WordFly Incident and Response

21 Jul 2022

The Courtauld has been notified by WordFly, a third-party provider of email services to many arts and cultural organisations worldwide, of a cybersecurity incident.

WordFly has confirmed that the data compromised in the incident was low risk as it did not involve any sensitive data including credit card or payment information. Following our knowledge of this breach, we immediately launched our own investigation and wanted to inform our gallery visitors about the situation and the steps we are taking to ensure the greatest possible level of data security.

What happened

On July 10, 2022, WordFly was subject to a ransomware attack involving the export of data from their servers to an external location.

On the morning of July 15th, The Courtauld, along with many other major arts organisations worldwide, received an email from WordFly stating that an incident had taken place. In this statement, they said this data primarily included visitor names and email addresses.

What information was involved?

We would like to reassure our gallery visitors that:

  • The incident did not happen at a Courtauld facility or involve any Courtauld data handlers, and did not specifically target The Courtauld or our database
  • As our organisation uses WordFly solely to communicate information prior to and after a gallery visit, while visitor names and email addresses were included in the data, our visitors’ financial data (including credit card detail) is not compromised

The data accessed by the attackers may have contained some of the following information:

  • Name and title
  • Email

Safeguarding your data – what we are doing

Immediately following the update to The Courtauld as to the data breach, we immediately launched our own investigation and have taken the following steps:

  • We are notifying our gallery visitors so that you are aware of this breach of WordFly’s systems and, as best practice, remain extra vigilant
  • We have informed the ICO (UK data protection authority) of the breach
  • We are taking steps to understand how many other parties in the arts sector have been affected
  • We are working with WordFly to understand what actions they have taken to increase their security
  • Whilst this breach was as a result of a third-party attack, we are reviewing our internal practices and continue to take advice from our Data Protection Officer to ensure the greatest levels of data protection moving forward

We very much regret any inconvenience that the data breach by WordFly may cause. Please be assured that we take data protection very seriously and we are grateful for our visitors’ continued support and engagement.

Citations