Skip to main content
Aled Roberts’s photo

Statement 18 February 2021

We are publishing this public notice in extraordinary circumstances to notify you that our information technology systems have been subjected to a serious cyber-attack. The attack came to our attention on the 10 December 2020. The impact was significant, although we have since been successful in re-establishing an IT system.

Under data protection legislation, we have a responsibility to notify individuals whom have shared personal data with us, to tell you know that data has been lost, released or in danger of being released. Although public announcements have previously been made, and where possible individuals have been contact personally, it has not been possible for us to contact everyone personally since we do not have their contact details.

We believe that the attack happened as a result of an email message that contained malicious software. The cyber-attack was reported to the Information Commissioner’s Office immediately following discovery of the attack in December and we continue to cooperate with them in relation to the incident. The incident was also immediately reported to the Police and they are also conducting a criminal investigation. We are supporting these investigations and are cooperating fully with the relevant authorities. The Police investigation is ongoing; therefore, it is not appropriate to make any further comments at this time.

As a rule, we hold the minimum possible amount of personal data, that is name, contact details, email or postal address and telephone number. However, there may be some cases when dealing with some matters that special categories of personal data have also been shared where they are relevant to the mater. As a result of the attack, there is a risk that your details could be released publicly. We do not hold any financial information (such as bank details) for individuals who use our services.

However, whilst the information has been locked, there is currently no evidence that any information that was in our possession has been shared externally or has been used for any malicious purposes.

We are continuing the work on recovering the information. In the meantime, immediate steps have been taken to reduce the risk of such an attack in the future. These include isolating the system affected and establishing a completely new and trusted IT system. When establishing the new systems, I received specialist advice on cyber safety.

We have commissioned an external investigation to determine how the attack happened and another to audit the robustness of the new systems.

We fully appreciate your concerns an encourage those affected to ensure that they read the most up to date and affective advice on cyber safety on the Cyber Aware website of the National Cyber Safety Centre.

If you believe that you have been the victim of fraud or of a personal cyber-attack you should notify Action Fraud through their website or by phoning 0300 123 2040.

If you are concerned regards your personal data or the personal data of a close member of the family and wish to discuss the matter, you are welcome to contact our office by emailing or by phoning 0345 6033 221

If you are unhappy with any aspect of the above information, you have the right to complain to the Information Commissioners Office using the following contract details:

Information Commissioners Office – Wales
2nd Floor, Churchill House
Churchill Way
CF10 2HH

0330 414 6421


Statement 23 December 2020

The Welsh Language Commissioner’s Office has recently suffered a cyber-attack including the possible loss of data. We are working with the appropriate authorities to investigate the matter and doing all that we can to recover the situation.

Although our website has been effected, our e-mail system is now safe and operational in addition to the usual ways of getting in touch with us over the phone or on social media.

If you are a member of the public, or an organisation, and feel that you may have been affected because you believe that we hold your personal or sensitive data, you can contact us on 0345 6033 221,, or by sending us a private message through our Twitter, Facebook or LinkedIn accounts. You can find a copy of our privacy policy which explains how we deal with your data at the bottom of this page.

You are also welcome to contact us through the above channels if you have any other questions.

For the most current and effective Cyber Protection advice please visit the National Cyber Security Centre’s Cyber Aware website.

If you believe you have been the victim of a cyber-attack personally, please report the matter to Action Fraud via their website, or via 0300 123 2040.