Highly sensitive personal information belonging to more than one hundred individuals who applied for jobs at the prestigious Tate galleries has been leaked online, the Guardian can reveal.
What Information Was Exposed?
The data breach involves personal details submitted by applicants during the Tate's search for a new website developer in October 2023. The leaked records, which span hundreds of pages, appeared on a website completely unconnected to the government-sponsored gallery group.
The exposed information includes applicants' home addresses, current salary details, and employment history. While the applicants themselves are not directly named, the data comprehensively identifies their referees, frequently listing their mobile telephone numbers and personal email addresses.
In total, information relating to 111 individuals was compromised. It remains unclear for exactly how long this private data had been publicly accessible online.
A Victim's Story: "Disappointing and Disillusioning"
The scale of the breach became apparent when Max Kohler, a 29-year-old computer programmer, was alerted last Thursday. One of his listed referees received an email from a stranger who had discovered Kohler's information within the online data dump.
Upon investigation, Kohler found the leaked file contained his previous salary, his current employer's name, and the full names, email addresses, and locations of his other referees. It also included extensive answers he had provided to specific job application questions.
"It's very disappointing and disillusioning," Kohler stated. "You spend time putting in all this sensitive information, salaries from previous jobs, home addresses, and they don't take care of this information and have it floating around in public."
He called for the Tate to remove the data, issue a formal apology, and conduct a full investigation into the incident to prevent future occurrences, suggesting the cause was likely "mistrained staff or a process error."
The Wider UK Data Security Context
This incident occurs against a backdrop of rising data security issues across the United Kingdom. Reports made to the UK's Information Commissioner's Office (ICO) have surged dramatically.
In 2022, there were just over 2,000 incidents reported per quarter. However, this figure climbed to more than 3,200 for the period between April and June this year alone.
Kate Brimsted, a data privacy expert and partner at law firm Shoosmiths, commented on the trend. "A breach doesn't have to be deliberate, and while the ransomware attacks get the headlines, the majority of breaches today are through error," she explained.
"It's just as important to have checks and processes as part of organisations' day-to-day practices. We are all fallible. It's really hard work managing your own data. It is difficult and sometimes boring, but is important."
The ICO has clear guidelines for such situations, stating: "Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms."
Tate's Response and Ongoing Investigation
When confronted with the leak, a spokesperson for Tate provided a brief statement: "We review all reports thoroughly and are investigating the matter. We have not identified any breach of our systems and wouldn't comment further while the matter is ongoing."
The galleries group, which operates Tate Modern and Tate Britain in London, Tate Liverpool, and Tate St Ives in Cornwall, has yet to confirm if the breach has been reported to the ICO.
