Civil service apprentices studying at a major further-education college have been warned to be extra vigilant against fraud after their details were found on the dark web following a ransomware attack.
The Cabinet Office has written to apprentices signed up for work-related studies at Bridgwater and Taunton College in Somerset offering a package of support that includes a one-year subscription to a credit-checking organisation.
Although the attack took place in January, investigations into its extent are still ongoing. In a letter to civil service apprentices whose training is run by the college the Cabinet Office said it had been notified this month that some apprentices’ details had been discovered on the dark web, meaning personal information supplied as part of the enrolment process had been compromised.
The letter stressed that no civil service system had been breached and that the records system for learners had not been compromised. But it warned that individuals’ names, addresses, phone numbers, next-of-kin details, National Insurance numbers, and signatures were among the details obtained in the attack.
It urged staff affected to be on the lookout for signs of identity fraud, such as unusual payments or direct debits appearing on their bank statements, or important mail going missing. The letter said the Clearscore credit-reference subscription should be used to monitor credit scores, identity theft and exposure on the dark web.
The communication also advised apprentices to change their email passwords if they had used compromised addresses for other online accounts.
Civil Service World understands that there are around 130 civil service apprentices from 12 different departments enrolled at Bridgwater and Taunton College. Neither the Cabinet Office nor the college would confirm the figure.
The Ministry of Defence and the UK Hydrographic Office are among the government organisations the college works with. Bridgwater and Taunton College also hosts a state-of-the-art branch of the National College for Nuclear at its Cannington campus.
A statement from Bridgwater and Taunton College said investigations were still ongoing into the full extent of personal data compromised in January’s incident.
“As part of the investigation, our IT experts recently identified that enrolment data relating to a small cohort of students on the Business Administration Level 4 apprenticeship programme was impacted,” a spokesperson said.
“We take our data protection responsibilities incredibly seriously and informed KPMG without delay.”
KPMG is the civil service’s main learning provider.
The spokesperson added: “Understanding if any further data may have been impacted is a priority of the ongoing investigation and we will of course continue to comply with our regulatory requirements.”
A Cabinet Office spokesperson said: “We can confirm that a personal data breach involving a number of civil service apprentices occurred earlier this year.
“This breach, as a result of a ransomware attack, has been reported to the police and the Information Commissioner’s Office.
“All affected students have been informed and bespoke online security guidance and support has been provided.”
It is thought that January's incident was part of a national attack that targeted educational institutions.
PCS, the civil service’s biggest union, said the breach had left affected apprentices in a “threatening and distressing situation” and that the disclosure of their personal details as well as home addresses and contact numbers posed an unacceptable risk to individual and departmental security.
“These criminals are aware of a huge amount of information,” it said. “They are aware of names, home addresses, contact numbers, etc… This has left our members very open to threats from these criminals. This could also place the security of departmental or other systems at risk.
“With many working from home, all it would take is for someone to break in to individual homes to take a Surface Pro or other IT equipment.”
The union added that staff whose data had been compromised could potentially also be exposed to extortion attempts as a result of the breach.
“These scenarios may not occur in many cases, but it is just not acceptable to offer Clearscore as an acceptable resolution to this breach,” PCS said.
It added that a one-year subscription to the credit-check service was too much of a short term measure even to counter the risk of fraud, when professional criminals were savvy enough to sit on personal data for much longer.