Cyber Incident Victim: Multiple Sclerosis Society
Date:
Oct 2014
Location:
United Kingdom
Summary
The MS Society experienced a cybersecurity incident involving malicious software on its systems, potentially compromising personal details of individuals registered on its online forum, those who contacted the organization through its website form, or submitted information requests via email or telephone. Exposed data included names and contact details, though financial information remained secure as the breach did not affect donation processing systems. The charity notified relevant regulatory bodies, advised users to change passwords—noting encrypted credentials were unlikely to be decrypted—and established a dedicated helpline. Immediate security enhancements were implemented, and a full investigation was initiated to determine why existing protections failed against the sophisticated attack.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In October 2015, the Multiple Sclerosis (MS) Society discovered malicious software on its systems, indicating a hacking attempt had occurred. The incident potentially compromised personal details of individuals who interacted with specific sections of the charity’s website. Affected parties included users registered on the MS Society’s online forum, those who submitted inquiries through the website’s "contact us" form, and individuals who requested information via email or telephone. The compromised data consisted of names and contact details, but the charity confirmed no financial information was exposed because the attack did not involve its donation processing system. Upon identifying the breach, the MS Society promptly notified the UK Information Commissioner’s Office and the Charity Commission, adhering to regulatory obligations. The organization publicly apologized for the incident and advised potentially affected users to change their website passwords immediately, particularly if they had reused those credentials elsewhere. However, it emphasized that stored passwords were encrypted using a highly secure system, making unauthorized access unlikely.
The MS Society initiated a multi-faceted response to address the breach and mitigate its impact. Chief Executive Michelle Mitchell stated the charity acted swiftly to identify at-risk individuals and directly notify them, while also launching a full investigation into the incident. This investigation aimed to determine why existing security measures failed to block what Mitchell described as a "sophisticated, malicious attack." Concurrently, the organization implemented immediate upgrades to its website security systems to prevent future compromises, though specific technical details were not disclosed. To assist concerned users, the MS Society established a dedicated helpline with extended operating hours, accessible via two phone numbers provided in its communications. Mitchell reiterated the charity’s commitment to information security, calling it a top priority, and acknowledged the breach had caused significant operational disruption. The incident underscored vulnerabilities in the charity’s digital infrastructure despite prior safeguards, prompting both internal reviews and external regulatory engagement.