Frequently Asked Questions
1. What happened?
We have recently become aware that an unauthorised party accessed and may have acquired a database created in 2015 containing personal data associated with a number of RYA user accounts. The affected information included email addresses and RYA website passwords which were encrypted and therefore not visible.
2. What information was affected by this issue?
The affected information included name, email and hashed passwords the majority held with the salted hash function, which is used to secure passwords.
The affected data did not include any financial or payment information and in this stage in our investigation there is no evidence that this data has been misused it was legacy test data and it appears that the unauthorised party who gained access to a hosted server subsequently deleted that database.
3. What is a "hashed password"?
Hashing is a one-way mathematical function that converts an original string of data into a seemingly random string of characters. Salts are used to safeguard passwords in storage. Historically a password was stored in plain text on a system, but over time additional safeguards developed to protect a user's password against being read from the system. A salt is one of those methods.
4. What did the RYA do when it discovered the issue?
Once we became aware, we quickly took steps to determine the nature and scope of the issue and to ensure other similar data sources were secure. We are working with data security consultants to assist in our investigation and we have notified and are coordinating with the Information Commissioner's Office.
5. Do you know who did this?
We do not know the identity of the unauthorised party. Our investigation into this matter is ongoing and we have engaged leading data security firms, including forensic specialists, to assist in our investigation.
7. Who is being notified?
We are notifying identified users to provide information on how they can protect their data.
8. What is the RYA doing to protect my account?
We value your privacy and we take our obligation to safeguard your personal data very seriously and are alerting users about this potential issue so you can take steps to help protect your information.
We are taking further steps to protect our community, including the following:
9. What are the consequences for me?
In the unlikely event that the data was copied, and the more unlikely case that the password encryption was broken, the key risk would be the potential to access other systems where individuals had used the same email address and password (and not changed them in the last 5 years) or the ability to build a more complex individual picture to support a targeted digital attack or fraud.
10. I think I received an email about this issue. How do I know it is really from the RYA?
Please note that any email from the RYA about this issue (subject: Important notification regarding RYA Account Security) does not contain attachments and does not request your personal data. If you receive an email about this issue which suggests you download an attachment, or asks you for information, the email was not sent by RYA and may be an attempt to steal your personal data.
Avoid clicking on links or downloading attachments from such suspicious emails. Any link included in our email to users directs users to these Frequently Asked Questions, and does not request your personal data.
11. I think I received a message about this issue in the RYA SafeTrx app. What should I do?
The log-in error message on the RYA SafeTrx app and website is intended to ensure that all users update their SafeTrx password in the same way that we are advising RYA members and registered web users to update their RYA web account password.
12. What should I do to help protect my information?
Please reset your RYA account password immediately.
We recommend that you change your password for any other account on which you use the same or similar information used for your RYA account and review those accounts for any suspicious activity.
Please contact Dave Strain, RYA Data Protection Officer, if you have any immediate concerns via firstname.lastname@example.org.
You should always:
13. How do I change my password?
You can change your password by logging into our website at www.rya.org.uk. Once you've logged in, click the "Your Account tab, then "Edit Profile" then "Change Password."
The new process for changing passwords is as follows:
14. Will changing my RYA account password also update my RYA SafeTrx password?
In addition to our members and registered web users, we will be requiring RYA SafeTrx users to change their passwords and we urge all app users to do so immediately. Mobile RYA SafeTrx app users will need to reset their password using the "Forgot password?" option on the app's login screen.
Changing your RYA account password will not update your RYA SafeTrx password and vice versa. RYA SafeTrx website users can reset their password by entering their email address into https://safetrx.rya.org.uk/forgotpassword.html
15. How can I get help with my RYA password?
The Technical Support Hub is here to help you with any issues you may have with our digital products and services. If you need help with changing your RYA password, please contact email@example.com.
For all other enquiries about your RYA membership account, please contact firstname.lastname@example.org or telephone 02380 604159.
RYA Data Protection Officer
Dave Strain FCCA