At some point between 8 – 28 April, Merton Music Foundation’s website became infected with malware which affected the site’s operation. Some visitors to the site may have been prompted to complete a ‘security verification’. This verification message was not genuine and potentially malicious.

MMF leadership became aware of the issue during the morning of 29 April. Our serious incidents policy was enacted and a decision log created. As a precaution, the site was taken offline at 9:02am whist a thorough security scan was completed by a third-party consultant.

The scan identified some malicious code and an unauthorised ‘bot’ user account. Both the code and the unauthorised account were removed and all genuine administrator and user accounts to the site have been reset as a precaution.

Once the site had been confirmed secure, it was reinstated at around 5pm on the same day.

We are working closely with our website provider to confirm the cause of the infection and exact timelines so that we can more accurately assess any further potential impact of this infection.

We have increased security on our site by installing malware detection software and enhancing access restrictions and user verification protocols. We will continue to monitor operation of the site closely and take all steps necessary to prevent future attacks.

We are notifying the National Fraud Intelligence Bureau via Action Fraud.

A small number of users’ basic personal data may have been compromised by the incident. We are investigating this thoroughly and are contacting individuals affected. We have also discussed the incident with the Information Commissioner’s Office.

If you believe that you visited our site during this period and were subject to the malicious ‘security verification’ message, please take the following action:

• Complete a thorough virus and malware scan of your device, using a reputable virus scanner
• Remain vigilant against phishing or scam attempts, including unexpected communications asking for personal or financial information
• Don’t click on links or download attachments in suspicious emails
• Be aware that phishing attempts may appear to come from MMF when they have not. Emails sent from MMF will end in mmf.org.uk. You can contact us at dpo@mmf.org.uk if you are in doubt about whether an email or message has come from MMF.

Although password information has not been affected, we also suggest that you maintain a secure password and change your password regularly. Remember that we will never ask you to provide us with your password.