RideLondon organisers apologise after data breach Published duration 11 February

image copyright Getty Images image caption The 100-mile ride through Surrey and London attracts thousands of amateur cyclists every year

Organisers of the RideLondon cycling event are "urgently looking into" a data breach involving potential participants' personal details.

Organisers believe "less than" 2,100 people have been affected by the issue which saw entrants receive other people's ballot results.

The events, due to be held in August, is open to 80,000 applications and last year 28,032 riders completed it.

London & Surrey Cycling Partnership has apologised for the error.

RideLondon, which claims to be the world's greatest festival of cycling, is a 100-mile, closed-road event which takes in streets in the capital and travels through Surrey.

Due to take place on 16 August, it is normally oversubscribed so a ballot system is used select the successful applicants.

The mix-up over data means some potential riders are still unclear if they have won a place or not.

Apologise sincerely

London & Surrey Cycling Partnership chief executive Nick Bitel said the company was "working to establish how many people have been affected", but it believed "it to be less than 3% of the total of more than 70,000 people who entered the ballot".

"We are working with our contractors to establish the full facts but it appears that the issue was caused by an error in the collation of the acceptance letter and the addressed envelope in the final stages of a mailing process which led to the people affected receiving the name, address and date of birth of one other person," he added.

"We apologise sincerely for this error and will be contacting all the people affected."

Chris Whitehead, from Rotherham, received what he thought would be his ballot result in the post on Monday.

But while the envelope was addressed to him, the letter itself contained someone else's full name, address and date of birth.

image copyright Chris Whitehead image caption Chris Whitehead received someone else's ballot result including name, address and date of birth in the post on Monday

"I was shocked," he told BBC News. "I felt shocked that in this day and age, a breach like that would happen and was left wondering who has my details.

"There is a chance my identity could be stolen. Why haven't they done any basic checking?"

The 36-year-old IT specialist added he was disappointed the organisers did not communicate the data breach more proactively.

"I first contacted them at 11:00 GMT and it took them until about 18:00 to post an update about it on Twitter."

Prudential RideLondon tweeted its apology for the "issue with a limited number of the Prudential RideLondon ballot results mailing" at 17:40 on Monday.

All applicants will be informed of their ballot results by Thursday, according to the event helpline, meaning more people might yet receive erroneous letter over the next two days.

Mr Bitel said the Information Commissioner's Office (ICO), Britain's data protection watchdog, was "being informed with full details of what happened".

The ICO said it had not yet received a data breach report from London & Surrey Cycling Partnership.

Under current data protection regulations, organisations do not have to report every data breach to the watchdog.

"Under the current UK data protection law, most personal data breach reporting is best practice but not compulsory," the ICO's website states.

Referrals must be made, however, if there is a "risk to people's rights and freedoms from the breach".

A spokeswoman for the ICO said this was judged in an internal audit by the organisation on a case-by-case basis.