The National Childbirth Trust Hit by Data Breach - expert comments

April 2016

The BBC broke the news late yesterday afternoon that a childbirth charity has apologised to 15,000 new and expectant parents after their registration details were accessed in a "data breach".

The National Childbirth Trust (NCT) sent a message saying their email addresses, usernames and passwords had been "compromised". The incident has been reported to police and the UK’s data watchdog. The NCT stressed no other information had been accessed.

A spokesman confirmed 15,085 users were affected and said: "NCT has suffered a data breach which, regrettably, has caused some users of our website to have their registration details compromised."

If you are planning on covering this news, please see below for several comments from cyber security experts. You may have received some of these comments at the end of the day yesterday, but I am resending along with some additional ones. Feel free to use any/all of them in any stories you may be writing on this breach.

Simon Crosby, CTO and co-founder, Bromium:
“This incident at The National Childbirth Trust will be a wake-up call for people. But it’s not the first. Certainly it will provide a clear message to chief execs that if something like this happens then they can expect to be paraded in front of a voracious media – and they’d better have some good answers to some tough questions. Businesses have no excuse that they were not aware nor prepared for such attacks. They’ll need to prove that they took all reasonable steps to protect themselves. How they respond may be the difference between a damaging incident, and fatal disaster.

When we hear about attacks that have persisted on a compromised system for weeks or even months before detection, it is unlikely that hackers were waiting to take advantage of the breach, but far more likely that existing detection-based systems failed to properly respond to the attack. Organisations invest in a broad array of security solutions with the promise of actionable security insight, but the reality is that they are swimming in a sea of false alerts. Understanding hacker behaviour is as difficult as looking for a specific needle in a haystack that is 50 feet tall and made of other needles. When a hacker breaches a system, they will squeeze it for anything of value, including compromising endpoints for botnets, servers for bandwidth and of course the imminent threat of lost intellectual property or financial information. For end users and security teams this manifests as a noticeable decrease in system performance and unusual network connections, among other factors. If organisations are serious about keeping hackers out of their systems, they need to embrace proactive protection as the foundation of their security architecture. For example, hardening and isolating systems prevents data breaches, eliminating the need for costly detection and response.”

Richard Cassidy, technical director, EMEA at Alert Logic:
“The breach at The National Childbirth Trust highlights the challenge all organisations face in today’s cyber threat landscape and reiterates the fact that a fundamental change in our approach to data security is required across the board. Attackers leave digital fingerprints in their network activity or system logs that can be spotted if you know what to look for, and have qualified people looking for it. Through monitoring systems 24x7 and being able to distinguish normal from abnormal, organisations can identify and act against sophisticated attackers.
In reality it is becoming a great deal easier for hackers to exploit vulnerabilities on key data platforms, given the wealth of resources and information sharing on the cyber criminal underworld. In many respects organisations need to shift their focus to the view of “when” and not “if” a data breach or attack will occur. CISOs and CTOs need to learn from the wealth of information available on past high-profile breaches, and align their Cyber Security Strategy accordingly.

We can no longer rely on our point security tools to remain effective in isolation against the proliferation of threats and exploits we are seeing today. Security strategy needs to be intelligence driven, combining big-data analytics poised to detect indicators of compromise combining the wealth of data across all security toolsets, identifying both “sledge hammer” and “needle-in-haystack” breach styles. Equally importantly how well organisations protect their “data at rest” will go a long way in helping give customers the assurance that the best was done to protect their data and limiting the collateral damage in the aftermath of such a breach. As organisations we can only do so much, but unfortunately not many are doing enough. Boardrooms need to put cyber security risk and strategy back at the forefront of their agendas.”

“If you use any services whose data, if stolen and made public, could be used against you, then edit your profile now to include false information and a fake email address, or an alternative, randomised, non-work email address from an online provider.”

Luther Martin, distinguished technologist at HPE Security - Data Security:
“Data thieves are highly effective at finding weak points in security strategies. Protecting the sensitive data within the online environment could have avoided this type of data loss. There’s simply no excuse today not to follow best practices of encrypting all sensitive personal data as it enters a system, at rest, in use and in motion. The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure.

Cyber criminals today are motivated to steal enterprise data, intellectual property and employee or customer information. Hackers are always looking for a way to exploit a system in a way that they can then turn stolen data into cold, hard cash. There is a definite risk if credit card or account information is obtained. However businesses need to also think about protecting personal information about their customers like name, full address, phone number and email address. Criminals could then use this information to open bogus accounts or sell it for use in more targeted larger-scale spear-phishing or identity theft attacks.

Beyond the threat to sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of cyberattacks and other attempts to get this information.”

Robert Capps, VP of business development at NuData Security:
"This newly reported breach comes hot on the heels of a plethora of other data breaches. Yet another stark reminder that personal data is a desirable target for cyber criminals. A recent CyberEdge Group report uncovered a shocking statistic: 52% of security professionals surveyed say their organisation will likely fall victim to a successful cyber attack in the next 12 months. Security teams are finally waking up to the new reality when it comes to hacking - it’s more of a question of ’when’, and not ’if’ they will be breached. No matter how diligent an organisation is in its efforts to protect personal data, the data is still getting out there.
It is imperative that consumers who were subject to the recent breach verify they are not using the same compromised user credentials on other sites, and if they are, change them as soon as possible. This is yet another reminder and opportunity for consumers to implement the proper precautions when it comes to online security, and stop reusing the same username and password on more than one site - virtually eliminating the risk that the compromise of a single website will result in the loss of control of a number of online accounts owned by the same consumer.

Consumers should also get into the habit of enabling available multi-factor authentication technologies provided by any online services, such as one-time codes sent via SMS to a legitimate consumer’s mobile device. While such authentication techniques introduce a level of friction and poor user experience that consumers often find distasteful, they are an effective deterrent against the most common methods of inappropriate access to legitimate accounts until better solutions for positive identity verification are more broadly rolled out across online services.
As the amount of stolen personal data continues to skyrocket, traditional authentication techniques such as static usernames and passwords, and other fact-based authentication, will become far less effective. How we address the usefulness of this data, will greatly shape the quantity and scale of future data breaches, and related identity crimes to come, so it’s well beyond time for the online services themselves to evolve in the methods used to authenticate users, moving away from static usernames, passwords, and secondary knowledge based authentication questions such as the color of your first car, or derived from public records or a consumer’s credit file. Such static data has long been insufficient in providing an appropriate level of authentication and substantiation that the user trying to access an online service is the legitimate consumer that owns the online account. Established technologies such as continual behavioural analytics and passive biometrics, have proven themselves as strong solutions for increasing the accuracy of online authentication by evaluating hard-to-replicate and impossible-to-steal user behavioural signals, while decreasing the friction presented to consumers in the process."

David Gibson, VP of strategy and market development at Varonis:
“Hardly a day passes now without a breach of some sort, and it makes those of us embedded in the security and data protection world wonder when organisations will demonstrate a sense of urgency. Our observations suggest that businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who are supposed to have access to data in order to do their jobs. Spear phishing attacks that provide hackers with valid credentials are increasing in frequency and sophistication, so administrators and security practitioners should assume that if their networks aren’t already breached, there’s a good chance they may be some day.

When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time making sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.

Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”
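As an added example, not code from the article or from any of the vendors quoted above, the following Python script applies the kind of log analysis that Cassidy ("distinguish normal from abnormal" in system logs) and Gibson ("monitoring user access and analysing it properly") describe to a constructed authentication log. It looks for one source address cycling through many accounts in a short window, the credential-stuffing pattern that typically follows a leak of username/password pairs like this one, and for successful logins from a source a user has never used before; an account that matches both is the one to act on first. The log format, field names, thresholds, dates and IP addresses are assumptions chosen for illustration.

```python
"""Flag credential stuffing and new-source logins in a web auth log.

Added example, not the article's or any quoted vendor's code. It assumes
a constructed one-line-per-event format: "<ISO timestamp> <user> <ip> <result>".
Thresholds and the baseline cut-off date are illustrative choices.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two days of normal logins, then a burst from one
# address trying six accounts in six seconds (stuffing with leaked pairs),
# the last of which succeeds.
SAMPLE_LOG = """\
2016-04-01T09:02:11 alice 81.2.69.142 success
2016-04-01T09:15:43 bob 86.3.10.7 success
2016-04-02T08:58:02 alice 81.2.69.142 success
2016-04-02T18:20:19 carol 92.40.1.9 success
2016-04-03T03:11:01 alice 203.0.113.5 failure
2016-04-03T03:11:02 bob 203.0.113.5 failure
2016-04-03T03:11:03 carol 203.0.113.5 failure
2016-04-03T03:11:04 dave 203.0.113.5 failure
2016-04-03T03:11:05 erin 203.0.113.5 failure
2016-04-03T03:11:06 frank 203.0.113.5 failure
2016-04-03T03:11:07 carol 203.0.113.5 success
"""

# Events before this instant form each user's "normal" baseline (assumption).
DEFAULT_BASELINE_END = datetime(2016, 4, 3)


def parse_log(text):
    """Return a list of (timestamp, user, ip, result) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def find_credential_stuffing(events, min_accounts=5, window_seconds=60):
    """Map source IP -> max number of distinct accounts it touched within
    any window of `window_seconds`, for IPs at or above `min_accounts`.
    Failures and successes both count: a stuffing tool produces many of
    the former with an occasional hit."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in events:
        by_ip[ip].append((ts, user))
    suspects = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best, start = 0, 0
        for end in range(len(attempts)):
            # Advance the window start until it fits within window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({u for _, u in attempts[start:end + 1]}))
        if best >= min_accounts:
            suspects[ip] = best
    return suspects


def find_new_source_logins(events, baseline_end=DEFAULT_BASELINE_END):
    """Build each user's set of source IPs from successful logins before
    `baseline_end`; return later successes from an IP outside that set
    as (user, ip, iso_timestamp) tuples."""
    baseline = defaultdict(set)
    for ts, user, ip, result in events:
        if result == "success" and ts < baseline_end:
            baseline[user].add(ip)
    anomalies = []
    for ts, user, ip, result in events:
        if result == "success" and ts >= baseline_end and ip not in baseline[user]:
            anomalies.append((user, ip, ts.isoformat()))
    return anomalies


def triage(text, baseline_end=DEFAULT_BASELINE_END):
    """Run both detectors and intersect them: a new-source success from an
    IP that was also stuffing accounts is a likely takeover, not roaming."""
    events = parse_log(text)
    stuffing = find_credential_stuffing(events)
    new_source = find_new_source_logins(events, baseline_end)
    takeovers = [a for a in new_source if a[1] in stuffing]
    return {"stuffing_sources": stuffing,
            "new_source_logins": new_source,
            "likely_takeovers": takeovers}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A successful login from an unfamiliar address is a weak signal on its own, since real users roam between home, work and mobile networks, which is exactly the flood of alerts Crosby complains about. Intersecting it with the per-source account-spray count turns two noisy signals into one actionable one: here only carol's session from 203.0.113.5 is reported as a likely takeover, and that is the account to lock and reset first.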
