MARCH 2022
Are you now or have you ever been connected to Dance City in the following ways?
- Centre for Advanced Training (CAT) student or parent/guardian
- BA (Hons) Professional Dance student
- MA Advanced Dance Performance student
- BTEC Dance student
- Board Member
If so, please read on to find out more about a cyber attack at Dance City that may affect you due to historical data, potentially of a sensitive nature, being stored on the affected servers. Personal records were password protected. However, we cannot guarantee this has provided protection against the highly sophisticated cyber attackers.
We have carefully considered the likelihood and severity of the risk to people’s rights and freedoms, following the breach.
We are contacting as many individuals from the groups above as we can because there is a possibility that these individuals’ personal data has been exfiltrated from Dance City’s backup servers during the cyber attack. We have determined that this does increase the likelihood of risk to people’s rights and freedoms and therefore we should take action to alert and support you without delay.
Dance City is endeavouring to contact all individuals who may be affected by the data breach; however, we are aware that some data has been lost to the attackers. If you have not received an email about the cyber attack, please contact the relevant department (listed below under ‘WHO TO CONTACT AT DANCE CITY’) and we will do our best to support and advise you.
If you fall into one of the below groups:
- Attendee of classes/workshops/holiday dance camps
- Attendee of theatre performances
- E-Newsletter subscribers
- Artists
- Teachers
- Any other transactional relationship e.g. suppliers, contractors
Your personal data is stored and processed in a cloud-based Customer Relationship Management and Box Office system called Spektrix. Spektrix has NOT been affected by the data breach.
However, it has been identified during our investigation that customer lists have been created and downloaded for the purpose of, for example, class registers. These lists may include personal data limited to email addresses and telephone numbers. This type of personal data represents a lower risk to people’s rights and freedoms. There is additional information/links below about potential risks.
WHAT HAS HAPPENED
In late February 2022, Dance City became the victim of a cyber attack. Dance City staff became aware of the attack when servers and devices were encrypted and a ransom message was delivered.
The data breach does NOT include Spektrix, which is our cloud-based Customer Relationship Management (CRM) system and box office. This is where we hold all our customer data and how we process payments.
The data breach has NOT impacted on Office 365. This is our cloud-based Software as a Service (SaaS). We migrated to 365 from 2020 onwards.
The data breach relates only to Dance City backup servers and data stored between approximately 2008-2020.
THE PURPOSE OF THIS PUBLIC STATEMENT
This statement from Dance City is intended for public dissemination for the following purposes:
- Dance City wants to be transparent about what has happened
- Dance City wants affected individuals to be informed about the potential risk levels to them because of this data breach
- Dance City wants to offer support and advice signposting to individuals concerned about the impact of the data breach
- Dance City is continuing to investigate the data breach. To date we have not learned of any detriment having occurred to data subjects. We wish to invite individuals to inform us if they experience any detrimental impacts that are possibly connected to the Dance City cyber attack. To register any such reports please email Data Officer and Head of Communications caroline.greener@dancecity.co.uk
THE ACTIONS DANCE CITY IS TAKING
Dance City self-reported the events to the Information Commissioner’s Office (ICO) within 72 hours of learning about the breach. Following internal investigations, a second self-report has been submitted to the ICO and we are awaiting a response (at time of writing).
The Northumbria Police Cyber Crime Unit has been informed and is investigating.
In accordance with advice from our IT consultants and the police, we are not responding to the hacker’s demands for ransom to return the data. To do so would further increase the risks to individuals.
Dance City is undertaking to contact individuals whose data may have been stored on the affected servers.
Dance City is undertaking a review of cyber security.
INITIAL RULING BY ICO
The case was considered by the ICO under the General Data Protection Regulation (GDPR) due to the nature of the processing involved and because the incident occurred on or after 25 May 2018.
This initial report was made to the ICO using information about the data breach supplied to Dance City by our IT consultants. Based on this information the ICO decided that regulatory action is not required in this case. Below is an extract of the ruling by the ICO:
“We have considered whether Dance City has complied with the requirements of Article 5(1(f)) of the GDPR which states that:
‘Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)’
Our consideration of this case
After careful consideration based on the information that has been provided, we have decided not to take any formal enforcement action on this occasion. It is my conclusion that this case does not reach the requirements for regulatory action based on the information provided.
