Skip to content

Website Security Information

In January 2014 it was brought to our attention that the security of our Kids' Vote website had been compromised.

The website you are now reading is housed on a new server with upgraded security measures in place.

Although there is no evidence to indicate that any data was taken, in the spirit of openness and transparency we have made users of the site aware of this situation so that they can take precautionary measures they feel appropriate, such as changing their passwords on any website where they may have used the same user ID and password.

As soon as we were made aware of the incident we launched an immediate investigation to understand exactly what happened. Our investigations have now concluded, and appropriate security improvements have been put in place. 

Users who were registered with the site or subscribed to our mailing list will have received an email from BAFTA notifying them of the situation.

No further emails relating to this have been sent and we will never use email to prompt users to disclose personal information. We ask you to remain wary of any suspicious emails purporting to be from BAFTA; if you do receive any such emails please inform us immediately at security@bafta.org.


Questions and Answers

 

What happened?
On 23 January 2014, BAFTA was informed that this site had been compromised by illegal means. This was done with the purpose of adding rogue content to the website with a view to boosting the search engine rankings for the sites referenced in the new content. Entry was gained via an automated attack on the administrator login of the WordPress site.

Do you know if any data was actually taken?
After extensive investigation, there is no evidence that any personal data was taken, however due to the nature of the attack, we are unable to say with absolute certainty that data was not taken.

What data could have been compromised?
We want to be clear that we have not found any direct evidence to suggest that any data was taken. Personal data entered by our users during the registration process for the site included first and last names, email addresses, age and encryption-protected passwords.

I subscribed to the newsletter. Is there anything else I can do? 
Even though there is no evidence to suggest personal data has been taken we believe it’s better to be safe than sorry. We have contacted everyone who has subscribed to the newsletter to make them aware of the situation so they can exercise increased vigilance with the emails they receive.

How many people does this affect?
There is no evidence that anybody has been affected, but as a precaution we have alerted all users of the site.

What steps did you take once you were alerted to the breach?
We requested a full and immediate investigation by the companies that designed the site and managed the server on which the site was hosted. The website was taken offline immediately, and increased security measures were put in place when the site was reinstated. We also commissioned an independent investigation into the attack and have taken advice on further measures that can be implemented to improve website security. 

How could this happen?
The attack was the result of a successful attack on the administrator login of a WordPress site hosted on the same server.

Have you reported this to anyone?
We take the matter extremely seriously and feel that the security of our users is paramount; therefore we have contacted the Information Commissioners Office (ICO) with details of the breach.

Has anyone claimed responsibility?
We have been able to establish that this was a sophisticated attack which took place from outside of the UK. It is unlikely that anyone will claim responsibility for the crime however the ICO will investigate if appropriate.

How can you ensure this doesn't happen again?
We have moved the site onto a server which has been independently tested to ensure that it is secure. Routine security checks will also continue as usual and additional measures have been put in place to increase the security of both the server and the website code.

Is the bafta.org website affected?
No. This site is held on a completely separate server.

Does this affect any of the BAFTA awards?
No. The systems used to collect and count votes for all BAFTA awards are entirely separate.

For further enquiries, please contact us here.