Ford Money Data Breach 1 August 2023

masonic

LikeaDream said:

masonic said: You misunderstand. By entering other people's personal information into a third party website without their permission, you are unlawfully processing their personal data.

You misunderstand. GDPR exemptions apply to individuals for non-commercial / personal activities. But do take a moment to read the GDPR exemptions and haveibeenpwned's privacy policy for their no retention statement.

I refer you to the case of Fairhurst v Woodard (Case No: G00MK161), 2021, in which use of a video doorbell by a private individual was judged to be in breach of UK data laws - both the UK Data Protection Act and UK GDPR. Data subjects can win cases against individuals processing their personal information contrary to data protection laws. Disseminating personal data received by accidental disclosure to third party a corporate entity, especially across international borders, would surely meet that test. In the case of haveibeenpwned, such use would also be a breach of their Terms of Service.

Regarding privacy policies, I'm sure Ford Money's privacy policy isn't defective, but there is no guarantee your data will be processed in accordance with a privacy policy in practice, as mistakes, attacks, or even technical flaws in the implementation of the services, happen. When you provide your data to any third party, there is a small risk it will at some time be compromised, so customers need to make an informed choice. Customers are denied that choice when others distribute their personal information without permission.

LikeaDream said:

There was no suggestion other than from your mind that customers would put the information to nefarious use.

If no customers puts the information to nefarious use, then there is no risk to customers from the accidental disclosure and your relative has nothing to fear.

masonic

Growingold said:

I'm a FORD Money customer and I didn;t receive any email about any competitiion results.  I hadn't even known they were running one.  Did other Ford Money customers receive one?

Was this a scam maybe?

It might be the case that only those agreeing to receive marketing communications would get such an offer.

TheWoodler

I received no emails about any competition being run by Ford Money - I’m signed up to receive marketing communications, as well as checking into the website regularly, and you’d think they would have publicised the competition in the first place as well as emailing the results.

It also seems strange for financial institutions to run competitions. Many do offer prize draws in return for marketing surveys or response to user community questions, but a prize draw is not a competition. Crucially, prize draws fulfil certain criteria legally that prize competitions do not - competitions are more complex legally as promotional activity. 

When was the competition, and what were the prizes? Another one whose first thought is ‘scam’, I’m afraid. 

DeLaSole

Hi LikeaDream,

Has your relative written to the ICO to report the breach?

Best wishes.

friolento

Another Ford Money customer here who had not heard of any competition by them before, and has not had the emails mentioned. There also doesn’t appear to be any coverage of a Ford Money GDPR breach in the news. I am not sure whether and why I should now be worried about any malware. I agree, it is more likely a scam. 

@LikeaDream, can you share the text of the two offending emails, and the email header information? What was the email address the sender used? What was the competition, when was it run? How many email addresses have been  revealed? 

FindingBBob

lcooper said:

Another Ford Money customer here who had not heard of any competition by them before, and has not had the emails mentioned. There also doesn’t appear to be any coverage of a Ford Money GDPR breach in the news. I am not sure whether and why I should now be worried about any malware. I agree, it is more likely a scam. 

@LikeaDream, can you share the text of the two offending emails, and the email header information? What was the email address the sender used? What was the competition, when was it run? How many email addresses have been  revealed? 

It wasnt a scam, calm down - I got the competition email. I didn't enter. It was about telling stories about what you have saved for etc I don't remember the details. I doubt it would hit the news as the numbers of customers impacted will be small. As i didn't enter I did not receive the email that @likeadream references.. but I would not be worried, your email address has likely been scrapped numerous times (mine has), this is just a clerical error . I guess the competition may have been product specific, I have their flexible saver. You may also want to check if you have marketing permissions switched on or off - if off I doubt you would not have got the original email. 

friolento

FindingBBob said:

lcooper said:

Another Ford Money customer here who had not heard of any competition by them before, and has not had the emails mentioned. There also doesn’t appear to be any coverage of a Ford Money GDPR breach in the news. I am not sure whether and why I should now be worried about any malware. I agree, it is more likely a scam. 

@LikeaDream, can you share the text of the two offending emails, and the email header information? What was the email address the sender used? What was the competition, when was it run? How many email addresses have been  revealed? 

It wasnt a scam, calm down - I got the competition email. I didn't enter. It was about telling stories about what you have saved for etc I don't remember the details. I doubt it would hit the news as the numbers of customers impacted will be small. As i didn't enter I did not receive the email that @likeadream references.. but I would not be worried, your email address has likely been scrapped numerous times (mine has), this is just a clerical error . I guess the competition may have been product specific, I have their flexible saver. You may also want to check if you have marketing permissions switched on or off - if off I doubt you would not have got the original email. 

DOn't worry, I am entirely calm, my email address has never been scrapped, I do have marketing permissions set on in my FM account, but I probably didn't fit the profile of people they were after as I never had more than £20 in my FM account for the last 6 years. Thanks for confirming that there was a competition email, and therefore unlikely that it's a scam.

BooJewels

I got it too - on 21st June.  I just filed it as I'd only opened my account that week, so nothing to tell - they wanted stories about how Ford had helped you save for something.  Not that I would have entered anyway.  This is a paragraph from the centre of the email that sort of summarises it - I've removed the link URL on the T&C as it was a tracker one - but it led to a 2 page pdf on Ford's domain:

"My team will share some of these stories on Ford Money's social channels throughout 2023. The best part? Everyone who shares their story can also enter into a prize draw for a chance to win £1000, which we'll choose at random on 10th July 2023. If you win, we'll add the £1000 to your Ford Money Flexible Saver account balance. See the prize draw terms and conditions for more information."

It all looked legit to me - styling and language consistent with Ford's usual presentation, mouseovers on email addresses went to the Ford domain, headers looked good etc.

jimjames

LikeaDream said:

Many people won't know their email addresses have been compromised. May not have changed their email password in years. Spam and phishing emails could carry malware. Ford Money has no idea how secure or insecure are any of those devices used by their customers and it only takes one malware download out of the hundreds to capture emails and those data breach email addresses.  

This does seem a rather big overreaction calling this a compromise situation that's relying on multiple stages happening for anything to even be breached. It's nothing to do with Ford Money whether an email password has been changed and makes absolutely no difference to the security of your relative's email address. If a device has been compromised I suspect that the recipients of one email amongst thousands is unlikely to be top of the list for a hacker to access when far easier sources of email addresses are available. On it's own an email address isn't really going to do much, I'm not sure how bigjim1998@hotmail is going to link to my name or address for example.

flaneurs_lobster

Nothing's been compromised, it's not even a "data breach". Someone has stuck a load of email addresses into "CC" rather than "BC".

Happened in The City a few years back. A new "Gentleman's Club" had solicited membership enquiries by email and then replied "CC" to the prospective members. 

A few names on there raised some eyebrows, even more so that they had used their work email address.