IT incident affecting site users providing their contact details prior to January 4, 2021
An IT incident has impacted Innovate UK EDGE’s website. You may have been using this website when Innovate UK’s advisory support service was known as Enterprise Europe Network (EEN) (https://enterprise-europe.co.uk/): Innovate UK owned and operated the EEN website and it relabelled its advisory support service as Innovate UK EDGE on January 4th, 2021.
On the day of the transition to the new web address, an authorised third-party supplier to Innovate UK erroneously placed files (back-ups of some EEN-era website data) in a folder that was invisible to everyday site users but technically publicly accessible. This error was notified to us by an independent information security firm called TurgenSec, operating the data breach reporting service Breaches.uk, which works with organisations to ensure any breaches are closed and to mitigate any harms. We first became aware of its notification in the week commencing 22/2/21.
At the conclusion of our initial investigation, two user groups were affected:
- The files included a list of 16,440 email addresses entered during interactions with the old EEN site until January 4, 2021. A large proportion of these were spam email addresses generated by bots and not bona fide users. However, genuine user email addresses were included on this list.
- These files also included a subset of 2,401 user ‘first contact’ messages and contact information submitted on the EEN website contact form to our contact centre. Although there were numerous spam messages in this total, genuine user messages to us were included, along with their names, business names, postcodes, email addresses, messages and, potentially, phone numbers if they included them.
There is no indication that passwords were stored in this data, because they are not collected by the affected part of our content management system.
An initial analysis shows that the data has been accessed by 15 different IP addresses.
We contacted all affected website users by email on 26/2/21.
As an organisation we take incidents of this nature extremely seriously: we have contacted the ICO to report the breach and are keeping it informed.
Once the investigation, conducted in conjunction with our third-party supplier, is complete we will update this page in the event that other information was potentially exposed and we will contact any further affected users.
In the meantime we recommend that you remain alert for phishing attacks that could be targeted towards the email address you used to access the Innovate UK EDGE service. Innovate UK, UKRI and the Research Councils will never send an unsolicited email to users asking them to upload sensitive information to access our services.
We would encourage anyone with concerns to please contact us.
We would also like to highlight the following guidance available from the National Cyber Security Centre.
- Guidance for individuals on dealing with suspicious emails, phone calls and text messages and breaches which you can find here and here
- And, more generally, there are actionable steps people can take to protect themselves online here
Please note that this incident does not relate in any way to our consortium of Innovate UK EDGE (formerly Enterprise Europe Network) delivery partner organisations around the country that you may have dealt with when receiving advisory support. Their IT systems are entirely separate to our website content management system, where this problem was identified.
Deputy Executive Chair and Chief Business Officer