Bank details and email address revealed by company
zaza14
Posts: 25 Forumite
Hiya,
Was in touch with a motor company to purchase a new car.
There was an exchange of emails. My brother had paid a deposit for the vehicle, but the company emailed requesting his bank details in order to issue a refund, as they needed the deposit to be paid out of my account, and the account I was setting up a finance agreement with.
The request by them was sent by email, and due to my brother's restrictive work timings, the email with the bank details was sent across, and I was cc'd.
The lady then responded back to say that the refund for the deposit had been issued; however, within hours, someone outside of the organisation responded back saying "I think this email isn't for me."
Essentially, the email sent by the motor company to confirm that a refund had been processed contained the trail of previous emails, which had my email and email address, my brother's email address and his full bank account details with the sort code, account number, amount of deposit, my work address etc.
I alerted them immediately, shocked and concerned by this. I was emailed an apology by the lady: "Sincere apologies that this has happened, it was sent to the wrong person with a simaler (yes that's how she spelled similar) name."
As I was still quite concerned by this, it got escalated, and the data compliance department investigated from the 12th or 13th of July.
Their response was received today and is as follows:
Dear Dr xxxxxxxx,
Personal data security breach
We are sorry to inform you of a breach of security that resulted in the unauthorised disclosure of your personal data.
The breach was discovered on the 1st July 2019, of which your sister was made aware on the same day, and relates to bank details that had been incorrectly sent to another customer with a similar email address.
As a result of our investigation of the breach, we have concluded that:
· The breach affects the following types of information:
· Name, Bank Account number and sort code.
· The information contains the following personal or sensitive personal data:
· The documentation included your full name, full bank account details such as account number and sort code.
· The information has been accidentally accessed by an unauthorised person
· The breach occurred under the following circumstances and for the following reasons:
· Bank detail information was incorrectly sent in error to an individual who has a similar email address to yours.
· We have taken the following steps to mitigate any adverse effects of the breach:
· Confirmation from recipient who received the email in error that the email has been deleted.
· You can obtain more information about the breach from any of the following contact points:
· xxxxxxxxxx – Local Compliance Officer
· address of head office
· xxxxxx@xxxx.com
· telephone number
· website
We recommend that you monitor the relevant bank account to identify any fraudulent activity linked to this breach.
We apologise for any inconvenience this breach may cause you.
Yours sincerely,
Data Compliance Team
I'm hoping that the clientele of the motoring company is such that they wouldn't do anything with the sensitive information, but still quite worried that it is very possible for that person to forward those details, or use the information in a negative and detrimental way.
What are your thoughts and is this acceptable? The only similarity between my brother's email and the person that was sent the email from outside the company is that the first two letters of their first name are the same. Other than that, the email company is different and the style is different, i.e. the outsider has the email format name.lastname@gmail.com and my brother's is namelastname@hotmail.com
I've also checked haveibeenpwned and yes, our emails come up as being breached, but I do not know if that was after the event or not. Up until last year, we were safe.
Comments
- While of course it shouldn't happen, one person being randomly sent one stranger's details really isn't something to be overly concerned about. The response seems to be adequate, I would just move on.
- To put things in context - the account number and sort code are on every cheque you (or he) has ever issued.
- I'd say they've dealt with it very well. Mistakes happen and nothing bad is likely to happen due to your details being shared with another customer, who immediately let them know what had happened! They presumably know who they emailed; it's not like they wouldn't know exactly where to look if something did happen. That person is obviously honest anyway.
  haveibeenpwned won't show somebody accidentally emailing your details to somebody else. It's nothing to do with what's happened so deal with that separately if needed but it's not related to this in the slightest.
- Phew.. thank you
- That's a good response from the company. They have admitted the mistake and apologised, rather than trying to stonewall you or covering it up.
  As the data was only shared with one person, the likelihood of something bad happening is pretty low. The vast majority of people would just delete the email. There isn't much you can do with just an account number and sort code anyway.
  In the unlikely event that something bad did happen, you could seek damages/compensation from the company.
- GDPR claims are going to be the new whiplash claims.
- Potbellypig wrote: »GDPR claims are going to be the new whiplash claims.
  Except that the ‘victim’ doesn’t receive the money.
- Except that the ‘victim’ doesn’t receive the money.
  You're thinking of the ICO's fines rather than claim for damages.
  Similar to the banks & PPI - they received a regulatory fine and then separately received claims for refunds/damages.
  You keep using that word. I do not think it means what you think it means - Inigo Montoya, The Princess Bride
- unholyangel wrote: »You're thinking of the ICO's fines rather than claim for damages.
  Similar to the banks & PPI - they received a regulatory fine and then separately received claims for refunds/damages.
  Sure, but GDPR hasn't changed anything in this regard. You've always been able to sue for damages, however you actually need some losses to quantify.
  You can't just sue a company for the loss/misuse of your data.
This discussion has been closed.