Personal details submitted by applicants for a job at Tate art galleries have been leaked online, exposing their addresses, salaries and the phone numbers of their referees, the Guardian has learned.
The records, running to hundreds of pages, appeared on a website unrelated to the government-sponsored organisation, which operates the Tate Modern and Tate Britain galleries in London, Tate St Ives in Cornwall and Tate Liverpool.
The data includes details of applicants’ current employers and education, and relates to the Tate’s hunt for a website developer in October 2023. Information about 111 individuals is included. They are not named but their referees are, sometimes with mobile numbers and personal email addresses. It was not immediately clear how long the data had been circulating online.
Max Kohler, a 29-year-old computer programmer, discovered his data appeared in the leak on Thursday after one of the referees on his application was emailed by a stranger who had seen the data dump online.
Kohler found that it included his last salary, the name of his current employer, and names, emails and addresses of his other referees, as well as lengthy answers he had given to job application questions.
“It’s very disappointing and disillusioning,” he said. “You spend time putting in all this sensitive information, salaries from previous jobs, home addresses, and they don’t take care of this information, and have it floating around in public.
“They should take it down, apologise and there should be a report into how this happened and what they are going to do to ensure it does not happen again. It must be mistrained staff or process error.”
The number of data security incidents reported to the UK’s Information Commissioner’s Office (ICO) continues to rise. In 2022 there were just over 2,000 incidents reported per quarter; that has increased to more than 3,200 between April and June this year.
Kate Brimsted, a partner at the law firm Shoosmiths and an expert in data privacy, information law and cyber security, said: “A breach doesn’t have to be deliberate, and while the ransomware attacks get the headlines, the majority of breaches today are through error. It’s just as important to have checks and processes as part of organisations’ day-to-day practices. We are all fallible. It’s really hard work managing your own data. It is difficult and sometimes boring, but is important.”
The ICO, which regulates data protection in the UK, said: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”
A spokesperson for Tate said: “We review all reports thoroughly and are investigating the matter. We have not identified any breach of our systems and wouldn’t comment further while the matter is ongoing.”
