Posted on Facebook and emailed to all members on 23rd July 2019.
On Saturday 20th July we were made aware that a hostile takeover of this website www.birdline.co.uk had taken place. This occurred when the volunteer web developer who had initially setup the new website, contacted the company that provides the website software and formerly hosted the website (WordPress.com) and claimed ownership of the site. They were able to do this, as they had receipts showing that they had paid for the initial setup costs. Despite the fact that they had publicly and privately told us these startup costs were a donation to the charity. The volunteer has since resigned from the organisation and all their access rights were subsequently revoked by us.
What are we doing about it?
We have emailed all website users informing them of the attack and how their personal data may have been compromised. If you are registered on the website please look out for this email.
We have complained to WordPress and asked them to remove and delete all personal data stored on the website. They have agreed to comply with this request.
We have also written to the former volunteer informing them that they have unlawfully taken possession of Birdline’s intellectual
Property and the personal data held on the website, and in so doing they are in breech of Section 170 of the Data Protection Act 2018. We have asked them to delete any such data and to confirm in writing to us that this has taken place.
We are seeking legal advice on what further steps should be taken and have self- reported the incident to the appropriate regulatory body: The Office of the Information Commissioner. We are taking the ICO’s advice with regards to managing this situation, which they have helped us assess as a low risk to public safety.
We have brought in an expert in IT and website security to advise us and are accordingly moving our website to a more secure server, not connected with WordPress. This will ensure a similar incident can not happen in the future.