
Thread: How worried should I be?

  1. #1
    Grand Master learningtofly's Avatar
    Join Date
    Jul 2010
    Location
    Everywhere & nowhere, baby
    Posts
    37,594

    How worried should I be?

    I've just received this email from a recruitment consultancy with whom I registered some time ago. Can't say I'm best pleased, tbh.

    I am getting in touch with you today to make you aware that xxxxx recently experienced a cyber security incident, in which one of our databases was impacted and an unauthorised third-party gained access to our systems. Unfortunately, our investigations have shown that some of your personal data was contained on the accessed database and may have been copied.

    Please be assured we took this incident extremely seriously. As soon as we became aware, we took immediate steps to contain it which was successful - and launched a comprehensive investigation.

    What happened?

    We became aware of a potential security issue related to a third-party IT developer improperly storing credentials to our database. We discovered that we were compromised by an unauthorised third party as a result of this, leading to some candidate data being accessed. We immediately took steps to address the issue, including working with external IT cyber-security experts to help investigate, manage and resolve the incident.

    What information was involved?

    We have identified evidence that data copied from our systems includes some information relating to you. We confirm that the information we hold related to you included:-

    • Your name and contact details;
    • Proof of address document
    • Your national insurance number and date of birth.


    What should you do next?
    We take our data protection responsibilities really seriously so we wanted to include some recommended steps that you can take following this incident. Whilst there is no evidence to suggest that you will be impacted as a consequence of this incident, there is a theoretical risk that in the wrong hands, some of the information could potentially be used to attempt to commit identity theft or fraud. While we believe this risk is low we recommend that you exercise increased vigilance in all matters relating to your personal details.

    In particular, it is good practice to:
    • Check your bank accounts regularly, and contact the bank if you see any transactions you do not
      recognise;
    • Be suspicious if anyone contacts you by email, phone call or text message asking you to confirm your
      personal details (for example direct debit details);
    • Never give out personal details over the phone unless you’re sure who you’re speaking to;
    • If you are unsure whether a communication you have received is genuine please get in touch with your
      normal contact to check, and;
    • Use strong passwords (e.g. at least eight characters long with a mixture of numbers, symbols, upper and
      lower case, and change them regularly).

    If you think you have been a victim of fraud you should report it to Action Fraud, the UK's national fraud and internet crime reporting centre, on 0300 123 2040.

    How worried should I be, do you think, and is there a clear best practice response that I should now be initiating?

    TAI

  2. #2
    Grand Master Chris_in_the_UK's Avatar
    Join Date
    Nov 2004
    Location
    Norf Yorks
    Posts
    43,026
    Not good Tony TBH.

    I have had e-mail details leaked in the past and other than spam stuff coming through it has been nothing more than a minor irritation.

    Given they have (potentially) leaked proof of address stuff - this will only leak to your current address?

    National Insurance info - specific to you but I get why it's a worry.

    Contact details - again, specific to you at your current address.

    I would be concerned if it was me, and I would be communicating my concerns, worries and suggesting to them that you would be referring the matter to the ICO.
    When you look long into an abyss, the abyss looks long into you.........

  3. #3
    Master badger1's Avatar
    Join Date
    Sep 2006
    Location
    Bristol
    Posts
    1,542
    I’d be looking to get a CIFAS marker out on your credit file. This means any application for credit will have extra layers of ID required. It’s a not for profit organisation so gives a little bit more protection.

    cifas.org.uk

    Good luck, not a great situation to be in.

  4. #4
    I’d make sure you have two factor authentication on everything and new, strong passwords. As well as monitoring accounts very closely.

    You could sign up for credit monitoring/ID protection with one of the main credit rating companies. I’d expect the company to pay for that given they seem to have cocked up. You could also report them to the ICO if you felt inclined.

  5. #5
    Master brigant's Avatar
    Join Date
    Jun 2009
    Location
    Near the sea
    Posts
    1,552
    I'm a bit of a loss to understand why a recruitment site would want your NI number. That should be a very secure and personal bit of data that should not be handed out.

