Personal details of 111 job applicants for a website developer role at Tate art galleries (including Tate Modern, Tate Britain, Tate St Ives, and Tate Liverpool) were leaked online in October 2023. The exposed data—spanning hundreds of pages—included sensitive information such as home addresses, current and past salaries, employer details, education history, referees' names, personal email addresses, and mobile numbers. The breach was discovered when a referee of one applicant (Max Kohler) was contacted by a stranger who found the data on an unrelated public website. The leak, attributed to potential staff mishandling or process errors, did not involve a cyberattack or ransomware but stemmed from internal negligence. The incident underscores systemic failures in data protection, with Tate denying a system breach while investigating the matter. The UK's ICO mandates reporting such breaches within 72 hours if they risk individuals' rights. The incident also reflects a rising trend of accidental data exposures across organizations.
TPRM report: https://www.rankiteo.com/company/tate
"id": "tat3402734111525",
"linkid": "tate",
"type": "Breach",
"date": "10/2023",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': '111 job applicants',
'industry': 'Arts & Culture',
'location': 'London, UK (with branches in Cornwall and '
'Liverpool)',
'name': 'Tate Galleries',
'type': 'Non-profit Art Organization'}],
'data_breach': {'data_exfiltration': 'Yes (published on unrelated website)',
'file_types_exposed': 'Application documents (likely PDFs or '
'text files)',
'number_of_records_exposed': '111 individuals',
'personally_identifiable_information': 'Yes (addresses, phone '
'numbers, emails, '
'employment details)',
'sensitivity_of_data': 'High (includes salaries, addresses, '
'and private contact details)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Employment history',
'Salary data',
'Referee contact details',
'Application responses']},
'date_detected': '2023-10-05',
'date_publicly_disclosed': '2023-10-05',
'description': 'Personal details of 111 job applicants for a website '
'developer position at Tate art galleries (including Tate '
'Modern, Tate Britain, Tate St Ives, and Tate Liverpool) were '
'leaked online. The exposed data includes addresses, salaries, '
'referee contact details (names, phone numbers, email '
'addresses), current employers, education history, and '
'application answers. The leak was discovered in October 2023 '
'when a referee of one applicant was contacted by a stranger '
'who found the data online. The cause is suspected to be a '
'staff or process error, not a system breach.',
'impact': {'brand_reputation_impact': 'Negative (public criticism, loss of '
'trust in data handling)',
'customer_complaints': 'At least one reported case (Max Kohler)',
'data_compromised': ['Personal addresses',
'Salaries',
'Referee names',
'Referee phone numbers',
'Referee email addresses',
'Current employer details',
'Education history',
'Job application answers'],
'identity_theft_risk': 'High (sensitive personal and financial '
'data exposed)',
'legal_liabilities': 'Potential (ICO investigation pending)'},
'investigation_status': 'Ongoing (Tate internal review; ICO may investigate)',
'post_incident_analysis': {'root_causes': 'Suspected staff/process error '
'(e.g., misconfigured file sharing, '
'accidental upload to public site)'},
'recommendations': ['Implement stricter data handling protocols for job '
'applications',
'Conduct staff training on data protection (e.g., GDPR '
'compliance)',
'Establish clear breach response procedures',
'Public apology and transparency report (per applicant '
'demand)',
'Regular audits of third-party vendors handling sensitive '
'data'],
'references': [{'date_accessed': '2023-10-06',
'source': 'The Guardian',
'url': 'https://www.theguardian.com/artanddesign/2023/oct/06/tate-job-applicants-personal-details-leaked-online'}],
'regulatory_compliance': {'legal_actions': 'ICO investigation pending '
'(72-hour breach notification rule '
'applies)',
'regulations_violated': 'Potential violation of UK '
'GDPR (General Data '
'Protection Regulation)',
'regulatory_notifications': 'Not confirmed (Tate '
'claims no breach of '
'systems)'},
'response': {'communication_strategy': 'Limited public statement; no apology '
'issued yet',
'incident_response_plan_activated': 'Under investigation (Tate '
'statement)',
'remediation_measures': 'Data takedown requested (per applicant '
'demand)'},
'title': 'Tate Art Galleries Job Applicant Data Leak',
'type': 'Data Breach (Unintentional Disclosure)'}