
Data breaches: will you back our call for redress?


We’re calling on the government to use the Data Protection Bill to give independent bodies the power to take action with collective redress. Will you back our call?

Yahoo revealed recently that it had been the victim of the largest data breach in history, with hackers able to gain access to information from up to three billion Yahoo accounts.

That’s nearly half the population of the world, and even though it’s likely that some individuals will own more than one of those accounts and many will be dormant, it will still be many hundreds of millions of people that are affected.

Just a couple of weeks ago we had the latest details of the ongoing Equifax breach: over 690,000 people’s phone numbers, email addresses, driving licence numbers, Equifax membership details and passwords had been compromised in a cyber-attack. That’s in addition to 14.5 million records where only names and dates of birth were exposed.

Equifax breach

Equifax has confirmed that it will be writing to all of the victims, assuming that it has up-to-date details. It will be offering free access to its identity protection service, Equifax Protect, to those who had their email addresses, driving licence number or online membership details compromised. Those who had their phone number accessed will be offered a leading identity monitoring service for free.

People are understandably concerned that when they hand their personal information over to a company, that company will keep it safe. However, as we’ve seen, this isn’t always the case.

If you were a victim of a serious data breach which meant your personal information was available for others to see, what would you do?

Data breaches

While the law is clear that you have the right to seek redress from the company that has lost or misused your data, actually getting redress is another matter.

In the first instance you could go to the company, but if the offer isn’t good enough or it doesn’t offer anything at all, where do you go?

You might expect there to be some sort of ombudsman or even the regulator to intervene on your behalf. But for victims of data breaches, the current system means the next step is to take the company to court yourself. For many, this would signal the end of any redress claim.

The fact that you need to go to court is a practical barrier, as understandably most are reluctant to become embroiled in a potentially lengthy and costly legal process.

And in some cases, you may not even know exactly where your data was lost and will struggle to build the evidence needed. In the case of Equifax, many of those affected will have no idea their data has been lost until the letter comes through the door. They may simply not recall using the service, or a credit check may have been run on them by a different company without their knowledge.

Collective redress

When there’s a data breach we believe people should have better ways to access their right to get redress.

Where a significant breach involving lots of people has taken place, we think the most appropriate way to get redress would be to allow independent organisations acting in the public interest to take action collectively on behalf of all people who have been affected.

Collective redress doesn’t just improve the process, but it also cuts costs and court time and makes it easier for businesses as all claims are dealt with at once. Companies that treat their customers fairly when things go wrong have absolutely nothing to fear and much to gain from an effective redress regime.

This collective redress action is something that we want the government to introduce for data breaches through the new Data Protection Bill. We want the government to amend the Bill to enable organisations, like Which?, to take action on behalf of all consumers.

We need evidence to support our call on the government. Have you suffered a data breach? Would you be prepared to take a company to court if your data had been lost?


Comments
Member

Well, the number of laptops containing important details and information left on trains and in taxis by civil servants in the MOD, DSS and many other government departments suggests little will ever be done about private companies.

And in a sense all your important data is already available: credit card information, addresses, ‘phone numbers – many companies already have this data and more and the government has all of it. While I believe it’s a good idea to develop the class action system here, I suspect the genie is long out of the bottle.

Member
Mark Gillan says:
4 November 2017

The genie can always be put back in the bottle, always … where there is a will, there is a way.

We pay for mistakes when it involves money, so should the corporates for not keeping our data safe enough. Surely they should be forced to take out insurance if they haven’t already.

Member
bishbut says:
12 October 2017

If you do not want your data breached or your computer stolen or hacked, just STOP using all modern technology and revert to what you had to do before the computer age. You could do that yourself, but the people (companies) will still store everything they get from you on a computer. They think and hope everything is secure, but many people (even a non-expert like me) know no modern technology is ever 100% secure. At the moment hackers etc. are still winning against those trying to make things 100% secure. Every new “secure” method is soon overcome by someone.

Member
ShellieToo says:
28 October 2017

Actually bishbut, even reverting to a pre-PC and internet age is not sufficient. In the case of Equifax and other credit check companies, they have astonishingly wide remit to collect and process your personal data without you even knowing it.

You have a contract with British Gas? Credit agencies know about it.
A bank account with anyone at all. Also in their database.
You own a car? Have a life insurance policy? A job, for that matter? All there.

