Ford Money Data Breach 1 August 2023

BooJewels

Maybe it's me, but I'm just not getting the concern over this and quite how computers have been "polluted with hundreds of Ford Money customers' email addresses" - they'll just be in the header of one email - just hit the delete key and then empty your trash folder, job done.  The yobs walking home past my house from a nearby gym and lobbing energy drink cans into my foliage cause more pollution. I utter a couple of expletives and put the offending articles in my recycling bin - problem solved.  It's a bit more effort if the can wasn't empty and I get a sticky puddle on my garden furniture - I might utter a few more rude words.

The only thing that might concern me modestly is people now having my email address and what that might lead to.  But I'd like to think that the kind of person that saves with Ford Money might be above doing anything outright malicious with it.  If I was really concerned, I'd change the email used with my Ford account and be more vigilant about mail from them and what address it was sent to.  Not sure that modest effort requires compensating.

TheWoodler

If the recipients were confined to Ford Money customers, then that limits the breach. The data have not been released beyond the other customers. Ford’s response seems proportionate to me. 

Being ccd in doesn’t in and of itself expose you to being phished or scammed. My email has been in a data breach, in common with most of the population I suspect, but it would have to be an external hack to steal the data associated with financial accounts.

Or are you saying that other customers could do something nefarious? 

Money_Grabber13579

LikeaDream said:

Growingold said:

I'm a FORD Money customer and I didn;t receive any email about any competitiion results.  I hadn't even known they were running one.  Did other Ford Money customers receive one?

Was this a scam maybe?

Only those Ford Money customers that entered a Ford Money competition had their personal identification data breached. The data breach is limited to those hundreds of customers that trusted Ford Money with their personal data. Ford Money has now been forced to implement email training and upgrade its email systems. But is doing nothing to help customers clean up personal email systems polluted with hundreds of Ford Money customers' email addresses. They've admitted the data breach was due to a mistake and obviously lack of email training and the right email software for data security. They've offered a token gesture of goodwill but that's their full and final offer and to get proper compensation make a complaint to the Financial Ombudsman Service and the Office of the Information Commissioner.

OP, when you checked all of the email addresses on haveibeenpwned and half of them said they had been compromised, did you check to see what event they had been compromised from? I suspect it’s much too soon for them to be showing as compromised form the Ford Money breach and so those were compromised as some time in the past.

One of my email addresses has been compromised in three separate breaches. Am I worried? No. I just ignore any spam emails I get telling me I’ve won something, that i need an enlargement, that someone has been watching me on my computer etc. Having an email address by itself cannot give anyone access to anything.

LikeaDream

BooJewels said:

Maybe it's me, but I'm just not getting the concern over this and quite how computers have been "polluted with hundreds of Ford Money customers' email addresses" - they'll just be in the header of one email - just hit the delete key and then empty your trash folder, job done. 

The only thing that might concern me modestly is people now having my email address and what that might lead to. 

The address book has over 300 email addresses collected in it from the Ford Money Data breach emails. So who now has the task of cleaning up the address book. Not Ford Money. They've washed their hands of that problem. That isn't solved by a quick email deletion. Yes, Ford Money asked for the emails to be deleted. But who now has to spend time identifying genuine contacts from the Ford Money contacts and deleting those that if left could lead to phishing attacks if a hacker acquired that address book.

LikeaDream

TheWoodler said: My email has been in a data breach, in common with most of the population I suspect, but it would have to be an external hack to steal the data associated with financial accounts.

Your email address is already compromised so why didn't you delete it? Because it would take weeks to notify all your contacts of a new address. Now you'll be getting spam and scam targeted at you. Did you just view that image? That was unfortunate because now you've downloaded malware that has captured all of your address book contacts. Those contacts will now be getting phishing emails probably spoofing your email address to look genuine so that more personal details can be gained.

Ford Money doesn't want to acknowledge this is what could happen. And what happens if the malware contains a keylogger to capture logins and passwords?  If online fraud didn't happen then there would be no need for Action Fraud UK or GCHQ to be there to shut down the scammers. 

What we're talking about here is the dismissive way that Ford Money treats Data breaches for customers that haven't previously had their personally identifiable data made public. 

masonic

LikeaDream said:

TheWoodler said: My email has been in a data breach, in common with most of the population I suspect, but it would have to be an external hack to steal the data associated with financial accounts.

Your email address is already compromised so why didn't you delete it? Because it would take weeks to notify all your contacts of a new address. Now you'll be getting spam and scam targeted at you. Did you just view that image? That was unfortunate because now you've downloaded malware that has captured all of your address book contacts. Those contacts will now be getting phishing emails probably spoofing your email address to look genuine so that more personal details can be gained.

