Cyber Incident Victim: Centre for Computing History

On or around October 19, 2021, the Centre for Computing History (CCH) in Cambridge, England, discovered a breach of its online customer datafile after being notified that a unique email address used for ticket bookings received a phishing email impersonating HSBC. An investigation revealed unauthorized access to a single customer datafile containing names and email addresses, which subsequently fell into the hands of spammers. Initial communications from CEO Jason Fitzpatrick erroneously stated postal addresses were also compromised, but this was later corrected to a communication error between management and the technical team, confirming only names and email addresses were exposed. No payment card details, financial information, or passwords were affected, as the museum’s systems did not store or process those elements. The compromised data specifically included the names of purchased products or events alongside customer email addresses.

CCH immediately implemented security updates to patch the vulnerability and block the attacker’s access method. The Information Commissioner’s Office (ICO) was notified of the breach on the morning of October 19, with confirmation of receipt and processing of the report. Fitzpatrick issued a public apology, emphasizing transparency, prompt remediation, and the embarrassment caused by the incident. The breach occurred as the museum was recovering from pandemic-related lockdowns, which had reduced on-site events contributing to approximately half its annual revenue. While no direct financial fraud risks existed due to the nature of the exposed data, customers were advised to remain vigilant against phishing attempts leveraging the stolen email addresses. The museum reiterated its commitment to data security but acknowledged the inherent risks of online systems.