The Civil Service Sports Club (CSSC) has been forced to send out a letter warning its members that their personal information may have been stolen in a data breach that took place two years earlier.
The organisation sent out the letters on 23 November confirming that personal information such as addresses, phone numbers and National Insurance information had been compromised in the data breach. It did not say exactly how many members details were at risk in a media statement, or how the data was stolen.
"CSSC has been co-operating with the relevant authorities in a criminal investigation regarding the theft of some membership data supplied to CSSC. CSSC has been informed that some of this data was used for fraudulent purposes," CSSC said in a statement (PDF) on Monday.
Despite the lapse, CSSC, which has more than 100,000 members nationally, said it believed personal risk to individuals was low and the resulting "attempted frauds" were directed at the government.
Although did not mention when the data theft took place in the media statement, CSSC told its members that the data was likely taken in February 2010.
"Received letter saying my details probably stolen in Feb 2010, only now been told," Twitter user Mike Pobjoy posted on the social network on Tuesday.
Unsurprisingly Pobjoy wasn't alone in expressing his outrage at the delay in informing members of the potential information leak. "Nearly three years to notify members their personal details have been stolen! Not good enough #CSSC Explains a bogus benefit claim in my name!" said user Claire Jamieson.
CSSC said it had followed the advice of "relevant authorities". "However, investigations now reveal that our full membership database could have been stolen and we have decided that members would want to know about the theft," the organisation added.
The group said past members' details could also have been affected, but that details of members that joined after March 2010 are not at risk.