This decision is due to the particular facts of this case, the low number of affected Data Subjects, the quick recovery of the affected data, and the remedial measures set out in the breach report which we would expect to be implemented in order to prevent a reoccurrence.”
Dance City is continuing to investigate the data breach, and has been keeping the ICO informed of any new information that comes to light. Our second self-report to the ICO (submitted 15 March 2022) included details of the sensitive personal data held by some departments.
We have not received a reply from the ICO at the time of this message.
In light of the possible exfiltration of historical personal data, we have taken the decision to contact affected individuals as a precaution and offer support.
POTENTIAL CONSEQUENCES OF THE DATA BREACH
Damage resulting from the malicious processing of personal data includes, for example, the risk of:
- becoming a victim of fraud, e.g. your email address or telephone number being used in a phishing scam (more information about phishing and how to prevent it is here https://www.ncsc.gov.uk/collection/phishing-scams )
- financial losses
- social disadvantage, such as damage to reputation
- unauthorised reversal of pseudonymisation.
Legitimate emails from Dance City will come from two sources:
STEPS YOU CAN TAKE TO PROTECT YOURSELF
You may wish to take some precautionary steps to protect yourself, and be aware of unusual requests or activity purporting to come from Dance City.
- Carry out a password reset on hardware and software
- Use strong, unique passwords
- Look out for phishing emails or fraudulent activity
There is a good step-by-step guide on the government’s National Cyber Security Centre website https://www.ncsc.gov.uk/guidance/data-breaches
FURTHER INFORMATION RESOURCES
The ICO website offers a comprehensive set of information, advice and support for individuals concerned about their personal data being misused. Dance City is in contact with the ICO and complying fully with any regulatory requirements. We recommend that you visit the website and familiarise yourself with the information. www.ico.org.uk
Dance City Privacy Policy https://www.dancecity.co.uk/privacy-policy/
WHO TO CONTACT AT DANCE CITY
If you would like to contact us about this issue, to ask questions or to report a possible detrimental impact relating to the data breach at Dance City please contact:
Caroline Greener, Data Officer and Head of Communications
caroline.greener@dancecity.co.uk.
Please also feel free to copy in the relevant departmental contact.
CAT
Hannah Moreno, CAT Manager
Training Academy
Adam Dutton, BA & MA Coordinator
Artistic Team
Alex Anslow, Producer
CYBER ATTACK & DATA BREACH FAQs
Q: Has my data been hacked?
A: We may not be able to find out for sure because some data has been lost during the cyber attack. Provide your name, email address and connection to Dance City and we will do our best to find out. In the meantime visit https://www.ncsc.gov.uk/guidance/data-breaches for advice and guidance on steps you can take if your data may have been breached.
Q: What is a data breach?
A: A data breach occurs when information held by an organisation is stolen or accessed without authorisation.
Q: What might happen?
A: Criminals can then use this information when creating phishing messages (such as emails and texts) so that they appear legitimate. The message has been designed to make it sound like you’re being individually targeted, when in reality the criminals are sending out millions of these scam messages. Criminals may even send messages pretending to be from an organisation that has suffered a recent data breach.
Even if your details are not stolen in the data breach, the criminals may exploit high profile breaches (whilst they are still fresh in people’s minds) to try and trick people into clicking on scam messages.
Q: Why wasn’t I informed immediately?
A: Dance City has been conducting investigations into the cyber attack since we learned of it. It has taken some time to discover what data may have been affected. We are still not certain what data has been exfiltrated because of the amount of historical data (up to 12 years) which has been locked by the cyber attackers. Dance City is conscious not to cause undue worry to our contacts, and has been awaiting advice from the ICO. However, in the absence of an official response from the ICO to our second self-report, Dance City deemed it necessary to make a public statement so that people who have potentially been affected can take steps to protect themselves.
WE WILL UPDATE THIS PAGE WITH FURTHER FAQs AND INFORMATION