The Hack Letter from mobiles.co.uk

Comments

  • mobilejunkie
    mobilejunkie Posts: 8,460 Forumite
    edited 12 August 2015 at 5:10PM
    Maybe I'll join you - I'm in Newquay at present and the armchair nitwit can rant away to his or her heart's content.
  • agarnett
    agarnett Posts: 1,301 Forumite
    Now I'm concerned :rotfl:

    Newquay was once much known for its pilchards.
  • gjchester
    gjchester Posts: 5,741 Forumite
    agarnett wrote: »
    One way for us to help it along would be if they started receiving flack from a significant body of insistent customers demanding the right to cancel and to walk away from existing contracts arranged by CPW. The networks should be told by their disgruntled customers that it is not a customer problem to shoulder, and that the networks should hold their airtime sales agent to account.
    Given in many cases CPW group hold data that is old and outdated how would this be relevant? Customers who have long since closed and left the network that they first joined via CPW are affected as well as current customers.

    The question is why did CPW retain the data which relates to the company policy more than any network issue.

    I understand your point, just don't see how the network can help. Many large companies keep data long after the contact is initiated or even over; that is the issue. Go to any big store and buy anything and they will know your details and order history as it's stored on file.
    agarnett wrote: »
    Now I'm concerned :rotfl:

    Newquay was once much known for its pilchards.

    Comments like this are not helping the opinion others have of you.
  • agarnett
    agarnett Posts: 1,301 Forumite
    Given in many cases CPW group hold data that is old and outdated how would this be relevant? Customers who have long since closed and left the network that they first joined via CPW are affected as well as current customers.
    It is relevant to the 2.4 million I suspect are just the existing customers who might have the ability to demand cancellation. The complaint in their case is that CPW stored too much CRA type data in a vulnerable state.
    The question is why did CPW retain the data which relates to the company policy more than any network issue.
    This is an equally important question about why CPW kept the excessive data even beyond the period of their business relationships with customers and I agree that old expired business customers don't have the luxury of a network contract they might otherwise threaten to cancel.
    Many large companies keep data long after the contact is initiated or even over; that is the issue. Go to any big store and buy anything and they will know your details and order history as it's stored on file.
    Yes if a retailer wants to keep old personal data for marketing purposes then it had better be bloody careful with that data.

    A computer systemful of personal data is of course a loaded gun and if handled negligently and not maintained properly it can as we have seen too often injure (millions of!) people.

    Assisted by the soon to be expected EU GDPR we hope, if anything of this type does go wrong in future years that gun will explode in the face of the negligent companies storing the data and they will be fined up to 5% of their annual turnover for each breach. That might rub their noses in the problem more effectively.

    This thread isn't about opinions others have of me or of anyone else, other than opinions others might have of big business riding roughshod over existing data protection law. It is about a very serious matter that affects all our rights as individuals which has been wrongly dismissed by some posters as something not worth worrying about.
  • gjchester
    gjchester Posts: 5,741 Forumite
    agarnett wrote: »
    It is relevant to the 2.4 million I suspect are just the existing customers who might have the ability to demand cancellation.

    You may have the right to claim consequential loss from CPW for data loss, but that's nothing to do with the network. Your claim may well be the amount required to offset the cancellation charge of the contract, but you can't link the two.

    As ever, proving such a loss would be hard, and the EU act would only come into effect if it's classed as adverse to a person. It does not define what is adverse.

    The EU Act allows for fines UP TO 5% but that's the maximum and not likely to be used often. The act is to try and ensure companies take reasonable precautions, not put in place such a tight data regime that no one can ever use that data.

    It's a balancing act between security and being useable, you would be pretty cheesed off if every time you called a company they had to verify your identity then they had to post a pass code to your last address to ensure you are who you say you are. It would certainly increase security but at the cost of useability.
  • Paul_Herring
    Paul_Herring Posts: 7,484 Forumite
    gjchester wrote: »
    It's a balancing act between security and being useable, you would be pretty cheesed off if every time you called a company they had to verify [STRIKE]your identity then they had to post a pass code to your last address[/STRIKE] Occupational details, Occupational status, Years/months in current job to ensure you are who you say you are. It would certainly increase security but at the cost of useability.

    Let me know how that goes for you.

    In the meantime, the DPA not only regulates how long data must be held (no longer than absolutely necessary - clearly broken here) but what data can be held (no more than absolutely necessary. Also clearly broken here.)
    Conjugating the verb 'to be':
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
  • gjchester
    gjchester Posts: 5,741 Forumite
    Let me know how that goes for you.

    But the details you swapped in were a list of what had been potentially leaked in this case. That's one of the problems.

