between 3rd November 2015 and 12th November 2016, none of which involved you. It did not include anyone’s bank account details or card details, which are all managed via a separate payment gateway (Stripe, which is regulated by the Financial Conduct Authority) and not stored on the system.
What should you do?
We advise that you be vigilant against suspicious emails or other suspicious activity relating to your personal details and specifically the transactions you have made through our system. In case you are worried you can log in to the system and review your record of qualifications and experience and if need be email us at info@mountain-training.org if there are any anomalies.
You can review your email preferences and privacy settings by visiting the ‘Settings’ area within your account: click on your username (top right) when you are logged in and then click on Settings.
What have we done about the breach?
TahDah were able to intercept the email while it was being sent and therefore reduce the scale of candidates directly affected. The security of the system and particularly for our administrators (privileged accounts) has been increased and we have therefore ensured that the specific way that the security breach occurred can’t happen again. Network security and malware prevention have been reviewed and data protection training is being provided to our staff. Policies on home and mobile working and a strategy for monitoring our system are being developed.
I am truly sorry that this incident has occurred and assure you that we are very committed to keeping your information safe. I want to reassure you that we will never ask for your financial information in any correspondence that we send to you. We will keep our website updated with any relevant news and answers to frequently asked questions and will also use social media channels to keep as many people as possible informed.
John Cousins
Chief Executive
Mountain Training UK