Claire's Accessories Data Breach

Hi all

I’m looking for some guidance/advice in relation to raising a complaint and requesting compensation due to a data breach. Apologies if I’ve added this chat to the wrong section of the forum!

On 30th June 2020 Claire’s Accessories emailed me to confirm that my data, including payment card information, had been obtained during a data breach of their site. The email told me not to cancel my payment card but to keep a close eye on my account. In hindsight I should’ve cancelled the card but it was during lockdown, my husband and I were key workers and as a result it totally slipped my mind.

Following this email I’ve been bombarded with spam emails and calls and had numerous unhappy family and friends contact me to let me know “I” had been sending them spam emails (most have been ok with my apology and explanation but one friend has really taken offence and sends me a weekly update of the spam emails  :/ ).

In August I started receiving numerous spam calls from what purported to be my bank's fraud team (quite clever really as they were calling me from the inbound fraud team phone number) but this led me to check my account more closely. I then discovered later in August that my account had numerous fraudulent transactions made on it (after my husband and I had a domestic over who'd overspent from the joint account! :# ) After an investigation with my bank these were eventually refunded, card was cancelled and a new one was issued etc.

I understand that Claire’s should have notified customers within 72 hours of being notified of the data breach. However after I’ve researched this a little more, I found that Sky News reported on Claire’s data breach on 15th June 2020, a whole 15 days before they emailed me - which is substantially longer than the 72 hour timescale.

Basically I’d just like some advice on how to proceed with this complaint:

  • Should I log the complaint directly with Claire’s and a complaint with ICO? Or would I log the complaint with Claire’s first and then the ICO following a response from Claire's?
  • What’s the best way of doing this, e.g. is there a recommended template letter, any specific points I should raise in the complaint, should I post it or email it etc.?
  • Should I request compensation? If so, how do I put a cost on the financial and non-financial loss (technically the financial loss was eventually refunded by the bank)

Thanks in advance for your advice and comments


Comments

  • [Deleted User]
    [Deleted User] Posts: 35,242 Forumite
    edited 13 October 2020 at 3:59PM
    They needed to inform the ICO within 72 hours of discovery - not you.  There should be no need for you to report to the ICO yourself, as it will already have been done.

    Compensation isn't generally payable for a breach, especially where there is no loss, but you could try for a goodwill gesture of a few vouchers.
  • Sandtree
    Sandtree Posts: 10,628 Forumite
    linz81 said:
    • Should I log the complaint directly with Claire’s and a complaint with ICO? Or would I log the complaint with Claire’s first and then the ICO following a response from Claire's?
    • What’s the best way of doing this, e.g. is there a recommended template letter, any specific points I should raise in the complaint, should I post it or email it etc.?
    • Should I request compensation? If so, how do I put a cost on the financial and non-financial loss (technically the financial loss was eventually refunded by the bank)
    The ICO is already aware of the data breach so what do you hope to gain by complaining that there was a data breach? Given card details were included in the data it's an inevitability that at least some will subsequently suffer card fraud.

    Post or Email is fine, I am strongly against template letters in most cases so just clearly state what your issues are and importantly how you want it resolved.

    Up to you if you want compensation, not sure what else the complaint will be about if not though given you are complaining about a known issue that they have already apologised for. The financial losses clearly do not include the fraudulent transactions - it's not a "technicality" that they have been refunded.

    I am curious however how your friends and family have received spoof emails from you? Whilst I understand that the data breach will have included your email address and so it's easy for them to send an email appearing to come from you (which they could have done even without the data breach) but how did they get your friends' and family's details? I can only guess it's a "refer a friend" type scheme and you sold all your friends' details to Claire's?

    If that isn't the case I would strongly recommend double checking your email account is still secure, especially if you use the same password for Claire's website as you do for your email account.
  • linz81
    linz81 Posts: 236 Forumite
    Sandtree said:
    linz81 said:
    I am curious however how your friends and family have received spoof emails from you? Whilst I understand that the data breach will have included your email address and so it's easy for them to send an email appearing to come from you (which they could have done even without the data breach) but how did they get your friends' and family's details? I can only guess it's a "refer a friend" type scheme and you sold all your friends' details to Claire's?

