Data breach

dlk

There may not be but just wondered if there's any recompense I should expect from a data breach from Cruise1st.

They sent a sales email out on Monday evening for upgrades on an existing cruise booked to a number of customers but instead of Bcc the email they CC'd everyone in and about a thousand customers can all see each other's email addresses.

Now it might just be coincidence but on Monday night my email was hacked, followed by my Netflix account hacked. I spent hours getting access to these again and have now changed password etc so the only financial loss is £14.50 they spent in Netflix but for the time I expected some sort of apology or compensation but cruise first simply explained it was an accident and its done now so nothing they can do.

I work in banking and know a data breach there is a pretty serious thing but evidently not in the travel industry maybe. Is there any additional course of action I can take with an ombudsman or anything for having my details shared. Its still causing inconvenience now as since changing my email password its been locked again twice after someone has tried to access it again.

powerful_Rogue

dlk said:

There may not be but just wondered if there's any recompense I should expect from a data breach from Cruise1st.

They sent a sales email out on Monday evening for upgrades on an existing cruise booked to a number of customers but instead of Bcc the email they CC'd everyone in and about a thousand customers can all see each other's email addresses.

Now it might just be coincidence but on Monday night my email was hacked, followed by my Netflix account hacked. I spent hours getting access to these again and have now changed password etc so the only financial loss is £14.50 they spent in Netflix but for the time I expected some sort of apology or compensation but cruise first simply explained it was an accident and its done now so nothing they can do.

I work in banking and know a data breach there is a pretty serious thing but evidently not in the travel industry maybe. Is there any additional course of action I can take with an ombudsman or anything for having my details shared. Its still causing inconvenience now as since changing my email password its been locked again twice after someone has tried to access it again.

You can report it to the ICO, they won't get you compo though.

eskbanker

dlk said:

Now it might just be coincidence but on Monday night my email was hacked, followed by my Netflix account hacked. I spent hours getting access to these again and have now changed password etc so the only financial loss is £14.50 they spent in Netflix but for the time I expected some sort of apology or compensation but cruise first simply explained it was an accident and its done now so nothing they can do.

As you accept, you can't really prove that the attacks on your accounts were a consequence of the cruise company's error, in that it's just circumstantial, so you're unlikely to be able to make any claim against them stick.

Mark_d

Finding lists of email addresses is not difficult. I'm sure millions of people either have or could guess my email address.

Your email and Netflix accounts were likely hacked due to poor security practices.  Do you use different, long, secure passwords for all your online services?  Do you use two-factor authenticated wherever it is available?  Do you ever connect to networks which could be compromised?

It sounds like someone is trying to guess at passwords to access your email account.  Any good email provider would block the IP address of the person trying different passwords for your account. My email account is even configured to only allow login attempts from the UK.

user1977

Why would the data breach have anything to do with your email being hacked? (unless your password was "ILOVECRUISE5")

It's almost certainly just a coincidence.

Aylesbury_Duck

If the only information shared was an email address, how did they access your email and Netflix accounts?  Presumably they guessed your password (is it the same for both?) or they worked it out from clues such as social media posts, e.g. people regularly tell everyone when it's their birthday and what their dog's name is on facebook.  I'm also assuming you didn't have MFA on either?

Not excusing the error, but any loss or inconvenience would appear to be down to some poor security on your part as well as their error.  It's probably a good, and fairly cheap, warning that you need to secure things better than you have done until now.

born_again

What have Cruise1st said abut this, as nothing online. Although they come under Sunshine Cruise Holidays Ltd.

Have they reported it to ICO as they have 72 hours to do so?

dlk

born_again said:

What have Cruise1st said abut this, as nothing online. Although they come under Sunshine Cruise Holidays Ltd.

Have they reported it to ICO as they have 72 hours to do so?

They simply said it was a mistake but they didn't see it as much of an issue.

MattMattMattUK

dlk said:

born_again said:

What have Cruise1st said abut this, as nothing online. Although they come under Sunshine Cruise Holidays Ltd.

Have they reported it to ICO as they have 72 hours to do so?

They simply said it was a mistake but they didn't see it as much of an issue.

They will probably self report to the ICO, they will get told not to do it again and someone will have to go on a course, it is pretty much the lowest level of data breach that can occur considering how most people's emails are already available online in huge batch files.

Your issue with Netflix indicates weak, likely repeated passwords and a failure to use 2FA, both of which are far bigger security issues than someone knowing your email. Use it as a wakeup call, change any passwords which are similar, enable 2FA where available.

PHK

Just to be clear. It's very unusual for compensation to be paid for a data  breach. The ICO don't award compensation , In fact you'd need to go to court and even then it's unlikely to be awarded. 
In a case like this when no real harm was done then I doubt very much you'd get anything. 

IvanOpinion

Use 'haveIbeenpwned' website to see what data breaches your email has been involved in. Then try running a digital footprint check using malwarebytes to see what information may have been accessed. I wouldn't worry about an email address, they are equivalent to a postal address - they are out there but you may have to do a little bit of work to find the correct one.

When people 'expect an apology' it reminds me of one of those day-in-the-life TV shows. Something trivial had happened and the customer was demanding a written apology. A staff member explained this to the VP, whose response was along the lines of "Tell them to go $%^^% themselves'. The staff member then typed out a nice letter (much more diplomatic and apologetic) and took it into the VP for signing. He took a quick look at it and he threw it back at her, so she simply PP'd it and sent it out. I hope the customer was happy with their apology.