Home Group, one of the UK’s biggest housing associations, has suffered a data breach in which thousands of personal details are believed to have been stolen.
Customer names, addresses and contact information of about 4,000 people are thought to have been compromised. No bank or payment details were affected.
The Newcastle-based charity, which provides rented homes to 116,000 people in England and Scotland, said it closed the breach within 90 minutes.
The Home Group data breach first came to light after being spotted by a third-party security researcher.
It was first reported by Times & Star after the housing association sent an email alerting its customers. The breach affected customers in England, including those in North East, North West and Yorkshire.
A Home Group spokesperson told the BBC that the culprit would have required “expert cybersecurity knowledge”.
Home Group data breach affected 3.4% of customers
In a statement, John Hudson, chief financial officer at Home Group, said: “At Home Group we take the safety and security of our customers extremely seriously. We were made aware of a potential data vulnerability and immediately responded to and resolved the issue. This affected a very small proportion of customers and did not include any financial data.
“We have a robust incident response protocol in place to deal with situations such as this, which meant the vulnerability was identified and fixed extremely quickly.
He added that Home Group follows “strict” data sharing and cybersecurity guidelines and protocols.
Robert Wassall, director of legal services at cybersecurity firm ThinkMarble, pointed out that while the breach represents just 3.4% of its customers, many of the tenants are classed as vulnerable citizens.
He added that the personal data being in the possession of malicious hackers is “potentially serious” for those affected.
Javvad Malik, security awareness advocate at cybersecurity firm KnowBe4 said:
3 Things That Will Change the World Today
“It’s unclear at this moment how the company was breached, but it is encouraging to see the company was able to quickly respond to the breach, and inform its affected customers once notified by a third party.
“However, companies should be building their own detection capabilities so that they are not reliant on third parties to disclose any breaches. Similarly, while the company claimed to have resolved the issue within 90 minutes, that is still ample opportunity for records to be accessed and copied.”