Ford Money Data Breach 1 August 2023
LikeaDream
Posts: 16 Forumite
On 1 August 2023 Ford Money's Head of Marketing sent two emails to Ford Money savings customers about the result of a competition. Unfortunately, those two emails shared the email addresses and names contained in those email addresses to all other participating current Ford Money customers. I checked for the relative that's now seriously distressed and concerned to find that a large number of those email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers and spammers. As such all those customers are now at high risk of receiving phishing attacks because the data breach links the email address to a person holding an active Ford Money savings account.
The relative is now so upset at Ford Money's dismissive attitude that I hope Martin Lewis can get the FCE Bank to actually help all those Ford Money customers to be safe and secure.
0
Comments
-
LikeaDream said: I checked for the relative that's now seriously distressed and concerned to find that a large number of those email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers and spammers.
I don't understand this sentence. How can you tell from an email address that a computer is at risk of running malware? It's hard to find an email address that hasn't been compromised at some point in history, but in the majority of cases people will have changed passwords since.
However I'd definitely notify the ICO directly, rather than waiting for Martin to get involved. In the meantime usual good practice should apply - don't click on links from unverified sources, install anti-virus with a web/email link checking service etc.
3 -
If you mean you typed those email addresses into a website that checks if they have been subject to any prior data breaches, then it would be no surprise that almost any email address that has been used to register an account would be subject to at least one breach. It does not mean that any of those email addresses are at risk. Care should be taken using such websites, as some exist just to harvest information from people for nefarious purposes.
LikeaDream said: On 1 August 2023 Ford Money's Head of Marketing sent two emails to Ford Money savings customers about the result of a competition. Unfortunately, those two emails shared the email addresses and names contained in those email addresses to all other participating current Ford Money customers. I checked for the relative that's now seriously distressed and concerned to find that a large number of those email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers and spammers. As such all those customers are now at high risk of receiving phishing attacks because the data breach links the email address to a person holding an active Ford Money savings account. The relative is now so upset at Ford Money's dismissive attitude that I hope Martin Lewis can get the FCE Bank to actually help all those Ford Money customers to be safe and secure.
It's worth bearing in mind that the act of supplying someone else's email address to such a website without permission from the owner of the email address itself constitutes a breach of the Data Protection Act.
3 -
What does your relative expect Ford Money to do? There are protective ID services, which will sometimes be made available to victims of more significant data breaches, i.e. including name and address and other data that would be viable for ID theft, but email addresses in themselves are unlikely to warrant that.
LikeaDream said: The relative is now so upset at Ford Money's dismissive attitude that I hope Martin Lewis can get the FCE Bank to actually help all those Ford Money customers to be safe and secure.
1 -
If they are that distressed tell them to leave and move their money elsewhere?
2
-
Perhaps offer some light reading to take their mind off the Ford Money situation... Cyber-attack on UK's electoral registers revealed
6
-
Checking email addresses via a recognised site like haveibeenpwned and not retaining those addresses is not a GDPR issue. There's no disadvantage nor retention of data involved. But the check does give a chilling indication that half of the addresses have been compromised. Many are clean and uncompromised. Until Ford Money broke their Privacy agreement with customers.
Many people won't know their email addresses have been compromised. May not have changed their email password in years. Spam and phishing emails could carry malware. Ford Money has no idea how secure or insecure are any of those devices used by their customers and it only takes one malware download out of the hundreds to capture emails and those data breach email addresses.
As the Ford Money email links them to active Ford Money account customers that's a potential phishing goldmine for the criminals. Lots of hassle created for Ford Money customers and that's just in clearing out the emails and captured email addresses in address books. Changing email address and closing accounts adds to the hassle.
0
-
LikeaDream said: Checking email addresses via a recognised site like haveibeenpwned and not retaining those addresses is not a GDPR issue. There's no disadvantage nor retention of data involved. But the check does give a chilling indication that half of the addresses have been compromised. Many are clean and uncompromised. Until Ford Money broke their Privacy agreement with customers.
You misunderstand. By entering other people's personal information into a third party website without their permission, you are unlawfully processing their personal data. It doesn't matter what the third party website does with the data (and there really is no way of knowing for sure what they do with it). The only lawful action to take when in receipt of an accidental disclosure of such information is to delete it.
Given that this is an accidental disclosure of some email addresses of some Ford Money customers to other Ford Money customers, it's quite unlikely that any of the recipients will put the information to nefarious use, though clearly some are doing things with the information that they should not.
3
-
masonic said: You misunderstand. By entering other people's personal information into a third party website without their permission, you are unlawfully processing their personal data.
You misunderstand. GDPR exemptions apply to individuals for non-commercial / personal activities. But do take a moment to read the GDPR exemptions and haveibeenpwned's privacy policy for their no retention statement.
No retention anyway other than the anonymous data that statistically half of the email addresses had been compromised. This is a generalised guide to how potentially insecure user devices could be as an assessment of the high risk of further compromise and resultant phishing attacks if all Ford Money data breach customers do not delete all Ford Money data breach emails and collected Address Book contacts. This is what Ford Money have to deal with in this messy data breach.
There was no suggestion other than from your mind that customers would put the information to nefarious use.
0
-
I'm a FORD Money customer and I didn't receive any email about any competition results. I hadn't even known they were running one. Did other Ford Money customers receive one?
Was this a scam maybe?
2 -
LikeaDream said: masonic said: You misunderstand. By entering other people's personal information into a third party website without their permission, you are unlawfully processing their personal data. You misunderstand. GDPR exemptions apply to individuals for non-commercial / personal activities. But do take a moment to read the GDPR exemptions and haveibeenpwned's privacy policy for their no retention statement.
I refer you to the case of Fairhurst v Woodard (Case No: G00MK161), 2021, in which use of a video doorbell by a private individual was judged to be in breach of UK data laws - both the UK Data Protection Act and UK GDPR. Data subjects can win cases against individuals processing their personal information contrary to data protection laws. Disseminating personal data received by accidental disclosure to a third party corporate entity, especially across international borders, would surely meet that test. In the case of haveibeenpwned, such use would also be a breach of their Terms of Service.
Regarding privacy policies, I'm sure Ford Money's privacy policy isn't defective, but there is no guarantee your data will be processed in accordance with a privacy policy in practice, as mistakes, attacks, or even technical flaws in the implementation of the services, happen. When you provide your data to any third party, there is a small risk it will at some time be compromised, so customers need to make an informed choice. Customers are denied that choice when others distribute their personal information without permission.
If no customer puts the information to nefarious use, then there is no risk to customers from the accidental disclosure and your relative has nothing to fear.
LikeaDream said: There was no suggestion other than from your mind that customers would put the information to nefarious use.
4