As part of our investigations into an issue raised by one of our members, we have identified a potential security vulnerability in Compass. To our knowledge, no breach has occurred, but in line with our commitment to you that the confidentiality and security of our data is our number one priority, and in agreement with our development contractors, we have made the decision to turn Compass off with immediate effect. This is to ensure that the potential vulnerability cannot be exploited.
You will remember that Compass is only accessible to registered members of the Movement. We would like to thank our members for their vigilance and support in identifying this issue and welcome any input that helps improve the overall quality and integrity of Compass.
With the agreement of our contractors, we have engaged a global provider of information security that has the world’s largest security testing team at our disposal. This company has not been involved in the system security work up until now and will be performing a full audit of Compass at the source-code level, combined with in-depth penetration testing. It is expected that this will validate the security audit work already undertaken, whilst providing a valuable second opinion.
The system will remain offline until any and all security issues are resolved satisfactorily and we can turn on the system with the knowledge that the data held on it is secure. It is not clear at this stage just how long this will take but we will keep you updated regularly via the user forum on www.scouts.org.uk/compass and through the usual channels.
Leaders should continue to populate their youth data upload spreadsheets as before, ready to upload when advised. Work is being undertaken on the contingencies to enable us to complete census using the youth data upload facility, which remains secure and cannot be seen. We are also working to ensure that new volunteers and disclosure checks (for those in England and Wales) can continue to be processed.