Cyber incident statement

Unfortunately, The Big Life group experienced a cyber-attack on 29 June 2023, in which our IT systems were hacked. During the cyber-attack, someone took information from our systems without our permission. Since then, we’ve been investigating this incident with the help of third-party IT security specialists and have been trying to understand exactly what data was taken, as well as minimise the impact of the attack.

This was a criminal act which happened even though we had security measures in place and we had also successfully achieved Cyber Essentials Plus accreditation before the incident. Unfortunately, however, cyber criminals are constantly seeking to discover ways to bypass organisations’ security, leading to an ongoing race between security organisations and criminals.

Our security measures stopped a lot of the attack. This meant that the criminals were only able to access legacy data stored on a remote desktop server, with the majority of our data having been moved to a secure cloud-based location.

We got expert support immediately and closed down any systems that could have been compromised as quickly as possible. We believe that these actions minimised the potential impact of the attack. We also worked with the relevant authorities, including the Information Commissioner’s Office, the National Cyber Security Centre (NCSC), the National Crime Agency and other regulatory bodies.

Understanding the movements of the cyber attackers to determine if any data was taken or copied from our systems has been a key part of the investigation. Unfortunately, our investigation has shown that some data was compromised, and we will be contacting approximately 62,500 people in relation to that. We know this will cause concern to our staff and to members of our community and we sincerely regret this.

We are continuing to follow regulatory guidance to notify relevant people, which we are doing via email and post (and in some cases via text). If you are reading this because you have received a notification from us, your wellbeing is our main concern and we have set up a customer support centre, details of which will have been provided.

We sincerely regret that this incident happened, and we are continuing to work with experts to enhance our cyber and information security, which includes seeking to secure ISO27001 (a recognised international cyber security standard).