A joint investigation has been launched by data protection authorities in the Isle of Man, the UK, Jersey and Guernsey into a cyber attack that compromised the data of the Prospect union.
Prospect reported a personal data breach to the Isle of Man Information Commissioner in relation to the cyber incident that took place in June this year.
The union has more than 160,000 members - with around 2,600 in the Isle of Man.
Prospect holds members’ personal information including financial data and sensitive data such as trade union membership, ethnic origin, sexual orientation, disability, and religious belief.
.png?width=209&height=140&crop=209:145,smart&quality=75)
It’s the first time that the data protection authorities in the four jurisdictions have joined forces to open an investigation.
The investigation will examine the scope of personal information exposed by the incident and potential harms to affected people and whether Prospect had adequate technical and organisational measures in place to protect the sensitive information it holds.
It will also look at whether the union upheld its notification obligations and took appropriate steps, in its initial response to the incident, to mitigate any identified risks posed to affected data subjects.
Information Commissioner Dr Alexandra Delaney-Bhattacharya said: ‘People place enormous trust in organisations when they hand over their personal information, and that trust must be honoured. By undertaking this coordinated investigation into the incident at Prospect, we are strengthening our collective ability to safeguard individuals’ data.’
She said the opening of this investigation should not be taken to mean that a conclusion had been reached that Prospect has, or continues to, infringe data protection law.
A Prospect spokesperson said: ‘In June 2025 the union experienced a cyber security incident affecting our servers. We took immediate action to secure our systems, and were able to prevent any impact on the services we provide to members.
’We take our responsibilities to our members incredibly seriously and are deeply sorry for any impact them. We have offered a package of support, including credit monitoring, to those who have been affected. These kinds of incidents are sadly becoming more common, and we encourage members to utilise the support we have offered if they have not yet done so.
’We informed the Information Commissioner’s Office about the incident in line with our obligations and have provided further information subsequently. We will continue to co-operate fully with their investigation as it continues.’
Each data protection regulator in UK, Guernsey, Jersey and Isle of Man will investigate compliance with the law that it oversees.
The island’s Information Commissioner said no further comment will be made while the investigation is ongoing.