
Ford Money Data Breach 1 August 2023


  • sheslookinhot
    sheslookinhot Posts: 2,262 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    On 1 August 2023 Ford Money's Head of Marketing sent two emails to Ford Money savings customers about the result of a competition. Unfortunately, those two emails shared the email addresses and names contained in those email addresses to all other participating current Ford Money customers. I checked for the relative that's now seriously distressed and concerned to find that a large number of those email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers and spammers. As such all those customers are now at high risk of receiving phishing attacks because the data breach links the email address to a person holding an active Ford Money savings account.

    The relative is now so upset at Ford Money's dismissive attitude that I hope Martin Lewis can get the FCE Bank to actually help all those Ford Money customers to be safe and secure.
    How much does your relative want?

    just as well your “relative” is not in a real crisis.
    Mortgage free
    Vocational freedom has arrived
  • InvesterJones
    InvesterJones Posts: 1,217 Forumite
    1,000 Posts Third Anniversary Name Dropper

    Happened in The City a few years back. A new "Gentleman's Club" had solicited membership enquiries by email and then replied "CC" to the prospective members. 

    A few names on there raised some eyebrows, even more so that they had used their work email address.

    Fantastic way to get rid of an annoying boss :p
  • DeLaSole
    DeLaSole Posts: 76 Forumite
    Second Anniversary 10 Posts
    edited 11 August 2023 at 9:41AM
    Nothing's been compromised, it's not even a "data breach". Someone has stuck a load of email addresses into "CC" rather than "BC".

    Happened in The City a few years back. A new "Gentleman's Club" had solicited membership enquiries by email and then replied "CC" to the prospective members. 

    A few names on there raised some eyebrows, even more so that they had used their work email address.


    Hi flaneurs,

    ICO does say:  "Personal data breaches can include: ... sending personal data to an incorrect recipient" which is what the opening poster is saying happened. 
     

    Best wishes.

  • booneruk
    booneruk Posts: 735 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    DeLaSole said:
    Nothing's been compromised, it's not even a "data breach". Someone has stuck a load of email addresses into "CC" rather than "BC".

    Happened in The City a few years back. A new "Gentleman's Club" had solicited membership enquiries by email and then replied "CC" to the prospective members. 

    A few names on there raised some eyebrows, even more so that they had used their work email address.


    Hi flaneurs,

    ICO does say:  "Personal data breaches can include: ... sending personal data to an incorrect recipient" which is what the opening poster is saying happened. 
     
    Best wishes.

    Original poster also said "email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers"

    See my post just above 
    :) 
  • DeLaSole said:
    Nothing's been compromised, it's not even a "data breach". Someone has stuck a load of email addresses into "CC" rather than "BC".

    Happened in The City a few years back. A new "Gentleman's Club" had solicited membership enquiries by email and then replied "CC" to the prospective members. 

    A few names on there raised some eyebrows, even more so that they had used their work email address.


    Hi flaneurs,

    ICO does say:  "Personal data breaches can include: ... sending personal data to an incorrect recipient" which is what the opening poster is saying happened. 
     
    Best wishes.

    I've just checked and yes, you are right. Apparently sharing an individual's email address (without their permission) is a breach of the GDPR (or whatever the regulations are now called). Apologies.
  • DeLaSole
    DeLaSole Posts: 76 Forumite
    Second Anniversary 10 Posts
    booneruk said:
    DeLaSole said:
    Nothing's been compromised, it's not even a "data breach". Someone has stuck a load of email addresses into "CC" rather than "BC".

    Happened in The City a few years back. A new "Gentleman's Club" had solicited membership enquiries by email and then replied "CC" to the prospective members. 

    A few names on there raised some eyebrows, even more so that they had used their work email address.


    Hi flaneurs,

    ICO does say:  "Personal data breaches can include: ... sending personal data to an incorrect recipient" which is what the opening poster is saying happened. 
     
    Best wishes.

    Original poster also said "email addresses have been compromised and therefore computers are at risk of potentially running malware capturing email addresses for scammers"

    See my post just above  :) 
    Hi booneruk,

    Like you, and I guess most posting, I do not share the underlying worry of the OP/OP's relative. But as the title of thread includes 'Ford Money Data Breach' then I just think it's reasonable not to use what we individually believe is a data breach based on our personal assessment of seriousness of situation, but rather what the ICO says can constitute a data breach.

    Best wishes.

  • eskbanker
    eskbanker Posts: 37,155 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    eskbanker said:
    The relative is now so upset at Ford Money's dismissive attitude that I hope Martin Lewis can get the FCE Bank to actually help all those Ford Money customers to be safe and secure.
    What does your relative expect Ford Money to do?  There are protective ID services, which will sometimes be made available to victims of more significant data breaches, i.e. including name and address and other data that would be viable for ID theft, but email addresses in themselves are unlikely to warrant that.
    OP - can you clarify what you/your relative actually expects Ford Money to do, now that this has happened?  I'm assuming that they'll have apologised to those affected and perhaps warned them of an increased risk of phishing, etc, but they obviously can't turn back time and put the genie back into the bottle, so what specific help do you feel would be possible and useful now?
  • I'm a FORD Money customer and I didn't receive any email about any competition results.  I hadn't even known they were running one.  Did other Ford Money customers receive one?

    Was this a scam maybe?

    Only those Ford Money customers that entered a Ford Money competition had their personal identification data breached. The data breach is limited to those hundreds of customers that trusted Ford Money with their personal data. Ford Money has now been forced to implement email training and upgrade its email systems. But is doing nothing to help customers clean up personal email systems polluted with hundreds of Ford Money customers' email addresses. They've admitted the data breach was due to a mistake and obviously lack of email training and the right email software for data security. They've offered a token gesture of goodwill but that's their full and final offer and to get proper compensation make a complaint to the Financial Ombudsman Service and the Office of the Information Commissioner.
  • jimjames said:

    This does seem a rather big overreaction calling this a compromise situation that's relying on multiple stages happening for anything to even be breached. It's nothing to do with Ford Money whether an email password has been changed and makes absolutely no difference to the security of your relative's email address. If a device has been compromised I suspect that the recipients of one email amongst thousands is unlikely to be top of the list for a hacker to access when far easier sources of email addresses are available. On its own an email address isn't really going to do much, I'm not sure how bigjim1998@hotmail is going to link to my name or address for example.

    Remember that each recipient of the Ford Money competition winner being chosen email also received all of the email addresses of all the other recipients. In two data breach emails. Unfortunately, many of the competition entrants used an email address like firstname.lastname@ so hackers accessing a compromised device will link the email to hundreds of known Ford Money savings customers and in many cases be able to deduce the customer names thus making it easier for a follow up phishing email to appear genuine.  But Ford Money are ignoring the possibility of any of the hundreds of email devices being compromised and assert there's no risk of fraud to any when we see almost daily cases reported in the media of customers being conned into trusting scammers and fraud taking place.
     