That’s right: These private firms know exactly how much money you made last tax year. If you look for a new job, the HR department will insist on doing a credit check (relevant why?!?!), which will uncover all the above, if they pay enough money for it.

It’s all so discouraging. I could stop using the internet right now, turn in my smartphone, only trek across town to the one bank branch still open in my community so I can withdraw cash once a week to buy all my daily supplies, etc, and these data aggregators would *still* have a shocking amount of insight into who I am, how much I earn and what I do with my money. As Ian says above, the genie is long out of the bottle. Frankly I find it terrifying.

Member

All that, Shellie, and Equifax was hacked recently in the USA, and people wonder how their details are known. I remember fixing phones in two credit checking companies – well hidden, very tight security – and looking at their very old computers then, I could see they knew all about your finances.

Member

Unless your data is subsequently misused, you won’t suffer a loss. And how would you prove, given how many companies and institutions hold your personal data, that the particular one was responsible for any loss?

Redress / compensation is designed to cover a definable loss so simply giving money to individuals is not redress but a penalty charge. A universal charge of any substance on many companies might well bankrupt them, and on public institutions like the NHS or government departments would simply either come out of the taxpayer’s pocket or cut their services – to our general detriment.

How do you deal with companies outside our jurisdiction – social media companies for example where some willingly deposit far too much personal information?

I’d like to see companies that hold data encouraged to practice sensible security (if they do not already) but as bishbut says nothing is 100% – like bank scams. And perhaps individuals who take data out of their workplace and leave it on public transport might be dealt with more appropriately.

Member

I keep bringing this up to – again – complete avoidance. I get up-to-the-minute emails from America on it. I am fed up reiterating what I already posted, as I am told no expression of technical stuff here (yet others can do it), so I will keep it SIMPLE. Want to stop all this???? Then stop leaving back-doors in all our data which is sent to the USA, where it’s used by third parties and hackers have as easy a time hacking it all as they have Windows 10. Government snooping is rife in the UK/USA, but the UK is now worse than the USA with its draconian snooping policies, a new version just being introduced making us the number one country on the “Snooperbility” of Nations all-time greatest list. Remove back-doors, stop the snoopers/hackers (both the same). “Terrorists” – guess who paid for them in the first place, no not who you think, and now used as an excuse to condemn this country to having our internet restricted on political websites so you can only reach pro US/UK ones. Information Retrieval in action – 2017. As Bishbut rightly says – sticking plaster over cracks (but really enormous ravines).

Member

You have to hand it to the Americans. No 1 year later finding out about data breaches: I found a USA website specializing in medical breaches of patient data. No old data, this 12 October 2017 latest breach. Company called HealthIT Security (USA): Amazon S3 repository with 150,000 patients’ records + 316,363 weekly blood tests attempt (they haven’t admitted they were hacked); 5th October ransomware attack, Arkansas, this got through; and a long list of other attacks. But that’s not all: 73% of medical professionals share passwords for EHR access. The problem: OUR data is sent to the US and their servers. Another US good informational website lists not only Equifax but the Buckle breach in June, Cloud Pets breach, Arby’s breach, E-Sports Entertainment Association breach, Yahoo, FriendFinder Network breach, Kimpton Hotels + Restaurants breach, Cici’s breach, Omni Hotels + Resorts breach, and that’s only Page ONE. Many of you will not recognise them, but think on: if US websites are being hacked and we use US software and systems, no wonder the scammers know so much about us. For my critics I have many more non-disputable websites if you want. I really admire US informational honesty and freedom compared to the UK.

Member

Without redress there will be no improvement. Why shouldn’t a person be compensated by companies who do not apply a duty of care to data?

Member

Compensation covers definable loss. Other redress will be as goodwill or penalty charges. Our water supply was interrupted without the requisite 48 hours’ warning. Under their customer guarantee scheme we have £30 credited to our account, even though our loss was £1.50 for 4 bottles of water and the fuel to get to the shop.

Member

There needs to be serious jail-time for anyone caught stealing data. Buying and selling of personal data also needs to be made illegal with serious consequences and this should include anyone using stolen or bought data.

Member

The trouble with companies like Equifax, Experian et al is that they have somehow managed to get themselves appointed as the arbiters of our financial lives. I don’t recall them being voted for or even asking me if I wished them to be the final arbiter in a decision as to whether I can have a loan, credit card, mortgage etc. But of course when you apply for any of these products you have to agree to a credit search with these companies or you won’t get what you want.