  6. #6
    It's a worry isn't it, check your banking and keep an eye on it all, myself yesterday had to cancel a CC and contact the fraud team due to 2 minor transactions (google play scam), getting money refunded and the card is cancelled and ordered a new one but I'm at a loss how it's happened, always away after getting done for £6K about 12 years ago over a weekend...

  7. #7
    Craftsman Linocut's Avatar
    Join Date
    Jun 2019
    Location
    north uk
    Posts
    705
    With my pension provider that information would allow you to access my account over the phone. Barely credible but true!



  8. #8
    Master
    Join Date
    Aug 2017
    Location
    London, UK
    Posts
    2,878
    When we had these incidents we always made an offer to pay for three years credit file monitoring for customers that were affected.

    I think that’s the minimum I’d be looking for.

  9. #9
    Master
    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,339
    Have they said they have reported the data breach to the ICO?

    Pete

  10. #10
    Grand Master Chris_in_the_UK's Avatar
    Join Date
    Nov 2004
    Location
    Norf Yorks
    Posts
    43,026
    Quote Originally Posted by joe narvey View Post
    When we had these incidents we always made an offer to pay for three years credit file monitoring for customers that were affected.

    I think that’s the minimum I’d be looking for.
    Is this a common occurrence (given you have a policy for it)?
    When you look long into an abyss, the abyss looks long into you.........

  11. #11
    Grand Master learningtofly's Avatar
    Join Date
    Jul 2010
    Location
    Everywhere & nowhere, baby
    Posts
    37,594
    Quote Originally Posted by badger1 View Post
    I’d be looking to get a CIFAS marker out on your credit file. This means any application for credit will have extra layers of ID required. It’s a not for profit organisation so gives a little bit more protection.

    cifas.org.uk

    Good luck, not a great situation to be in.
    I don't think I want a CIFAS marker against my name, thanks.

    Quote Originally Posted by hansblix2001 View Post
    I’d make sure you have two factor authentication on everything and new, strong passwords. As well as monitoring accounts very closely.

    You could sign up for credit monitoring/ID protection with one of the main credit rating companies. I’d expect the company to pay for that given they seem to have cocked up. You could also report them to the ICO if you felt inclined.
    Good point, thanks.

    Quote Originally Posted by Chris_in_the_UK View Post
    Not good Tony TBH.

    I have had e-mail details leaked in the past and other than spam stuff coming through it has been nothing more than a minor irritation.

    Given they have (potentially) leaked proof of address stuff - this will only leak to your current address?

    National Insurance info - specific to you but I get why it's a worry.

    Contact details - again, specific to you at your current address.

    I would be concerned if it was me, and I would be communicating my concerns, worries and suggesting to them that you would be referring the matter to the ICO.
    Yeah, not good.

    Quote Originally Posted by brigant View Post
    I'm a bit of a loss to understand why a recruitment site would want your NI number. That should be a very secure and personal bit of data that should not be handed out.
    It was an opportunity within the public sector, and there was a pre-interview vetting requirement. In hindsight...

    Quote Originally Posted by Martylaa View Post
    It's a worry isn't it, check your banking and keep an eye on it all, myself yesterday had to cancel a CC and contact the fraud team due to 2 minor transactions (google play scam), getting money refunded and the card is cancelled and ordered a new one but I'm at a loss how it's happened, always away after getting done for £6K about 12 years ago over a weekend...
    Yes, I need to give this some thought.

    Quote Originally Posted by Linocut View Post
    With my pension provider that information would allow you to access my account over the phone. Barely credible but true!


    Eeeek!

    Quote Originally Posted by joe narvey View Post
    When we had these incidents we always made an offer to pay for three years credit file monitoring for customers that were affected.

    I think that’s the minimum I’d be looking for.
    Thank you.

