Company lost my data & failed to report - what do I do?



Hello everyone - I've had a letter from a wealth management firm I've used in the past (set up my mortgage years ago) saying my data has been stolen. I'm no expert in this area and don't really know who to turn to so thought I'd post here.
It strikes me that they don't outline what data was stolen, and that they didn't inform me at the time (if I'm not mistaken they are required to do so). But what's really odd to me is they're offering a product which puts the onus on me to sort it out, and sort of seems like a sales opportunity for them.
Does any of this seem fishy? I'm really stressed out about this and uncomfortable that they've alerted me to a potential risk yet are really doing nothing about it apart from offering me a free trial on software, there is no other actionable or more information to put my mind at ease. Should I be contacting someone further to ensure safety or taking things further somehow? Excerpt from letter below:
Important information about your personal data
As a current or former client of a financial adviser within REDACTED, I am writing to you to make you aware of a data breach within REDACTED. In May 2023 we identified a cyber incident impacting isolated parts of our IT system. The incident was quickly contained and all necessary steps to ensure our systems' security were undertaken. We also informed the relevant authorities and regulators and have been working with them throughout our response to the incident.
We did not contact you at the time as it was not initially confirmed that any data pertaining to you was affected. However, after completing an extensive review, further information has come to light where we have now identified some of your personal data.
We have completed expert analysis of the data involved in this incident and have determined, given the nature of the stolen data, that there is a risk the data may be used by someone to deliberately target you, for their own financial gain. We are also concerned that there is sufficient data about you to enable attempts to impersonate you or approach you (via telephone or email) with potentially believable scams.
How we are helping reduce the risk.
To help mitigate the risk of data misuse, we are offering you 24 months of free credit and web monitoring services, provided by Experian, one of the UK's leading Credit Reference agencies.
Your Complimentary Experian Identity Plus membership
To help you to monitor your personal information for certain signs of potential identity theft, we are offering you a complimentary 24-month membership to Identity Plus. This service helps detect possible misuse of your personal data and provides you with identity monitoring support, focussed on the identification and resolution of identity theft.
Comments
So you think them paying for a third party service for you for 2 years is a "sales opportunity"?
It's not "software" but a service offered by Experian (https://identity.experian.co.uk/get-started/protection) for these types of circumstances, they will alert you if they see activity either on your credit file that could be fraudulent (eg someone applying for credit in your name) and look to identify if your details are being offered for sale somewhere etc.
Ultimately the data is gone which they cannot undo and so helping you protect yourself from identity fraud is really the best they can do.
As a competing service to Experian you could also apply for protective registration with CIFAS, though note this 1) means you won't be able to easily apply for credit and get an instant approval yourself and 2) not all credit providers use CIFAS so it's less complete than Experian but more definitive at blocking attempts if it is with a CIFAS member.
First thing I'd do is contact them by phone, using whatever number you used to use, not any number listed on that letter, to check that this is genuine. I don't know if it's possible to contact the ICO to check as well? I would have thought that a data breach like the one described would have been reported.
If it is genuine, then I don't see any harm in looking at the complimentary service being offered, but as a priority, you should change your passwords on everything - bank accounts, mortgage account, email, Amazon, PayPal, etc. and have a unique password for each. And take a look at each account to make sure there aren't any unusual transactions on there. That won't stop someone intent on impersonating you with whatever data they have, but it will help make your accounts more secure.
DullGreyGuy said:
So you think them paying for a third party service for you for 2 years is a "sales opportunity"?
It's not "software" but a service offered by Experian (https://identity.experian.co.uk/get-started/protection) for these types of circumstances, they will alert you if they see activity either on your credit file that could be fraudulent (eg someone applying for credit in your name) and look to identify if your details are being offered for sale somewhere etc.
Ultimately the data is gone which they cannot undo and so helping you protect yourself from identity fraud is really the best they can do.
As a competing service to Experian you could also apply for protective registration with CIFAS, though note this 1) means you won't be able to easily apply for credit and get an instant approval yourself and 2) not all credit providers use CIFAS so it's less complete than Experian but more definitive at blocking attempts if it is with a CIFAS member.
From Experian's point of view it is a sales opportunity. They will have sold the service at a discount to the Wealth Management company at a discounted rate (which is still a cost to the WM company) with the hope that you will continue the service when the part the WM paid for expires.
It's not a sales opportunity for the WM company other than to try to retain affected customers.
Make a note in calendar & diary to cancel before the 24 months are up, or you could be billed.
That is the only sales danger to you.
Life in the slow lane
dilby said:
DullGreyGuy said:
So you think them paying for a third party service for you for 2 years is a "sales opportunity"?
It's not "software" but a service offered by Experian (https://identity.experian.co.uk/get-started/protection) for these types of circumstances, they will alert you if they see activity either on your credit file that could be fraudulent (eg someone applying for credit in your name) and look to identify if your details are being offered for sale somewhere etc.
Ultimately the data is gone which they cannot undo and so helping you protect yourself from identity fraud is really the best they can do.
As a competing service to Experian you could also apply for protective registration with CIFAS, though note this 1) means you won't be able to easily apply for credit and get an instant approval yourself and 2) not all credit providers use CIFAS so it's less complete than Experian but more definitive at blocking attempts if it is with a CIFAS member.
You can certainly ask them what they believe was taken but on the basis it's taken them a year to identify the attack managed to access more data than they originally realised does suggest they may not fully know.