Capita - Hacked

shefmarkh

Universidad said:

shefmarkh said:

Uss website now is claiming Capita has secured the stolen data. But how can we be sure this is true.?

There is zero possibility of this ever happening with any degree of certainty. You should assume that all bad actors have access to all leaked information.

Quite possibly. But with such a statement they can evade any responsibility.

Umiamz

shefmarkh said:

Umiamz said:

shefmarkh said:

Uss website now is claiming Capita has secured the stolen data. But how can we be sure this is true.?

Where does it say this? All I can see is a statement that Capita have taken extensive steps to recover and secure the data, not that they have actually succeeded.

Umiamz said:

shefmarkh said:

Uss website now is claiming Capita has secured the stolen data. But how can we be sure this is true.?

Where does it say this? All I can see is a statement that Capita have taken extensive steps to recover and secure the data, not that they have actually succeeded.

It’s buried in

https://www.uss.co.uk/-/media/project/ussmainsite/files/news-and-views/news-articles/capita-cyber-incident-qas-25-may-2023.pdf?rev=a3596b72f8c64ad383fe084b136b9b42&hash=D30ACB3F40D54AC7D50130C83490EC98

Thanks - got it now. "While at present we understand from Capita that the data “exfiltrated” has been secured, we are also taking steps to put our own monitoring in place."

Some news outlets suggested that Capita might have paid a ransom for the data.

TheBanker

flaneurs_lobster said:

CIFAS Protective Registration costs £25 for two years.

I'm surprised that CIFAS Protective Registration doesn't seem to be offered by hacked organisations while Identity Protection from the likes of Experian and Kroll often is. Are they doing the same thing? Too expensive?

The problem might be that CIFAS PR can only be set up and paid for by the affected individual. I don't think it can be arranged/paid for in bulk in the same way as the Experian/Kroll services can be. So not as easy to arrange where lots of people are affected. 

They also work differently - the CIFAS service alerts lenders dealing with applications that extra checks are needed as the individual is at heightened risk of ID theft. I think the Experian service works by notifying the individual that someone has applied for credit. CIFAS themselves say:

Where the risk of fraud is very low, some companies may accept the application without contacting you separately to ensure the application is from you. This will minimise delay while continuing to protect you from fraud. Please note that not all applications for products, finance and services will be checked; even with Protective Registration in place, you should continue to check your credit report regularly and may wish to consider a credit report monitoring alert.

flaneurs_lobster

TheBanker said:

flaneurs_lobster said:

CIFAS Protective Registration costs £25 for two years.

I'm surprised that CIFAS Protective Registration doesn't seem to be offered by hacked organisations while Identity Protection from the likes of Experian and Kroll often is. Are they doing the same thing? Too expensive?

The problem might be that CIFAS PR can only be set up and paid for by the affected individual. I don't think it can be arranged/paid for in bulk in the same way as the Experian/Kroll services can be. So not as easy to arrange where lots of people are affected. 

They also work differently - the CIFAS service alerts lenders dealing with applications that extra checks are needed as the individual is at heightened risk of ID theft. I think the Experian service works by notifying the individual that someone has applied for credit. CIFAS themselves say:

Where the risk of fraud is very low, some companies may accept the application without contacting you separately to ensure the application is from you. This will minimise delay while continuing to protect you from fraud. Please note that not all applications for products, finance and services will be checked; even with Protective Registration in place, you should continue to check your credit report regularly and may wish to consider a credit report monitoring alert.

Good points. I don't know if CIFAS could handle the scale of Protective Registrations that might be requested if, say, the victims of the Capita hack were to all ask for the service. 

Maybe we need to apply a "virtual" marker to everyone so that any application gets the enhanced level of checks, but I imagine the additional costs and delays would be unacceptable to both individuals and institutions.

Problem seems to me that even if an individual ties down their own accounts (both online and otherwise) as well as they can there exists the threat that compromised details can be used to apply for and contract for goods and/or services out with their control or knowledge. 

   

TheBanker

flaneurs_lobster said:

TheBanker said:

flaneurs_lobster said:

CIFAS Protective Registration costs £25 for two years.

I'm surprised that CIFAS Protective Registration doesn't seem to be offered by hacked organisations while Identity Protection from the likes of Experian and Kroll often is. Are they doing the same thing? Too expensive?

The problem might be that CIFAS PR can only be set up and paid for by the affected individual. I don't think it can be arranged/paid for in bulk in the same way as the Experian/Kroll services can be. So not as easy to arrange where lots of people are affected. 

They also work differently - the CIFAS service alerts lenders dealing with applications that extra checks are needed as the individual is at heightened risk of ID theft. I think the Experian service works by notifying the individual that someone has applied for credit. CIFAS themselves say:

Where the risk of fraud is very low, some companies may accept the application without contacting you separately to ensure the application is from you. This will minimise delay while continuing to protect you from fraud. Please note that not all applications for products, finance and services will be checked; even with Protective Registration in place, you should continue to check your credit report regularly and may wish to consider a credit report monitoring alert.

Good points. I don't know if CIFAS could handle the scale of Protective Registrations that might be requested if, say, the victims of the Capita hack were to all ask for the service. 

Maybe we need to apply a "virtual" marker to everyone so that any application gets the enhanced level of checks, but I imagine the additional costs and delays would be unacceptable to both individuals and institutions.

Problem seems to me that even if an individual ties down their own accounts (both online and otherwise) as well as they can there exists the threat that compromised details can be used to apply for and contract for goods and/or services out with their control or knowledge. 

