IRM - independent review mechanism GDPR breach - National Union of Professional Foster Carers

Dear Carer,

The following email from the IRM affects you if you have ever sent information to the independent review mechanism.

If you have, you need to use the following details within their email to make a complaint to the IRM and ask if your information has been leaked.

If your information has been leaked, then you need to make a complaint to the Information Commissioners office using the link within the IRM email.

If you feel you are affected by the breach, bearing in mind that foster carers do not only give the IRM their personal information, their family information their financial information their contact information but also lots of details which could be damaging to their reputation if released into the public domain.

If you are a member, you must contact us at enquiries@nupfc.com once you get a response from IRM so we can refer you to a suitable solicitor.

IF YOU ARE NOT A MEMBER YOU CAN STILL JOIN US NOW AT WWW.NUPFC.COM/JOIN and we can still give you advice and help.

Best regards

Robin Findlay

General Secretary

The National Union Of Professional Foster Carers.

START OF EXAMPLE EMAIL YOU MAY RECEIVE FROM IRM

The IRM was victim of a cyber-attack from hacker(s) in the early hours of Thursday 21^stof August 2025. The investigation has shown that the hacker(s) took copies of the information held on the affected IRM server, and we are currently working to ascertain which files have been affected and what information has been copied.

We regret to inform you that the IRM server that was hacked contained your case files and therefore may have been copied by the hacker(s).

We would like to take the opportunity to wholeheartedly apologise to you and inform you that we have reported the incident to the Information Commissioner’s Office (ICO), and we are in discussions with the Department for Education (DfE) who fund the IRM service.

The personal information that is possibly at risk may include your name, address, email, phone number and any other information that was included in the documentation provided by yourself and your agency to the IRM.

The potential impact or consequences of the breach could include:

Your personal information being posted on the dark web for others to see and use
You could be targeted further by the same hacker(s), or other hackers, or opportunists
Someone unknown to you, might try to use your identity to join memberships, open accounts or purchasing goods as examples

What can you do to protect yourself;

Monitor your email accounts
Look out for phishing scams which may come via your email account(s)
While your banking information has not been disclosed, you can speak to your bank and ask for their advice/assistance in the event that they spot any unexpected activity
Look out for any unexpected MFA (multi-factor authentication) or 2FA (two-factor authentication) alerts that might come to your phone or email inbox and report them
If possible, switch to using an alternate email address to the one that has potentially been exposed in this breach for important work, services, etc., such as banking

The following resources provide information, advice and guidance that you may find useful:

During the attack, the hackers attempted to access multiple servers, however, they only managed to gain access to one server. Full containment measures were quickly put in place after the hack, and the IRM data has been restored and moved to a new, secured server. We are also in the process of contacting relevant agencies and/or local authorities to ensure that they are on alert in case of further attempts to steal your personal data.

We fervently hope that your rights and freedoms will not be affected, but we felt that you needed to be informed of this potential risk so that you can take any measures you feel necessary to protect yourself.

If you wish to discuss this matter further, please contact irminformation@irm.org.uk

Should you wish to complain, you can complain to dataprotection@coram.org.uk You also have the right to contact the ICO directly to make a complaint at https://ico.org.uk/make-a-complaint/

Yours sincerely

Maureen O’Loughlin
Service Manager
Independent Review Mechanism

The IRM operates a primarily digital service and all communication should be via email where possible. Phone lines (01132022080) are open between 9.30 to 12.30. Monday to Friday

END OF EMAIL FROM IRM

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

IRM – independent review mechanism GDPR breach

Recent Posts

Recent Comments

QUICK LINKS

CONTACT US

POLICIES

CONNECT