Experian even charges to tell you whether your details are out there on the net for sale. What a wonderful wheeze: don’t worry too much about losing the data that you have so assiduously acquired, because if you lose it you can always charge us to find out whether we were one of the victims!

My wife had a completely false black mark on her credit score and, despite the company responsible for the information giving her written confirmation that they had it wrong and despite untold letters, emails and phone conversations, in the end the only way it was removed was by the five-year time limit being passed.

The FCA needs to come down on these organisations very hard indeed. If these companies want to exert that amount of power and control over our lives then they have to be absolutely beyond reproach and suffer serious financial penalties commensurate with their profits if they get it wrong, because hitting their bottom line is the only thing that these companies understand, as they appear to be completely amoral.

Member
xtopher says:
7 December 2017

Peter T, thank you very much for eloquently saying what I have been raging about these last few weeks; I too didn’t vote for Equifax, nor did they ask my permission. I want them to remove every digit of data about me because they are clearly (a) not fit for purpose, (b) operating with impunity. Damn them, I hope they are wiped off the face of the planet if the USA class action is successful.

Member
Ania says:
15 October 2017

Any company storing personal data should be liable for not keeping it secure enough. They have a duty of care and it is their responsibility to protect it, especially as for some this potentially means having their credit score severely affected.

Member
P Ducker says:
24 October 2017

It is your personal data; private companies should be liable for not keeping it secure enough. Also, what do the private companies want with so much personal data? To sell for a profit, which is wrong and completely amoral. MY DATA: KEEP IT PRIVATE AND SECURE.

Member
Sener says:
25 October 2017

It’s funny this has come up, because lately I have been really suspicious about eBay, Amazon, PayPal etc. sharing my personal information deceptively or without my permission or knowledge.

I suspect this because only just recently, say the last 2 to 3 years, every time I try to sign in to eBay, Amazon, PayPal etc. I am forced to “confirm my identity”, and within the next few days I receive spam and promotional messages and occasional cold calling to my personal contact details.

Bottom line, I suspect that these companies are manipulating their customers in order to share and sell their personal information to third parties without their knowledge, and if my suspicions are correct then it’s only a matter of time before I and others become the victims of financial fraud. This is very worrying, but I don’t know how to prove it, nor do I know what to do about it.

Online shopping is a necessity to my life and family, but if this is a matter of professional betrayal of trust to the consumer then something must be done.

Member

You are in a “catch 22” situation, Sener. If you are not willing to stop using those social media websites etc. then you can’t block them by normal means, as they all require full access to your details. If you did, they would not allow you to access their websites or would block you. When I use a browser with blockers all I can do is look at the web page; I can’t click on anything or in some cases even access the website. To be “cruelly honest”, I get near-daily accounts of all those being hacked, especially the social ones. Just visiting a website can give the owners and third parties your address or location plus your system details etc. The latest one is that on some you visit they use some of your CPU power for other uses, some illegal.

Member
T O’Brien says:
7 November 2017

I received a letter asking me to call on a free number. I called it and there was no tone. I thought I’d been scammed. I checked my credit report with another trusted supplier. No change. I then realised this was probably a cold call trying to get me to sign up to Equifax products. Beware these unscrupulous people.

Member

If you had held on, T, you might have been connected to a real person. It’s a computer that does the ringing. Some people seem to think it’s a minority that get bothered with those types of calls; not in my book. It’s way out of hand and time it was stopped dead in its tracks. Every organisation and their dog have reports on how it’s driving the British public mad; even HMG and the BBC have articles on it. If it was just one or two people they wouldn’t bother. Open Britain – open to severe annoyance from commercial companies, scammers and dubious “charities”.

Member
Theresa Mumford says:
8 November 2017

The UK Government is responsible for allowing Banks like Barclays to use external employees in India etc to run the bank in the UK. What were they thinking? Most phone calls that come to my landline are from abroad and they always want you to answer their marketing questions. They never give up calling and when you try to track their number it is always unavailable/ or withheld. How fair is that? Brexit should have happened before the privatisation of British Businesses even occurred, back in the 90s. Tony Blair’s government actually ruined everything, it made Britain vulnerable. It is too late now to correct anything because our details are all over the place, even our home addresses.

