ORCID Security Incident
Yesterday (February 18) we experienced a security incident with the web interface of the ORCID Registry that affected 46,823 users (~2.5% of ORCID records). ORCID record information marked as private, specifically email address(es), was exposed. No passwords were exposed. Works, funding, and affiliation data were not affected, nor were the ORCID APIs that connect the Registry to external databases. We have no reason to believe that there was any data misuse.
The exposure was limited to the online public view of ORCID records that were accessed during the incident timeframe (21:07 (UTC) 2016-02-17 to 13:35 (UTC) 2016-02-18). We have contacted all users who were directly affected and set up a dedicated email to deal with questions and concerns.
As an organization built around principles of openness and researcher control we are taking this incident very seriously. We have resolved the immediate issue, which we traced back to a software update to the website. We are reviewing the internal processes that led to the incident and will be putting in place additional procedures to ensure it does not happen again. In addition, we will be posting our Data Security Policy next week for public comment.
Please accept our apologies. Don't hesitate to contact me at Laure@orcid.org if you have any concerns, and let us know immediately if you become aware of any specific issues as a result of this security incident.