Outdoor enthusiasts are being warned to be on the lookout for suspicious emails after a training website was hacked.
Spam containing a malicious link was sent out to those registered for qualification awards on the Mountain Training website.
The organisation oversees numerous national governing body awards, including Mountain Leader, Single Pitch Award and Mountain Instructor Award.
Mountain Training said: “On the evening of Saturday 12 November, someone gained unauthorised access to the website of our candidate management system via the administration account of a TahDah staff member.”
TahDah Verified is a north Wales company that runs the online registration and logbook system for candidates that replaced paper logbooks some years ago.
MT said a database, which sits behind the website, was not accessed. “The unauthorised person(s) replaced the log-in page so that no-one could gain access to the website and sent an email to ‘all candidates’, which contained a malicious link.”
The organisation, which has bases at Capel Curig, Manchester, Aviemore and in Northern Ireland, said: “Staff of Mountain Training and our database developer TahDah responded very quickly and were able to intercept the email, so that it was sent to a relatively small percentage of our candidates.
John Cousins, chief executive of Mountain Training UK, said: “TahDah also redirected the malicious link after a short period of time so that it could do no further harm.
“We are continuing to work closely with North Wales Police cybercrime unit and TahDah on this incident and have been informed that an arrest has been made, computers have now been seized and the individual is assisting the police with their enquiries.
“We are also continuing to work with the Information Commissioner’s office. Security is paramount in our operations and the nature of this breach is unusual, hence the speed with which an arrest was made.
“We have discovered that, during the breach, a report on the personal details of everyone on the database was downloaded from the website along with a payment report.
“There are no signs that the data has been shared or used beyond the download.”
The spreadsheet downloaded by the hacker contained personal details including candidate’s Mountain Training ID; name; email; date of birth; address; gender; ethnicity; and phone numbers.
Mr Cousins said: “Much of this information may be in the public domain but we have decided that it is important to notify every candidate directly.” All award candidates have been sent an email with details of the data breach. Other information downloaded included which provider award holders and candidates work for, and which membership organisations they belong to.
Mr Cousins said: “This spreadsheet did not include any usernames or passwords, training and assessment details, workshop or continuing personal development information, neither did it include any location data, internet-log files, web-browsing histories, or itemised call lists.”
He said candidates’ online log entries are unaffected. Bank and card details, which are kept on a payment system operated by a different company, were not accessed, MT said.
The organisation said it was advising those registered with it online to be vigilant against suspicious emails or other suspicious activity relating to personal details and specifically transactions made through its system. It said it had tightened its security since the hack so a similar attack cannot happen again.
The chief executive said: “Network security and malware prevention have been reviewed and data-protection training is being provided to our staff. Policies on home and mobile working and a strategy for monitoring our system are being developed.”
He told those affected: “I am truly sorry that this incident has occurred and assure you that we are very committed to keeping your information safe.
“We will keep our website updated with any relevant news and answers to frequently asked questions and will also use social media channels to keep as many people as possible informed.”
Registration with Mountain Training is compulsory for anyone undertaking awards ranging from Lowland Leader to Mountain Instructor Certificate.
Ian512
25 November 2016A sophisticate, user friendly database or website may unfortunately still have security issues.
If a database or website's security can be strengthened after the fact then clearly it could have been strengthened before the fact.
Perhaps a greater emphasis on site security (not saying it wasn't considered) should be factored in at early planning.
Ian512
25 November 2016For example - car manufacturers are good at designing computer programs for engine manage etc., but may not be so strong on software security.
In 2016 a security flaw allowed the Mitsubishi Outlander's software to be breached, allowing hackers to control the car's technology.