    If you want strong security you have to lose some of the convenience we want.

    In the meantime, the DPA not only regulates how long data must be held (no longer than absolutely necessary - clearly broken here) but what data can be held (no more than absolutely necessary. Also clearly broken here.)

    I agree. However, as often is the case, while the law mentions an absolute minimum period it does not define it, so it's hard to say when the data should be removed. How long should any company keep data after you cease to be a customer is not defined. For many stores it would be hard to say, for example Amazon: is it x months after last purchase? Better from a security point of view but not customer friendly.
  • agarnett
    agarnett Posts: 1,301 Forumite
    edited 13 August 2015 at 12:31PM
    gjc wrote:
    PH wrote:
    gjc wrote:
    It's a balancing act between security and being useable, you would be pretty cheesed off if every time you called a company they had to verify [STRIKE]your identity then they had to post a pass code to your last address[/STRIKE] Occupational details, Occupational status, Years/months in current job to ensure you are who you say you are. It would certainly increase security but at the cost of useability.
    Let me know how that goes for you.
    If you want strong security you have to lose some of the convenience we want.
    I think that argument is very weak when you consider what they might ever use that specific personal data to determine once a service contract/credit agreement is initially agreed. It is unacceptable for any retailer to behave either as a CRA data depository or like a bank without being licensed as such and without the strength of security you would expect of a CRA or bank.

    To pass it off as an acceptable trade off of security standards versus some imagined and otherwise unattainable public desire for convenience just doesn't wash with me. What convenience or useability are you talking about that demands personal data of this type must be stored indefinitely or at all after original contract decisions based upon it have already been taken?
  • gjchester
    gjchester Posts: 5,741 Forumite
    agarnett wrote: »
    I think that argument is very weak when you consider what they might ever use that specific personal data to determine once a service contract/credit agreement is initially agreed. It is unacceptable for any retailer to behave either as a CRA data depository or like a bank without being licensed as such and without the strength of security you would expect of a CRA or bank.

    I guess it hinges on when you cease to be a customer of the store. A company has the right to hold data on their customers; when does that end? They are permitted to do this, holding customer data is not against the law.

    Remember Banks and CRAs get hacked like any other company, they are not super secure.
    agarnett wrote: »
    To pass it off as an acceptable trade off of security standards versus some imagined and otherwise unattainable public desire for convenience just doesn't wash with me. What convenience or useability are you talking about that demands personal data of this type must be stored indefinitely or at all after original contract decisions based upon it have already been taken?

    Unfortunately the world we live in means if you don't like it then don't buy anything, use any bank, or ISP.

    Not only can the company hold the data for their business use as long as they believe you are still a customer, they may also be subject to the government mandated rules that data is stored for potential later analysis.

    UK laws oblige banks to keep financial data for seven years, so it follows companies probably have to hold data for the same time to comply with UK Law. There's also the SarOx laws in the US that mandate a company keeps electronic data for 5 years and financial data for 7. And they may be US laws, but most major UK companies will be subject to them.

    Your ISP will have to keep logs of your activity for at least 12 months.


    You say it doesn't wash with you how we accept lesser security for convenience but let me give you a real world example.

    Look at something like internet banking. Often it's protected by asking for an account or reference number, and Password or Pin if you use a PC. Maybe even with something to do a second level of identification, i.e. you need to enter a secret code generated from your card and a device as some banks use.

    Then look at the bank's mobile app. These are scaled down but tend to ask for lesser details to log on.

    You may not like it, but the general public want convenience, and will give up security to get that.
  • Guys_Dad
    Guys_Dad Posts: 11,025 Forumite
    What I can't quite grasp is, after the CPW hack, what exactly are customers supposed to do to protect themselves? I am not going to change banks, move house or anything else and if the hackers have all my personal data as in an earlier post on this thread, I can't change my history.

    Yes, if I can prove that any subsequent damage or loss has arisen, I could try to sue CPW.

    As for my current mobile contract. I have taken time to read what I agreed to and I signed a contract with O2 to supply me with a mobile service and CPW to give me a free phone. So I am keeping the phone but I have no right to cancel my airtime contract with O2 for which CPW were an intermediary.

    I can put pressure on the Information Commissioner to demand that CPW remove my data from their systems on the grounds that as I have no current financial transactions with them, I am an ex-customer and, apart from details of my name and address, the other data is no longer relevant and they need to delete it.

    In fact, that is the one thing that would hurt them most of all if the IC demanded that they remove all non current customer data from their systems.

    I am afraid that agarnett is incorrect in his interpretation of the law as it is and is confusing it with how he might like it to be and, unfortunately, justifying his choice of avatar.
This discussion has been closed.