The cyber-attack on Prospect Union, the parent organization of Bectu, compromised the personal data of 150,000 members, including those in highly sensitive roles such as the Ministry of Defence, military suppliers, civil servants, nuclear sector, and national security agencies (e.g., DSTL). The breached data included bank details, contact information, birth dates, and protected characteristics, raising concerns about national security risks and potential exposure to hostile state actors. Members in defense and security-related professions criticized the four-month delay in disclosure, arguing that their personal security was jeopardized, especially for those handling classified operations. The attack’s scope suggests a targeted breach with severe implications, given the union’s representation of individuals in critical infrastructure and government roles. The Metropolitan Police’s cybercrime unit and the UK’s Information Commissioner’s Office (ICO) are investigating, with suspicions of possible state-sponsored involvement. The union has not confirmed whether a ransom was paid or if ransomware was involved, but the scale and sensitivity of the data indicate a high-severity incident with broad systemic risks.

Cybersecurity Breach at Prospect Trade Union Impacts Thousands Across Channel Islands A multi-jurisdictional investigation has been launched into a June data breach at Prospect Custodian Trustees Ltd, a trade union representing over 160,000 members, including scientists, engineers, and tech professionals. The incident, which exposed sensitive personal data—such as financial details, trade union membership records, ethnic origin, sexual orientation, disability, and religious beliefs—has prompted a joint probe by data protection authorities in Jersey, Guernsey, the Isle of Man, and the UK. The investigation will assess the scope of the breach, the potential harm to affected individuals, and whether Prospect implemented adequate safeguards to protect the compromised data. Authorities will also review whether the union complied with statutory notification requirements and whether its response effectively mitigated risks after the leak was discovered. Brent Homan, Guernsey’s Data Protection Commissioner, emphasized the need for cross-border collaboration, stating that international cyber threats require a unified response to uphold data rights. Paul Vane, Jersey’s Information Commissioner, noted the rising trend of multi-jurisdictional cyber and phishing attacks, underscoring the importance of coordinated enforcement to protect affected individuals. The outcome of the investigation could set precedents for data protection standards and breach response protocols across the British Isles.