
Apologetic emails don’t make up for losing our personal data


What is it with companies emailing people to say their details may have been stolen from a third party? We’ve had a handful of these in just a few weeks, but we want to see them doing more than simply ‘fessing up.

If you shop online, have an internet account with a bank or retailer and they confess that your details have been stolen by a third party, should this be an end to the matter? I don’t think so.

In the last few weeks I’ve heard numerous cases of people getting emails from the likes of Play, Santander, Trip Advisor and Lush along the lines of ‘we’ve discovered that an unauthorised third party has stolen part of our member email list…’.

Great, thanks for letting us know. You’re absolved. Not.

Companies such as these are clearly breaching the Data Protection Act. Plus, people who have opted out of third party online marketing are now at risk of their emails landing in the laps of any number of spam marketers – or worse.

Saying sorry isn’t good enough

Holding your hands up to a sloppy – and potentially unlawful – data breach is just not good enough. If I smashed into your car and just said sorry, I wouldn’t expect you or your insurer to forget the matter.

Yet it seems that the industry wants to confess and get absolution. In fact, all they’re probably doing is hoping to avoid getting blamed by the press by coming clean before their sloppy errors are leaked by someone else.

What they should be doing is controlling their customers’ data properly. Fine, we know hackers do get in – as Wikileaks highlighted with the likes of Visa, Mastercard and the Swedish Government.

But when these things do happen we’re left having to close email accounts, open new ones, let all our contacts know our new address – and, if our financial details have been seen, cancel all our cards and reapply for new ones.

Give us a ‘customer pledge’

So what should companies be doing in these circumstances? Here’s what Which?’s senior lawyer, Georgina Nelson, says:

‘These companies need to start taking it on the chin and manning up, rather than looking to blame it all on the hackers or an IT glitch ‘outside of their control’. The evidence is clear – their security has been flawed. So – what are they going to do about it?

‘The “sorry” emails should outline a ‘customer pledge’ – a pledge to carry out a privacy audit, a pledge to work with the regulator (the Information Commissioner’s Office), a pledge for compensation if the consumer has suffered a material loss and a pledge to provide them with meaningful advice on how to minimise the damage.’

Have you been receiving any emails like this, and are you concerned that your data’s going into the wrong hands? Personally, I’d feel a lot happier if the regulators took a stand against these companies that don’t seem to have any control over the highly personal data they hold.


As a customer of at least one of the companies in question, and a recipient of the email, what I find most confusing/alarming about the emails is the lack of clarity about whether MY email address has been affected. Emails I’ve seen are vague, just stating that ‘some’ customer names and email addresses have been compromised (or something similar), and that I ‘may’ see an increase in spam as a result.
Erm – so have they nicked my email address or not? I’m left with no clue about whether or not I should take action.

Kenward says:
29 March 2011

Every now and then I receive emails that show that someone has acquired one of my email addresses illegally. But because of the way I manage my email addresses, I know where the problem stems from.
I use a unique forwarding email address whenever I give someone an email address, including which?, e.g. which@something.mydomain.co.uk or play@something.mydomain.co.uk (something is the same for all the addresses). I NEVER send emails with these addresses. My domain host (1and1) has a catch-all facility, so I don’t need to set up individual email addresses for each. The catch-all entry then forwards all the emails to whichever real email address I choose. If I get an email to my, for example, which? email address but it’s not from which? then I can contact which? and let them know. Additionally I can then set up the compromised email address with 1and1 and get any emails forwarded to the source of the problem, e.g. which?, so they then get any further spam, not me! I can then give them a new forwarding email address (e.g. which2@something.mydomain.co.uk) if I so choose.
If I have to send an email to these ‘offending’ organisations, I use a proper email address that I treat as a send-only address. Please note, I haven’t had any junk/spam email to my which email address… so far!
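As an added illustration of the per-site alias scheme described in the comment above (this is not the commenter’s or Which?’s own code), the script below checks constructed mail headers against the sender each alias is expected to receive from, flags any alias that has been contacted by someone else, and picks the next replacement alias; the catch-all domain and the expected sender domains are assumptions.

```python
import re
from collections import defaultdict

ALIAS_DOMAIN = "something.mydomain.co.uk"  # assumed catch-all domain from the comment
# Sender domains legitimately allowed to write to each per-site alias (assumed).
EXPECTED = {"which": {"which.co.uk"}, "play": {"play.com"}}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def header_address(raw, name):
    """Extract the first address in header `name` from a minimal header block."""
    for line in raw.strip().splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == name:
            m = ADDR_RE.search(value.lower())
            return m.group(0) if m else None
    return None

def alias_label(addr):
    """'which@something.mydomain.co.uk' -> 'which'; None for non-alias addresses."""
    local, _, domain = addr.partition("@")
    return local if domain == ALIAS_DOMAIN else None

def find_leaks(messages):
    """Map each alias label to the unexpected sender domains that used it."""
    leaks = defaultdict(set)
    for raw in messages:
        sender, recipient = header_address(raw, "from"), header_address(raw, "to")
        if not sender or not recipient:
            continue
        label = alias_label(recipient)
        if label is None:
            continue  # mail to a real address, not one of the aliases
        sender_domain = sender.rpartition("@")[2]
        if sender_domain not in EXPECTED.get(label, set()):
            leaks[label].add(sender_domain)  # someone other than the site has the alias
    return dict(leaks)

def next_alias(label, existing):
    """Replacement alias once one leaks: which -> which2, then which3, ..."""
    n = 2
    while f"{label}{n}@{ALIAS_DOMAIN}" in existing:
        n += 1
    return f"{label}{n}@{ALIAS_DOMAIN}"

SAMPLE = [  # constructed messages, not real mail
    "From: news@which.co.uk\nTo: which@something.mydomain.co.uk\nSubject: offers",
    "From: promo@spam.example\nTo: play@something.mydomain.co.uk\nSubject: !!!",
    "From: orders@play.com\nTo: play@something.mydomain.co.uk\nSubject: your order",
]
```

Running `find_leaks(SAMPLE)` names only the `play` alias as leaked, since the one message from an unexpected domain went there.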

Nice! I do the same (but with an ordinary ISP email account).

I do get some spam from my addresses that were exclusively used at sites that I don’t expect to be particularly vigilant, like comparison sites, but once I receive the first few, I just filter them out by deleting at the server and I never see them.

However, since Nov. 2010, I have found that a much more vital site has leaked my email addy: Nationwide Building Soc. When I took it up with them, providing hard evidence, they would not even admit that they had been compromised on the basis that “it can’t happen because it has never happened in the past”. What sort of argument is that? They never even launched a proper investigation, other than go through the ineffectual steps of their Complaints Process.

So, I have now reported them to the Information Commissioner’s Office and eagerly await her investigation.

I have received one such email, since when I have been deluged with weird spam emails of a sort I never received before this problem was notified to me. I agree that apologies are not very useful in these circumstances – more action needs to be taken.

All companies conduct cost / risk vs benefit analysis.
As long as the cost of proper data control is high, but the cost of losing the data is low then companies will continue to adopt a make do and mend approach to data control.
Only when the Information Commissioner starts using significant fines as a penalty for breaches of customer data confidentiality will companies start to take notice.
Only when the downside of not having better systems in place outweighs the cost of these better systems will this impact the decision making process and change the outcome of the cost / risk vs benefit analysis to favour the customer more than the bottom line.

There needs to be some public flogging and that includes the HM Prison Service, the NHS and various banks that have lost millions of people’s details by their own inept and casual misuse of data that really was so obvious as to be criminal.

E.g. Bucks prison service lost a USB stick with prisoners’ data, encrypted yes, but the password was stuck on the front with sellotape on a post-it note.
Never recovered.

Louise says:
3 April 2011

I have also received one such email and have since started receiving spam emails. I have never received spam before and am disgusted that this security breach has occurred and that it would appear that the company can get away with just sending out an apology.

Attitude merely appears to reflect today’s – it doesn’t matter what goes wrong as long as you say sorry afterwards – society. Just look at the issues around the country’s highest paid footballer this last weekend and all in the name of so called passion.

In what name do these companies lose confidential data to third parties to provide their ‘excuse’?

Leakage of one’s email addresses is probably a fact of life if one wants to participate in online discussions, shopping etc.
OK, it should be minimised but it cannot be completely prevented.

The biggest risk as an individual is probably from friends and families who have a large number of email addresses stored in Contacts and old email folders. It only needs one of them to have a lapse in security for them all to be harvested.

Not sure why Which? think “Companies such as these are clearly breaching the Data Protection Act.” I am unaware of an absolute offence of the loss of an email address; I thought security had to be appropriate, not 100%. There is no way you can prevent an employee copying down email addresses if they want.

The cost/benefit analysis of businesses always works against security – it does not produce a profit. So the alternative I see is that everyone who has their e-mail addresses stolen by a hacking attack needs to be reimbursed, say £10–£25. This should make the cost/benefit equation about right.

This applies to commercial companies. I do not envisage it applying to clubs etc which may be quite small and without any financial information. They could be covered by the current position. However I have to admit when I reported a breach by Surrey Council the slap on the wrist seemed inappropriately light.