Retailer won’t close fraudulent account

nhoneymon

Hoping someone can offer advice.  Someone has used my details to set up an online account with a retailer (Just My Look).  They used my name,  address and email and placed an order to be sent to an alternative address.  I believe they must have hacked my email, as they were also able to use stored card details on a pay app, and would have needed the verification code to complete the purchase.

I have hopefully secured the payment app and email account now, but I’m having difficulty getting the retailer to close down the account.  I have explained that it was set up fraudulently using my details, I was told it would be dealt with if I replied to their email with a few details, but all I got was a response saying they couldn’t delete the account as they needed to keep the order details for 6 years for HMRC!  I don’t believe that they need to keep the account open in order to store the transaction details.  What they are suggesting would mean someone could keep running an account using my details for several years.

I have sent a complaint (they are only contactable online) but am unsure what the next course of action should be if they refuse to close the account.  An internet search suggests the Financial Ombudsman Service, but looking at their website I’m not sure it’s the type of complaint they deal with.

user1977

Is there possibly confusion between "close" and "delete"? They can stop access to the account but it's legitimate for them to keep records. 

nhoneymon

Possibly.  I asked for the account to be closed but they used the word delete.  Hopefully the next reply will be a bit more helpful.  Live chat were no help as they just referred me to the email thread, so I am yet again waiting for an email response.

Ergates

nhoneymon said:

Possibly.  I asked for the account to be closed but they used the word delete.  Hopefully the next reply will be a bit more helpful.  Live chat were no help as they just referred me to the email thread, so I am yet again waiting for an email response.

Agree with user1977 - they've gotten confused.   You're not asking them to remove the data, just to inactivate/block the account.

nhoneymon

I do get the impression that when the enquiry is passed from one department to another they don’t bother reading the previous comments.

nhoneymon

Update:  I have eventually had a further reply which is equally useless.  They have now said they can’t assist further at this time as a chargeback has been raised.  I asked if they can reset the password as I don’t want someone to keep using my details, and they advised not as I have said the account wasn’t set up by me, and cited GDPR.  The account wasn’t set up by me, but the details on the account are mine!  I have told them someone set up the account fraudulently using my details, surely they are legally obliged to act on this?  They haven’t asked me to verify my identity, or even said they will investigate.  They seem content to let someone continue to use my details.  

A_Geordie

nhoneymon said:

Update:  I have eventually had a further reply which is equally useless.  They have now said they can’t assist further at this time as a chargeback has been raised.  I asked if they can reset the password as I don’t want someone to keep using my details, and they advised not as I have said the account wasn’t set up by me, and cited GDPR.  The account wasn’t set up by me, but the details on the account are mine!  I have told them someone set up the account fraudulently using my details, surely they are legally obliged to act on this?  They haven’t asked me to verify my identity, or even said they will investigate.  They seem content to let someone continue to use my details.  

I would suggest you bypass all of that and do the following: 

1. Report the issue to Action Fraud, preferably if you register an account you will be able to track and discuss the matter with AF otherwise report it without registering.

2. Draft a letter or email and send it to privacy@justmylook.com. Use a catchy subject line such as "Fraudulent use of personal data - Request to (1) immediately restrict processing and (2) request for erasure"

(a) Keep the relevant facts concise to what they need to know and without going off on an tangent. Tell them that you have also reported the matter through Action Fraud and provide them with the police crime number.

(b) Explain that in light of the circumstances, you are exercising your right under Article 18 of the UK GDPR and requesting that Just My Look immediately restrict the processing of your personal data associated with the account in question. This should also include any processing of payments or orders under that account where your personal data is required to process that payment or order.

(c) You are also exercising your right under Article 17 of the UK GDPR requiring JML to erase all personal data that they hold about you (and applicable to third parties whom they have shared your data with). This includes the  account your querying. The reason for the erasure is that your personal information has been used fraudulently to set up the account with JML and make purchases. 

(d) In accordance with the UK GDPR, they have one month to comply with your request, or if the request is refused, provide reasonably detailed information as to the refusal. 

You may be asked to provide photographic identification to verify who you are, so you may want to wait for them to ask you that which will likely delay the erasure request or you can supply them with that information as part of your email/letter. Given the nature of the request, it may be sensible to take a selfie along with your passport or driving licence or some other relevant ID that proves who you are.

If you do this, you should also state in your letter that the photograph you have provided is strictly for the purposes of verifying your identity and should not be stored or on their systems or used for any other purposes, but instead deleted immediately once verified since it is no longer necessary for that photo to be retained - You'd be amazed at how many companies delete personal data as requested but then keep other data they didn't already have at the time. 

Failing that, complain to the ICO, wait weeks or months for a response but if the ICO agrees with you, they will ask JML to delete the data. JML could still refuse and then you may have to take legal action against JML to obtain a court order to force them to comply.

Personally I find the ICO hit and miss with their decision making and half the time I'm having to correct them on their own guidance, so I prefer to take legal action as it has a number of advantages, mainly you could claim compensation for wrongful processing of the personal data, the court has strict time limits for JML to respond to any legal action but crucially, lawyers are likely to get involved. That means you are likely dealing with someone who has common sense other than the low level plonkers who don't have a clue (although I will say there are some lawyers that don't have any common sense!). The result being that the matter will be swiftly actioned unless they have a good reason to defend it, in which case wait 6-12 months to argue your case in court. 

nhoneymon

Thank you, that’s all really helpful.  I did look at Action Fraud but it looks like I may need to report to Police Scotland (the delivery address was Scotland so presume the person who committed the fraud lives there).

Thanks for taking the time to respond. 

A_Geordie

No harm in reporting both to AF and Police Scotland for belts and braces, the perpetrator could be residing in England or Wales or NI and arranged for the goods to be delivered to Scotland.

born_again

nhoneymon said:

Update:  I have eventually had a further reply which is equally useless.  They have now said they can’t assist further at this time as a chargeback has been raised.  I asked if they can reset the password as I don’t want someone to keep using my details, and they advised not as I have said the account wasn’t set up by me, and cited GDPR.  The account wasn’t set up by me, but the details on the account are mine!  I have told them someone set up the account fraudulently using my details, surely they are legally obliged to act on this?  They haven’t asked me to verify my identity, or even said they will investigate.  They seem content to let someone continue to use my details.  

If they have all the details, can you not try change password, given OP mentions hacked email.🤷‍♀️ 

Trouble is while they will lock acc down, so it can not be used. They will have to do a internal investigation before totally closing account down.
Or any third party can cause customers problems.

 they must have hacked my email, as they were also able to use stored card details on a pay app

That sounds more like someone has gained your details via a site being hacked you have previously used, rather than just your email, as how would they know you have a pay app linked? Or it is someone you know.

nhoneymon

I have tried changing the password on the retailer site using the forgotten password link, but the emails never arrive.  

It’s possible that the payment app was hacked, but a verification code is sent which needs to be input before the payment can be completed and they were able to do this.  I later received an email saying I had requested to delete the payment app account, I had not so I presume it was the person trying to cover their tracks.  The deletion was not completed but by this time I had changed my email password.  Although I don’t know how purely hacking the email would make them aware that I had the payment app.

No one I know has the relevant information to access my email or apps.  The address the order was sent to is no where near where I or anyone I know lives.