    Quote Originally Posted by ptcoll View Post
    Have they said they have reported the data breach to the ICO?

    Pete
    I'm about to ask.

  12. #12
    Master
    Join Date
    Aug 2017
    Location
    London, UK
    Posts
    2,878
    Quote Originally Posted by Chris_in_the_UK View Post
    Is this a common occurrence (given you have a policy for it)?
    We had millions of customers and an infrequent event such as a data compromise needed an incident plan. Yes, it happened more often than it should, sometimes because secure rubbish was dumped on a tip, sometimes a web server compromised and sometimes clients were victims to phishing attacks (where they may be considered to have contributed to the compromise).

  13. #13
    Master murkeywaters's Avatar
    Join Date
    May 2013
    Location
    Near the sea
    Posts
    7,131
    Probably Putin!

  14. #14
    Master
    Join Date
    Apr 2015
    Location
    Devon
    Posts
    5,136
    I posted about an experience I had last year and suggested everyone check their credit regularly. I think a similar thing must have happened to me as I'd had the odd email (from huge companies too) saying that there had been a data breach. They even applied for credit. I've linked the post:

    https://forum.tz-uk.com/showthread.p...cking-heads-up

    Almost every week someone on Facebook posts to say they've been hacked. My Instagram account was hacked two days ago. Somehow they have managed to change the email, back up email and phone number to one the hacker uses. I even went through facial recognition and that got accepted but by the time I'd logged in the hacker had got there quicker. Now I'm permanently locked out. A lot of people have reported it to Instagram so hopefully it will get blocked.

    The cheeky bast@rd has even emailed me asking if I want to buy the account back! There really is some thieving scum out there. I'm not going to let it get to me though as there isn't a lot I can do.

    I would suggest you change your passwords, join up free credit reports like Martin Lewis (Experian) and credit karma and just monitor things. Hopefully things will be fine as this list could have thousands on it and they won't even get to you, but just do what you can to safeguard yourself. All the best Stephen.

  15. #15
    Grand Master wileeeeeey's Avatar
    Join Date
    Jan 2017
    Location
    N/A
    Posts
    19,258
    Stephen for Instagram I think the main hack is someone convincing you to click on a link through a DM which instantly gives them control of your account somehow, probably from someone you know who was previously hacked/phished. Incredibly annoying I bet.

  16. #16
    Master
    Join Date
    Apr 2015
    Location
    Devon
    Posts
    5,136
    Quote Originally Posted by wileeeeeey View Post
    Stephen for Instagram I think the main hack is someone convincing you to click on a link through a DM which instantly gives them control of your account somehow, probably from someone you know who was previously hacked/phished. Incredibly annoying I bet.
    Yep Wiley, I think that's what it was. Someone I know well and previously had sent me things, but turned out this time they were hacked. Very annoying but it's done now and hopefully I'll be a bit wiser. Incredible how easy it is really.

  17. #17
    Grand Master learningtofly's Avatar
    Join Date
    Jul 2010
    Location
    Everywhere & nowhere, baby
    Posts
    37,594
    Just a quick update for those who took the trouble to respond to my question, but I've had some meaningful exchanges with the company concerned (a large recruitment consultancy specialising in public sector roles). The outcome is:

    1. Whilst I did provide my NI number I couldn't trace ever having sent them any kind of proof of address document. They confirmed that they weren't holding anything of that nature, despite their earlier suggestion to the contrary.
    2. They've agreed to 12 months of credit monitoring at their cost. I did ask for 3 years but accepted their offer as I didn't want to get involved in any kind of bargaining or disagreement with them.
    3. All of my data has now been deleted from their systems.

    They've already reported the breach to the ICO, and I guess the lesson learned for me is that, whilst sensitive data might be required in some circumstances, there's usually a pertinent/acceptable time in the process to provide it. In this case it was too early to be providing NI numbers and similar, so I'll be more aware of that in future.
    Last edited by learningtofly; 30th October 2022 at 12:08.
