News & Resources

Crew and Concierge data breach puts thousands at risk

  • Posted on

According to a report by Verdict, a data breach at UK-based Crew and Concierge Limited has exposed the personal data of 17,379 people working in the yachting industry. The discovery follows an investigation by Verdict, a company which offers news and editorial on topics such as technology, disruption, business and innovation.

What do we know about the Crew and Concierge data breach?

According to the report:

  • Crew and Concierge is an international recruitment agency. It secures staff for ultra-high-net-worth clients' yachts
  • The breach affects 17,379 people of 50 different nationalities - all of whom were on Crew and Concierge's books
  • The data appears to have been online and available for anyone to access without a password since February 2019.

Should yachting personal be worried?

Crew and Concierge has said that there is no evidence that its files have been maliciously accessed. However, if the report is accurate, the data exposed in this breach is highly sensitive. It includes:

  • Full names
  • Phone numbers
  • Emails
  • Nationalities
  • Visa details
  • Dates of birth
  • Work history
  • Professional qualifications
  • References
  • Maritime and drivers' licences
  • Military service records
  • Medical certificates (and some drug test results)

Of particular concern, according to Verdict, the breach also exposed 1,295 scanned copies of passports, around 1,000 of which are still in date. And, medical information is considered "special category" data and therefore particularly sensitive.

This is more than enough information for dedicated cybercriminals to commit identity theft and financial fraud.

How has Crew and Concierge responded?

In a statement to Verdict, Sara Duncan, director of Crew and Concierge, said:

"From the moment we learnt of the breach my team and I have worked tirelessly to identify the sources of disclosure, detect the areas of weakness, close the vulnerability, recover control of the data, identify precisely what data was compromised, and minimise the potential risk and harm to the affected individuals."

She added:

"We have been advised by the cybersecurity consultant that exploitation of S3 buckets is by no means a straightforward activity and that it appears likely that the individual or individuals responsible have developed advanced tools designed specifically to identify AWS customers and whether or not they have misconfigured instance that may leave it open to malicious attack."

"In our case, the confidence was placed in the team of developers we had hired, trusting that they would do a competent job and implement appropriate and proportionate technical and organisational measures to ensure the protection of the large volumes of information, including personal and sensitive personal information relating to our registered crew.

"We have since established that the breached AWS S3 bucket that we outsourced contained personal data stolen by a malicious actor/s based on a misconfiguration by a third party and published into the public domain.

"This impacts Crew and Concierge, and its valued clients and staff, for which we take full responsibility as the data controller. In the very short period, we have come to understand the true impact of a cyberattack, and we have learnt many valuable but hard lessons."

The ICO is aware of the breach and is assessing the information provided.

What can you do if you are worried about the Crew and Concierge data breach?

It is not yet clear whether Crew and Concierge has informed those affected by the data breach. But if you are at all concerned, we would urge you to contact the company directly for clarification. People living in the UK should also inform the Information Commissioner's office.

We would also urge anyone affected to take all necessary security measures to ensure that they do not become the victim of a crime following the breach of their data. You can find out more about how to do this here.

Making a data breach compensation claim

In today's digital world, your personal data is a valuable commodity. However, all too often negligent business processes, human error and cybercrime mean this sensitive data isn't as protected as it should be. And, the impact of data breaches goes much further than financial losses. Many victims go on to suffer from stress, anxiety and distress.

Crucially, if an organisation has failed to protect your personal data, you have a right to claim compensation. Even if you haven't suffered as a result.

In response, at Hayes Connor Solicitors, we help our clients with their compensation claims. We do this after their data was put at risk by the organisations they trusted to look after it.

If you have been the victim of a privacy violation due to an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. At Hayes Connor Solicitors, we've been helping people to do just that for over 50 years, so we know what it takes to make a successful data breach compensation claim.

Find out how our experts can help you with your claim

Make a claim