Personal information belonging to job applicants at Britain's prestigious Tate art galleries has been exposed online, revealing sensitive details including home addresses, salary information, and contact details of professional references. The data breach affects 111 individuals who applied for a website developer position at the government-sponsored organization in October 2023.
The leaked records, spanning hundreds of pages, appeared on a website completely unrelated to the Tate organization, which operates the renowned Tate Modern and Tate Britain galleries in London, as well as Tate St Ives in Cornwall and Tate Liverpool. The exposed information includes applicants' current employers, educational backgrounds, and detailed responses to job application questions. While the applicants themselves are not named in the leaked data, their professional references are identified, sometimes including mobile phone numbers and personal email addresses.
The breach came to light when Max Kohler, a 29-year-old computer programmer who had applied for the position, discovered his personal information in the leak on Thursday. He learned about the exposure after one of his listed references received an email from a stranger who had found the data dump online. Kohler's leaked information included his previous salary, current employer's name, and complete contact details for his references, along with his comprehensive answers to application questions.
"It's very disappointing and disillusioning," Kohler said about the incident. "You spend time putting in all this sensitive information, salaries from previous jobs, home addresses, and they don't take care of this information, and have it floating around in public." He called for immediate action from the organization, stating, "They should take it down, apologize and there should be a report into how this happened and what they are going to do to ensure it does not happen again. It must be mistrained staff or process error."
The incident highlights a growing trend in data security breaches across the United Kingdom. According to recent statistics, the number of data security incidents reported to the UK's Information Commissioner's Office (ICO) has increased significantly. In 2022, there were just over 2,000 incidents reported per quarter, but this number has risen to more than 3,200 between April and June of this year.
Kate Brimsted, a partner at law firm Shoosmiths and an expert in data privacy, information law, and cybersecurity, provided insight into the nature of such breaches. "A breach doesn't have to be deliberate, and while the ransomware attacks get the headlines, the majority of breaches today are through error," she explained. "It's just as important to have checks and processes as part of organizations' day-to-day practices. We are all fallible. It's really hard work managing your own data. It is difficult and sometimes boring, but is important."
Regarding regulatory requirements, the ICO, which oversees data protection in the UK, emphasized organizations' obligations in breach situations. "Organizations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms," an ICO representative stated. "If an organization decides that a breach doesn't need to be reported they should keep their own record of it and be able to explain why it wasn't reported if necessary."
A Tate spokesperson responded to the incident with caution, stating, "We review all reports thoroughly and are investigating the matter. We have not identified any breach of our systems and wouldn't comment further while the matter is ongoing." The duration of how long the sensitive data had been circulating online remains unclear as the investigation continues.
