Payslip, worried about identity theft
Hello all,
hope this is the right forum for this, please let me know if not and I can try to move it.
I’m looking for some advice regarding personal information leak with a payslip that was sent to the wrong email address. I’ve seen a few similar questions in the forums, but wanted to try and get some specific advice as the payslip also includes the National Insurance Number.
TL;DR: my wife accidentally sent her payslip to an unknown email recipient, now we’re worried about potential consequences and would like to know what we need to do to protect us from potential issues now and in the future.
So what happened is: my wife accidentally (auto-complete, email address saved in history) sent her payslip from her personal email account to an old WindowsLive.com email account that belonged to her sister. The trouble is that her sister hasn’t used that account since 2013 at the latest and can no longer access or recover it, as the old password is no longer accepted and the recovery email account partially shown in the relevant option is not hers. The email was delivered (i.e. did not get an “undelivered” notification), so this makes us think that the email account has been deleted due to inactivity and was subsequently recycled, i.e. now belongs to someone else. Or even worse, it has been hacked or spoofed, so it could now be controlled by a malicious person. We did send an email afterwards asking for the accidentally sent email to be deleted, but have had no response.
Our worst case assumption therefore is that her personal information (name, email address, current address, national insurance number, employer name and address, last 4 digits of her bank account) has now been compromised and we need to protect ourselves. What do we need to do to achieve that? What are the scenarios we need to be protected from? And, do we need to worry about this for ever, as things like name and National Insurance Number obviously stay the same and never change, so they’ll be “out there” forever?
So far we’ve done the following:
- notified her bank about this, they suggested CIFAS protective registration, there is nothing they can do at this point
- contacted Action Fraud, they suggested CIFAS too, as no actual fraud has occurred (yet, at least)
- checked credit reports on all agencies for anything suspicious (nothing yet)
- Added CIFAS protective registration for 2 years
- Set reminders to frequently check on credit reports for anything suspicious
- put a password via a notice of correction on her credit report in Experian, the rest to follow
Planning or thinking about doing the following too:
- perhaps put a lock or freeze on her credit reports too
- Sign up to a paid alert service that monitors credit reports
In the near future we are not planning on getting any sort of credit/loan/mortgage, so perhaps we won’t be disrupted much/at all by those measures. But still need some advice/reassurance that we’re doing the right things and we’re not missing something, or even making something worse.
Thanks to anyone that had the patience to read all this, any advice will be highly appreciated
Comments
-
Did you try to contact Microsoft to explain this and ask them if they can delete the email from their side? They will also be able to tell you if the email was opened or if the email is even in use.
-
Putting this as bluntly as I can, this is a complete hysterical overreaction.
WindowsLive/Outlook does not allow emails to be reused, it does not send undeliverable messages and it is highly improbable anyone is using that email.
The theoretical risk of anything happening is only slightly over zero, if anything it will not be other people applying in her name, it will be phishing for card details which can be rendered ineffective by basic common sense.
I agree with Matt that there is little risk. I would suggest that you should keep an eye on credit reports to see if anything new pops up - but we all should be doing that as a matter of course. Maybe if she's got a gov.uk gateway account for tax etc. she should change the password to something wildly random as the NI number would be a useful thing for a scammer - not that I think a scammer could actually intercept this. Everything else is easily available to anyone really from public records.
Uriziel said: "Did you try to contact Microsoft to explain this and ask them if they can delete the email from their side? They will also be able to tell you if the email was opened or if the email is even in use."
@Uriziel - I wouldn't expect Microsoft to engage with the OP or wife as it's not either of their accounts. If the sister contacted them something might happen but otherwise it would be a data breach to accept instructions from someone who is not the account holder.
-
I agree with @MattMattMattUK a completely unnecessary overreaction about an email that is now sitting either on a server unable to be delivered or in an old inbox that will never be accessed again.
You've wasted a lot of your time and if you have paid for anything, your money too.
Action Fraud must be rolling on the floor in hysterics if not angry at the waste of their time too.
-
Thanks all for your input so far, much appreciated!
@Uriziel we didn't really think about that, but like @Brie said, it is unlikely they'd be able/willing to act (e.g. delete an email or even provide information) about an account that presumably belongs to someone else now. Still, perhaps worth asking the question via the sister just in case the account is still hers somehow.
@MattMattMattUK we really hope you're right. There is no concrete official information from Microsoft on this though; it looks like they no longer recycle email addresses, but anecdotal evidence suggests this practice was happening in the past and possibly stopped around 2018. Last time this email account was accessed by my wife's sister was back in 2013 or thereabouts, so it's conceivable (not sure how likely though) that the account belongs to someone else now. And as for undeliverable emails, I just sent an email to a wildly random WindowsLive email address and it immediately came back as undeliverable. This makes us think that the sister's old email account is still receiving emails.
@Brie, my wife does have an account on gov.uk, so good idea to make sure it's changed (although she typically uses strong passwords). And it's also MFA protected, needs to be sent a code via text to login every time.
Yes, it's the NI that we're mostly worried about and trying to understand how it could pose a risk for her, assuming it's leaked. Do scams tend to happen while the data leak is fresh, or is this something we should always be concerned about?
(and yes, being vigilant with credit reports, scams etc. is something we should all be doing)
