
Cyber Incident Victim: Morgan Hunt

Date: Jun 2022

Location: United Kingdom

Summary

A British recruitment agency experienced a cybersecurity incident in which an unauthorized third party accessed its systems using database credentials that a third-party software developer had stored improperly. The breach compromised freelancers' personal data, including names, contact details, identity documents, proof of address, National Insurance numbers, and dates of birth. While the agency assessed the risk of identity theft or fraud as low, it advised heightened vigilance and engaged external cybersecurity experts to investigate and resolve the incident.


Description

Morgan Hunt, a British recruitment agency serving sectors including charity, education, finance, government, housing, and technology, confirmed a cybersecurity incident impacting one of its databases around June 2022. An unauthorized third party gained access to the agency's systems due to a third-party software developer improperly storing credentials to the database. The breach was discovered by Morgan Hunt, prompting immediate action involving external IT cybersecurity experts to investigate, manage, and resolve the incident. The compromised database contained personal data belonging to contractors and temporary staff, including names, contact details, identity documents, proof of address documents (such as bank or building society statements), National Insurance numbers, and dates of birth. Morgan Hunt notified affected contractors via a letter sent by the end of June 2022, disclosing that their data may have been copied during the intrusion.


The agency acknowledged a theoretical risk that the exposed information could be exploited for identity theft or fraud, though it assessed this risk as low. Despite this assessment, Morgan Hunt advised impacted individuals to exercise increased vigilance regarding their personal details. The incident did not disrupt the agency’s operations, as containment measures were implemented swiftly after detection. Beyond credential misuse, no specific details about the attacker’s methods were disclosed, nor was the duration of unauthorized access. The breach highlighted vulnerabilities stemming from third-party credential management practices, though Morgan Hunt did not publicly identify the software developer involved. Investigations focused on securing the compromised systems and preventing recurrence, with no reported evidence of misuse of the stolen data at the time of disclosure.