   

I agree - I think this is the reason a lot of banks/credit institutions are now require you to upload a copy of your passport/driving license and a selfie video, then use clever software to compare the two. An inconvenience to some customers, but far more secure than simply relying on the applicant's details matching data held at the Credit Reference Agencies. 

Sarahspangles

TheBanker said:

I agree - I think this is the reason a lot of banks/credit institutions are now require you to upload a copy of your passport/driving license and a selfie video, then use clever software to compare the two. An inconvenience to some customers, but far more secure than simply relying on the applicant's details matching data held at the Credit Reference Agencies. 

This - with more and more personal data leaked, businesses will move to protect themselves by requiring a higher standard of evidence of prospective customers’ identity.  Everyone will be disadvantaged rather than only the unfortunate individuals whose existing providers chose Capita.

LHW99

Sarahspangles said:

TheBanker said:

I agree - I think this is the reason a lot of banks/credit institutions are now require you to upload a copy of your passport/driving license and a selfie video, then use clever software to compare the two. An inconvenience to some customers, but far more secure than simply relying on the applicant's details matching data held at the Credit Reference Agencies. 

This - with more and more personal data leaked, businesses will move to protect themselves by requiring a higher standard of evidence of prospective customers’ identity.  Everyone will be disadvantaged rather than only the unfortunate individuals whose existing providers chose Capita.

Sounds like there may be rather a large number of those

kinger101

Update on this one.

Received an e-mail from USS.

"To help you to monitor your personal information for certain signs of potential identity theft, you have been given free access to a 12-month membership to Identity Plus, a monitoring service provided by Experian – one of the UK’s leading Credit Reference agencies."

Not sure how useful this is.  Seems to contain less info than the report I get free via MSE.

crism

I am affected by this lifetime sticky situation as well. 

And I am not really looking forward to having my credit report checked every few seconds throughout my lifetime, especially that after year 1 I will have to pay for this myself. Probably with all 3 credit check agencies. It will quickly turn into pretty stressful situation - for many. 

As for Cifas, I really believe a 0 registration - a potential victim of fraud - will be a nightmare in the real world, as most probably any red flag on a credit application will trigger auto-refusal, no questions asked. In the end, who wants to deal with any issues of one person when there are so many others with no said red flag? 

Now what I am wondering about is what a criminal can do with my name, date of birth and NINO? Surely these are not enough to take a credit in my name? If they will be trying to fiddle HMRC using my NINO - I am not sure if this will be that easy, unless they try to pay my taxes for me? I suppose claiming tax credits or any other benefits may be the case, but this is always cross-checked so this may be a no-go. So what can they really do with all this information?

I am not trying to downplay the seriousness of the situation at all, merely trying to step back and think on how this can affect my and - as it seems - many people's day to day living. 

TheBanker

crism said:

I am affected by this lifetime sticky situation as well. 

And I am not really looking forward to having my credit report checked every few seconds throughout my lifetime, especially that after year 1 I will have to pay for this myself. Probably with all 3 credit check agencies. It will quickly turn into pretty stressful situation - for many. 

As for Cifas, I really believe a 0 registration - a potential victim of fraud - will be a nightmare in the real world, as most probably any red flag on a credit application will trigger auto-refusal, no questions asked. In the end, who wants to deal with any issues of one person when there are so many others with no said red flag? 

Now what I am wondering about is what a criminal can do with my name, date of birth and NINO? Surely these are not enough to take a credit in my name? If they will be trying to fiddle HMRC using my NINO - I am not sure if this will be that easy, unless they try to pay my taxes for me? I suppose claiming tax credits or any other benefits may be the case, but this is always cross-checked so this may be a no-go. So what can they really do with all this information?

I am not trying to downplay the seriousness of the situation at all, merely trying to step back and think on how this can affect my and - as it seems - many people's day to day living. 

A lender who declines a credit application simply due to the presence of a CIFAS marker is likely to be in breach of their CIFAS membership agreement (and CIFAS do audit their members). The marker is supposed to prompt a further review of the application. I am not saying people don't get declined simply due to the presence of a CIFAS marker, but they shouldn't. For Protective Registration, I do not think you would be declined.

So what can someone do? Well with those details they can probably find your address (if it wasn't part of the breached data). That would give them enough to start applying for accounts in your name with some institutions, which could then be used to apply for credit. If you are an active social media user they'd be able to find a bit more about you from there. Fortunately I don't believe payment card details were stolen - this has been a feature of previous major breaches e.g. the BA breach which they were fined for. 

More likely they'd use the stolen data, and anything else they can pick up from your publicly available information to try to scam you. They could tell you that your accounts had been compromised due to the Capita breach, and you urgently needed to move the money to a new Safe Account that they've set up for you. You'll probably say you won't fall for this, but millions of pounds are lots to 'Safe Account' scams each year.

I work in banking, I've worked in fraud in the past, and personally I would not be too concerned by any of this, but I don't have open social media profiles, I keep an eye on my own credit report using the free services, I have all my online services (not just bank accounts, but email addresses, social media profiles, shopping sites) protected with strong, unique passwords and where available 2FA. I know that if 'the bank' call me out of the blue, I need to call them back on a known number (if it's a major bank you can ring 159 now and they'll put you through to the right people). I know that if I have taxes to pay, HMRC will send a formal letter or notification through my online tax account, they won't send a WhatsApp message.

Obviously, people need to decide for themselves how concerned they should be. But personally I would not be too concerned because I think the existing measures I take are sufficient to protect myself. I think regardless of whether you opt for credit file monitoring and/or CIFAS protective registration, being aware that you could be targeted by scammers on the back of this is really important.