This happens to most email addresses, whether they've been involved in what you mischaracterise as a "breach" or not. Spam and phishing attacks can be sent to anyone. They are sprayed out to any conceivable email address. If you sign up for an email address that is vaguely meaningful, chances are, sooner or later, it will start receiving spam/scam/phishing messages even if you never use it or tell anyone of it. 

You are also over-egging the risks of viewing such emails in my opinion. In contemporary devices, browsers and email clients, there should be multiple layers of security in place to mitigate the risk you describe, but ultimately the same risk applies to opening any webpage. Perhaps this is the reason your relative is seriously distressed about the accidental disclosure of their email address to a group of people who, by your own admission, there was no suggestion would put the information to nefarious use.

I certainly would not change my email address on the first occasion I receive a spam/scam/phishing message. There is simply no need. Most are recognised by my email provider, and I can exercise basic common sense when deciding how to deal with others. If I was not willing to accept the possibility of being delivered a malicious email or malicious ad on a webpage, then I would not use email/the internet. The two go hand in hand.

BooJewels

LikeaDream said:

BooJewels said:

Maybe it's me, but I'm just not getting the concern over this and quite how computers have been "polluted with hundreds of Ford Money customers' email addresses" - they'll just be in the header of one email - just hit the delete key and then empty your trash folder, job done. 

The only thing that might concern me modestly is people now having my email address and what that might lead to. 

The address book has over 300 email addresses collected in it from the Ford Money Data breach emails. So who now has the task of cleaning up the address book. Not Ford Money. They've washed their hands of that problem. That isn't solved by a quick email deletion. Yes, Ford Money asked for the emails to be deleted. But who now has to spend time identifying genuine contacts from the Ford Money contacts and deleting those that if left could lead to phishing attacks if a hacker acquired that address book.

I don't think you can hold Ford Money responsible for your 'relative's' email programme settings.  They've made a choice at some point to engage the setting 'add all addresses to contacts' so that is a risk they've taken and found out the hard way why it's a poor decision.  Your 'relative' is probably most upset with themselves for bringing this modest, albeit slightly tedious, problem upon themselves and is looking for someone else to blame.  I'm not in a bit surprised that Ford aren't interested - that aspect is a non-starter.

And if it's only around 300 addresses, I think the statistical chances of one of those having poor motives and using this opportunity that's unexpectedly landed in their lap to do something inappropriate with the addresses they can now see, is somewhat slim.  As I said in the quote you chose to trim off - I'd like to think Ford Money customers are not likely to be in the section of society that would have those sort of motives and be rubbing their hands in glee at the little surprise gift Ford Money have sent their way. 

I also think the way phishing works is a scatter gun approach in very large numbers - tens of thousands of recipients at least to make it statistically probable to get some success - I doubt 300 emails would yield enough chance of success to be worth the effort.

As I also suggested and you trimmed - your 'relative' can easily change the email address they use with Ford, so that they can identify genuine mail from Ford from other potential problem messages in future.  Anyone who has suitably robust personal email practices won't be troubled by this.  Maybe your relative needs to be better schooled in such matters.

TheWoodler

I agree entirely with @masonic. No need for me to delete my email address in the event of a data breach. My email client provides security that consigns most spam and scam mails to the junk bin, and common sense just deals with the odd one that slips through.

I said that my email had been in a data breach, but did not specify which breach, and it was nothing to do with Ford Money in any case. You asked me if I viewed an image? What image? I downloaded no malware. You are making leaps on no foundation. It does not follow that exposure of your email to others = scams, malware etc. 

Effectively there is no difference between sending the email CC with all addresses visible, or from a BCC mailing list hiding the addresses - it’s the same data. Other Ford Money customers could see others’ addresses in this instance - that shouldn’t have happened, agreed. But that is limited to other Ford Money customers. Exactly the same data is used for a BCC list. What is the difference? So where would malware come from? 

You are also talking to someone who underwent a genuine data breach at a financial institution of a different order (not email) and whose complaint was upheld. This is because I stuck to facts and set out my case without catastrophising, which is what you are doing here, and as it was a genuine breach, case proven. Panic and over-egging the position without fully understanding GDPR, and how both security measures and actual scams and malware work, doesn’t help you or your relative, who is now needlessly frightened. 

I suggest that you and your relative take advantage of free courses such as those offered by Barclays’ Digital Eagles programme https://www.barclays.co.uk/digital-confidence/eagles/ for reassurance and to equip yourselves with the right approach, skills and confidence to approach digital banking.

Most financial institutions have very good webpages on fraud and scams, which are hugely informative. They are worth a read for anyone looking to be more confident with online banking and online security. If you are in employment in an office-based role, your employer should provide annual mandatory GDPR training, which should reassure you as to the nature of this incident, or you should be able to access such training locally under a digital skills programme.