We’ll keep this page updated as more information becomes available. If your question isn’t covered here, you can contact us at yourshopdata@bfi.org.uk.
What happened with the BFI Shop website?
- On Wednesday, 1 April, we detected unauthorised access to the BFI Shop’s online payment page. Our investigation has since found that the individuals responsible may also have accessed the BFI Shop customer database. We took the website offline immediately as a precaution and are working with cybersecurity experts to fully understand what happened and ensure it’s safe before bringing the site back online.
Was my personal data affected?
- It’s likely that personal information stored in the BFI Shop customer database — such as names and contact details — was accessed. In some cases, this may also include payment-related information. We are contacting affected and potentially affected customers so they can take sensible precautions.
Was my payment information compromised?
- We believe that details entered on the BFI Shop payment page — including payment information that was input into the page — may have been accessed while customers were entering the information.
- As a precaution, we recommend keeping a close eye on your bank or card statements and contacting your provider if you notice anything unusual.
- We do not store full card details in our system, which means there is no further risk of access.
What should I do if I’ve made a purchase recently?
If you made a purchase on the BFI Shop around the time of the incident, we recommend the following:
- Change your password on any websites where you use the same login details.
- Monitor your bank or card statements for any unusual transactions.
- Stay alert to phishing emails or suspicious messages pretending to be from the BFI.
- If you are expecting a delivery from the BFI Shop and have not received it, please email the BFI Shop Team at bfishop@bfi.org.uk.
How do I change my password if the BFI Shop website is offline?
- While the BFI Shop website is temporarily offline, you won’t be able to change your password for that account just yet. However, if you’ve used the same or a similar password on other BFI platforms or non-BFI services, we strongly recommend changing those passwords now as a precaution.
Have you fixed the issue? Is it safe to use the BFI Shop now?
- The BFI Shop website remains offline while we continue to work with cybersecurity experts and our external supplier to resolve the issue and make sure the site is fully secure.
- It will not be brought back online until we are confident that it is safe to do so.
Have other BFI websites or services been affected?
- No. This issue is limited to the BFI Shop website.
- Our other websites and services — including www.bfi.org.uk, whatson.bfi.org.uk (our cinema booking system), and player.bfi.org.uk (BFI Player) — have not been affected.
Why wasn’t I told about this sooner?
- As soon as the issue was discovered, we took immediate steps to secure the site and begin an investigation. We’ve worked as quickly as possible to understand what happened and who may have been affected. We began to contact customers directly as soon as we had a clear picture and the right advice to share.
What are you doing to stop this from happening again?
We’ve taken a number of immediate steps to protect customer data and strengthen our systems. These include:
- Taking the BFI Shop website offline as a precaution
- Introducing additional security measures
- Working with specialist cybersecurity experts to investigate the issue and identify how it happened
- Conducting a full review of the BFI Shop’s systems and infrastructure
- Working with our external supplier to fix the vulnerability and ensure the site is secure before it is brought back online
Have you reported this to the authorities?
- Yes. We’ve notified the Information Commissioner’s Office (ICO), as required under UK data protection law. We will continue to cooperate fully with the ICO and follow any further guidance they provide.
Who can I contact if I have more questions or concerns?
- If you have any questions or would like further support, please contact us at yourshopdata@bfi.org.uk. Our team will do their best to help.
I want to delete my data — how do I do that?
- If you would like us to delete your personal data from the BFI Shop, you have the right to request this under data protection law (known as the “right to erasure”).
- Please email our Data Protection Officer at dpo@bfi.org.uk. Our Data Protection team will contact you to explain the process and confirm once your data has been removed.
Where can I get extra support and information about keeping my data safe?
- The National Cyber Security Centre offers clear advice on staying safe online and what to do if your data may have been compromised.