Member
Tina Conway Mrs says:
15 November 2017

I was sent a letter from Equifax and immediately contacted Crime Watchers, who in turn asked me to contact both my bankers and a company called Action Fraud. They tell me that they are fully aware of Equifax and were pleased they were informed by me. I am a pensioner living off my meagre pension.

They said that if any other pensioner receives mail from this company, Action Fraud would like to receive any information from them in the hope of stopping these people from trying to con others who are, like me, a pensioner or someone on a low income.

Member

I have got more info on Equifax. It’s well known about the breach, but do you know that Equifax is making money at the expense of your privacy? Fast Company writer Joel Winston reveals how SEVENTY THOUSAND companies know YOUR data, including Amazon, AT&T, Facebook, Microsoft, Oracle, Twitter and Wal-Mart, which actually PAY Equifax to reorganise, collect and RESELL their companies’ employees’ data, including personal income and work history. Read it all at: https://krebsonsecurity.com/2017/11/how-to-opt-out-of-equifax-revealing-your-salary-history Facebook owns Instagram and WhatsApp; see how this builds up to what I have been saying for ages – YOUR data is NOT safe in US hands and YOUR government okayed it being transferred to the USA over a year ago. Their servers control your data and by law only US citizens are covered for any breaches. Get it into your head: no matter how much you love the USA, when it comes to US law WE are foreigners. Read up on US information security. Globalisation at work – lovely, eh!

Member
John Taggart says:
29 November 2017

The ongoing data breach involving Equifax and its primary and secondary customers is a prime example of the utter lack of impact the ICO and the FCA have on such issues. 700,000 UK citizens confirmed as having serious data breaches, with the potential impact over 15M people. The breach was in May 17 at the latest and the ICO is still “asking” Equifax to inform the victims of their utter disregard for UK law. From the conversations I have had with the ICO and Equifax, they are in breach of a number of principles of the DPA, yet the ICO is doing nothing other than posting a pointless statement from an unidentified spokesperson – three paragraphs telling us they are monitoring the situation. Essentially, it looks like the data was held in the USA and, as the Data Controller is based in the USA, it is out of their jurisdiction. Whilst the USA take Equifax to task, we can’t even get them to inform the victims. The ICO is not fit for purpose, already telling businesses and fundraising sub-contractors that they can carry on with current breaches of the DPA even when GDPR is in play, and that if they get too many complaints about it they will simply give them advice and guidance on how to continue with the behaviour in a way that won’t result in legal prosecution. In the USA we have multi-billion $ class action lawsuits already commenced whilst the criminal investigation takes place. In the UK we have the ICO and FCA refusing to engage with or take information from the victims of Equifax, let alone actually represent the concerns of victims to Equifax. Class actions and lawsuits are the only way to force international and domestic businesses to get their data houses in order. Equifax are of course despicable in how they have dealt with UK citizens’ personal data.

However, what about all the banks, mobile phone companies, utilities companies, building societies, etc. that signed agreements with Equifax that allowed them to take UK citizens’ personal data over to the USA with a USA data controller, meaning it is outwith the jurisdiction of the ICO? Even now we have banks’ fraud departments advising people to contact Equifax and take up their offer of a free service that requires victims of Equifax to provide even more personal data to Equifax, who are still mid-criminal investigation. The ongoing treatment of the victims of Equifax, by Equifax, by the original data controllers that signed agreements with Equifax and by the ICO and the FCA is frankly disgusting. There should be a full UK criminal investigation. There should be an investigation into why banks, financial organisations, utilities companies, etc. signed agreements with Equifax without carrying out due diligence on how UK citizens’ data was being managed / protected. Any business that puts agreements with third parties in place that require the handling of personal data of UK citizens should be equally held liable for any data breaches in the partner companies’ systems. Only class actions and severe lawsuits will force companies to take consumer data protection seriously.

Member

I am not panicking. I notice that Equifax offer protection if you give them details of your credit card and bank accounts. Not likely. They’ve done enough damage already.

Member

I have just received my Equifax “breach letter” today, 24th January 2018, 9 months after the reported breach. As Jim above says, yes, they are now offering free Protection packages for those affected, but this involves giving even more personal information like bank account details, email adds, 6 years’ home addresses, mobile phone numbers, credit/debit card numbers! A hacker’s delight, all neatly rolled into one package. No thank you.