Ford Money Data Breach 1 August 2023

On 1 August 2023 Ford Money's Head of Marketing sent two emails to Ford Money savings customers about the result of a competition. Unfortunately, those two emails shared the email addresses and names contained in those email addresses to all other participating current Ford Money customers. I checked for the relative that's now seriously distressed and concerned to find that a large number of those email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers and spammers. As such all those customers are now at high risk of receiving phishing attacks because the data breach links the email address to a person holding an active Ford Money savings account.

The relative is now so upset at Ford Money's dismissive attitude that I hope Martin Lewis can get the FCE Bank to actually help all those Ford Money customers to be safe and secure.

Comments

  • InvesterJones
    I checked for the relative that's now seriously distressed and concerned to find that a large number of those email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers and spammers.
    I don't understand this sentence. How can you tell from an email address that a computer is at risk of running malware? It's hard to find an email address that hasn't been compromised at some point in history, but in the majority of cases people will have changed passwords since.

    However I'd definitely notify the ICO directly, rather than waiting for Martin to get involved. In the meantime usual good practice should apply - don't click on links from unverified sources, install anti-virus with a web/email link checking service etc.
  • masonic
    masonic Posts: 23,406 Forumite
    edited 9 August 2023 at 5:12PM
    On 1 August 2023 Ford Money's Head of Marketing sent two emails to Ford Money savings customers about the result of a competition. Unfortunately, those two emails shared the email addresses and names contained in those email addresses to all other participating current Ford Money customers. I checked for the relative that's now seriously distressed and concerned to find that a large number of those email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers and spammers. As such all those customers are now at high risk of receiving phishing attacks because the data breach links the email address to a person holding an active Ford Money savings account.

    The relative is now so upset at Ford Money's dismissive attitude that I hope Martin Lewis can get the FCE Bank to actually help all those Ford Money customers to be safe and secure.
    If you mean you typed those email addresses into a website that checks if they have been subject to any prior data breaches, then it would be no surprise that almost any email address that has been used to register an account would be subject to at least one breach. It does not mean that any of those email addresses are at risk. Care should be taken using such websites, as some exist just to harvest information from people for nefarious purposes.
    It's worth bearing in mind that the act of supplying someone else's email address to such a website without permission from the owner of the email address itself constitutes a breach of the Data Protection Act.
  • eskbanker
    eskbanker Posts: 31,248 Forumite
    The relative is now so upset at Ford Money's dismissive attitude that I hope Martin Lewis can get the FCE Bank to actually help all those Ford Money customers to be safe and secure.
    What does your relative expect Ford Money to do?  There are protective ID services, which will sometimes be made available to victims of more significant data breaches, i.e. including name and address and other data that would be viable for ID theft, but email addresses in themselves are unlikely to warrant that.
  • mattywallace121
    If they are that distressed tell them to leave and move their money elsewhere?
  • LikeaDream
    LikeaDream Posts: 16 Forumite
    Checking email addresses via a recognised site like haveibeenpwned and not retaining those addresses is not a GDPR issue. There's no disadvantage nor retention of data involved.  But the check does give a chilling indication that half of the addresses have been compromised. Many are clean and uncompromised. Until Ford Money broke their Privacy agreement with customers. 

    Many people won't know their email addresses have been compromised. May not have changed their email password in years. Spam and phishing emails could carry malware. Ford Money has no idea how secure or insecure are any of those devices used by their customers and it only takes one malware download out of the hundreds to capture emails and those data breach email addresses.  

    As the Ford Money email links them to active Ford Money account customers that's a potential phishing goldmine for the criminals.  Lots of hassle created for Ford Money customers and that's just in clearing out the emails and captured email addresses in address books. Changing email address and closing accounts adds to the hassle.
  • masonic
    masonic Posts: 23,406 Forumite
    edited 9 August 2023 at 8:43PM
    Checking email addresses via a recognised site like haveibeenpwned and not retaining those addresses is not a GDPR issue. There's no disadvantage nor retention of data involved.  But the check does give a chilling indication that half of the addresses have been compromised. Many are clean and uncompromised. Until Ford Money broke their Privacy agreement with customers.
    You misunderstand. By entering other people's personal information into a third party website without their permission, you are unlawfully processing their personal data. It doesn't matter what the third party website does with the data (and there really is no way of knowing for sure what they do with it). The only lawful action to take when in receipt of an accidental disclosure of such information is to delete it. 
    Given that this is an accidental disclosure of some email addresses of some Ford Money customers to other Ford Money customers, it's quite unlikely that any of the recipients will put the information to nefarious use, though clearly some are doing things with the information that they should not.
  • IanManc
    IanManc Posts: 2,101 Forumite
    On 1 August 2023 Ford Money's Head of Marketing sent two emails to Ford Money savings customers about the result of a competition. Unfortunately, those two emails shared the email addresses and names contained in those email addresses to all other participating current Ford Money customers. I checked for the relative that's now seriously distressed and concerned to find that a large number of those email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers and spammers. As such all those customers are now at high risk of receiving phishing attacks because the data breach links the email address to a person holding an active Ford Money savings account.

    The relative is now so upset at Ford Money's dismissive attitude that I hope Martin Lewis can get the FCE Bank to actually help all those Ford Money customers to be safe and secure.
    I've got a Ford Money account and I'm not worried in the least because there's nothing to worry about.

    Luckily I haven't got a helpful family member to strike terror into me.
  • LikeaDream
    masonic said: You misunderstand. By entering other people's personal information into a third party website without their permission, you are unlawfully processing their personal data.

    You misunderstand. GDPR exemptions apply to individuals for non-commercial / personal activities. But do take a moment to read the GDPR exemptions and haveibeenpwned's privacy policy for their no retention statement. 

    No retention anyway other than the anonymous data that statistically half of the email addresses had been compromised. This is a generalised guide to how potentially insecure user devices could be as an assessment of the high risk of further compromise and resultant phishing attacks if all Ford Money data breach customers do not delete all Ford Money data breach emails and collected Address Book contacts. This is what Ford Money have to deal with in this messy data breach.

    There was no suggestion other than from your mind that customers would put the information to nefarious use.
  • Growingold
    Growingold Posts: 335 Forumite
    I'm a FORD Money customer and I didn't receive any email about any competition results.  I hadn't even known they were running one.  Did other Ford Money customers receive one?

    Was this a scam maybe?