Home Group, one of the biggest housing associations in the UK, recently suffered a data breach that may have compromised personal information such as names, home addresses, and contact details of about 4,000 customers.
Even though Home Group did not issue any statement on its website concerning the cyber security incident, it sent emails to a large number of affected customers, informing them about the incident and reassuring them that their payment information was not compromised.
“We wanted to let you know we have been made aware of a potential data vulnerability on one of our technical systems and we’re really sorry this happened. We are letting you know because your details were included. This information does not include any of your bank or payment information,” the email read.
According to Times and Star who first reported the data security incident, the organisation was informed about a potential breach of customer records by a third-party security consultant and then proceeded to fix the issue within 90 minutes.
Data breach affected customers in properties all over England, says Home Group
A spokesperson from Home Group told BBC that the cyber security incident affected “customers in properties all over England, including those in North East, North West and Yorkshire” and that hackers who carried out the cyber attack would have needed “expert cyber security knowledge”.
“At Home Group we take the safety and security of our customers extremely seriously. We were made aware of a potential data vulnerability and immediately responded to and resolved the issue. This affected a very small proportion of customers and did not include any financial data,” said John Hudson, chief financial officer at Home Group.
“We have a robust incident response protocol in place to deal with situations such as this, which meant the vulnerability was identified and fixed extremely quickly.
“We have contacted all customers affected and I want to reassure all our customers that their information is secure at Home Group and that we follow strict guidelines and protocols when it comes to data sharing and cybersecurity,” he added.
Javvad Malik, security awareness advocate at KnowBe4, said that while it is unclear at this moment how the company was breached, it is encouraging to see the company was able to quickly respond to the breach, and inform its affected customers once notified by a third party.
“However, companies should be building their own detection capabilities so that they are not reliant on third parties to disclose any breaches. Similarly, while the company claimed to have resolved the issue within 90 minutes, that is still ample opportunity for records to be accessed and copied,” he added.