    If that isn't the case I would strongly recommend double checking your email account is still secure, especially if you use the same password for Claire's website as you do for your email account.
    Thanks for this. 
    I'm not too sure how my friends and family details have been accessed, I definitely didn't "refer a friend"! 
    It's possibly just a coincidence that these spam emails started arriving around the same time as the data breach email notification. 
    My email account has a security key rather than a password and I can't seem to find a way of checking the security of this or changing it. I might switch it off and go back to a password and change it for now just in case (just thinking out loud now!)
  • davidmcn
    davidmcn Posts: 23,596 Forumite
    Sandtree said:
    linz81 said:
    • Should I log the complaint directly with Claire’s and a complaint with ICO? Or would I log the complaint with Claire’s first and then the ICO following a response from Claire's?
    • What’s the best way of doing this, e.g. is there a recommended template letter, any specific points I should raise in the complaint, should I post it or email it etc.?
    • Should I request compensation? If so, how do I put a cost on the financial and non-financial loss (technically the financial loss was eventually refunded by the bank)
    I am curious however how your friends and family have received spoof emails from you? Whilst I understand that the data breach will have included your email address and so it's easy for them to send an email appearing to come from you (which they could have done even without the data breach) but how did they get your friends' and family's details? I can only guess it's a "refer a friend" type scheme and you sold all your friends' details to Claire's?

    If that isn't the case I would strongly recommend double checking your email account is still secure, especially if you use the same password for Claire's website as you do for your email account.
    Or could be a coincidence, or somebody else you know (with everybody's emails in their address book) who has been hacked - often spam emails are faked to appear to come from a random address which isn't actually that of the person who has been hacked.
  • Sandtree
    Sandtree Posts: 10,628 Forumite
    linz81 said:
    Thanks for this. 
    I'm not too sure how my friends and family details have been accessed, I definitely didn't "refer a friend"! 
    It's possibly just a coincidence that these spam emails started arriving around the same time as the data breach email notification. 
    My email account has a security key rather than a password and I can't seem to find a way of checking the security of this or changing it. I might switch it off and go back to a password and change it for now just in case (just thinking out loud now!)
    If you didn't give your friends' details to Claire's then the hackers cannot have gotten them by accessing your account data from Claire's servers. If they'd accessed your email account via a shared password then they could have easily gotten who you'd been emailing but you don't use a password so that's not the source.

    Did your friends say the emails reportedly came from you or is it just random junk they are getting from random "people" and they've added 2 + 2 and got 239531.3 ?

    Have you found a load of bounce emails coming into your inbox or junk folder? I've had people try and hijack my domain and send thousands of emails from random thing @mydomain.com to whatever list they've found and inevitably some of the "to"s are invalid and as I have a catchall mailbox all the bounces come into that mailbox... based on all the offers of bursaries and deathbed gifts that are being offered we are a company of very generous (and sick) people.
  • JJ_Egan
    JJ_Egan Posts: 20,281 Forumite
    One way all your contacts are available is the old send a message or joke etc. to all your contacts. Not using the blind copy means each one gets all your contacts and if they forward that to another.
  • dinglebert
    dinglebert Posts: 1,231 Forumite
    With regards to the emails it would seem to me that you are the victim of someone else's phone and email being hacked.  I get emails from people all the time that at face value I know slightly.  They look real but the content is rubbish. Their phone hasn't been hacked but the phone of someone who had them on it has.  You are not responsible for the leak. Ironically your friend who gets the emails which look like they come from you is more suspect than you.
  • Aylesbury_Duck
    Aylesbury_Duck Posts: 15,443 Forumite
    I would add that it's not much of a friend who spams you with updates on spam emails that supposedly come from you but which might reflect their own lack of web security.  Tell them to wind their neck in!