The names, addresses, bank details and signatures of some Wightlink customers have been compromised following a sophisticated cyber attack on the cross-Solent operator’s IT infrastructure, it has been revealed.
Wightlink is in the process of contacting affected customers about the data security incident and has reported the matter to the Police, with the South East Regional Organised Crime Unit currently investigating the matter.
The company says that it was on 7th February this year that it discovered Wightlink had been the victim of a criminal cyber-attack via unauthorised activity on the company’s IT systems, which has resulted in some customer personal information being accessed.
Security experts are said to have been carrying out extensive investigations into the incident, with confirmation that compromised data may include customer’s first name, last name, bank account number and sort code, address and signature.
In a statement issued tonight, Wightlink has told Island Echo:
“Unfortunately, despite Wightlink taking appropriate security measures, some of its back office IT systems were affected by a cyber attack last month. However, this criminal action has not affected Wightlink’s ferries and FastCats, which have continued to operate normally during and following the attack, nor were its booking system and website affected.
“As soon as the incident was discovered, Wightlink engaged specialist cyber security experts to investigate and assess the situation and reported the matter to the Information Commissioner’s Office (ICO). Wightlink is also liaising with the South East Regional Organised Crime Unit.
“Wightlink does not process or store payment card details for bookings. However the investigation has identified a small number of customers and staff for whom other items of personal information may have been compromised during the incident.
Article continues below this advertisement
Wightlink Chief Executive Keith Greenfield says:
“This was a highly sophisticated criminal attack on an essential service. I would like to thank all my colleagues at Wightlink who responded quickly ensuring that the impact to customers was minimised and that cross-Solent travel and bookings were unaffected.”
Wightlink says it will be making no further comment at this stage as the matter is an ongoing criminal investigation.
Why on earth has this taken over a month to come out. Diabolical considering customers are possibly effected!
7th of feb and we have just been told?? And good news they haven’t been affected when the customers bank details have been taken….. lucky Wightlink’s want one of them
Over 1 month to tell us, your customers, that our bank details and personal information etc may have been compromised!! Disgraceful.
I bet this “highly sophisticated” attack was someone clicking on a link in a phishing email!
Or log4j and their website not sanitising user input. Drop a special string on their site and get full access.
xkcd 327 🙂
The ICO says:
At a glance
Part 3 of the DPA 2018 introduces a duty on all organisations to report certain types of personal data breach to the Information Commissioner. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
Could this be people who asked for multi link pass refunds due to covid travel ban perhaps ? I have had the ‘I’m affected’ email from them and checked back in my emails and they wanted bank details and signature posted to them with the passes for a refund .. It would be useful to know the exact group of customers affected as this might ( slightly ) reassure those who were not affected !
The more I think about this the more angry I become. This could ruin lives e.g. loans being taken out against our names. Wightlink how about also paying the £25 fee for us to register for cifas registration. ( identity fraud ). Not that £25 will make much difference if we lose thousands and lose our ‘ identities’. We all know the police and authorities do nothing about identity and financial fraud.
Yet another extremely strong case to bring back the booking office and booking clerk and to hell with all this on-line rubbish we are continually plagued with. And then when there is a critical crew member missing (the booking clerk) free travel will be available. That won’t happen for sure!
Wight.ink will loose or claim if any loss or take it on the chin they can afford to but the poor paying customers can’t .
compensation is due as this will play havoc on people’s minds , worrying etc
Who says it’s “SOPHISTICATED”? Maybe an inexperienced developer may think that but a script kiddy will say it was childs play.
Give details of how it was done and let us decide if it was “SOPHISTICATED”
Over a month to publicize this-absolutely disgusting. Wightlink obviously care nothing about their customers, only how this news might effect future bookings.