
Where’s the consumer protection when data protection fails?

Data breach

Eight months after TalkTalk’s data breach, the Culture, Media and Sport Committee has published findings from its inquiry into cyber security and the protection of personal data.

The Committee heard from a range of experts and businesses, including TalkTalk’s Chief Executive Dido Harding, TechUK and the Information Commissioner on the growing threat of cyber-attacks on all businesses with an online platform or service.

And it seems businesses are found wanting. Worryingly, 90% of large companies have experienced a security breach, with 25% of companies experiencing a cyber-breach at least once a month. So it’s no surprise that consumers are increasingly concerned about data protection and cyber-security.

Data protection

The Institute of Customer Service said that over 1 in 4 people are most concerned that cyber-attacks might compromise their personal information and could result in a financial loss.

And our own research found that of the people we asked, half of them avoid using certain online services, apps and products for fear of being targeted by scammers.

Interestingly the Culture, Media and Sport Committee also received evidence from a number of individuals claiming to have fallen victim to scam calls, having been hounded by nuisance calls since their personal data had been leaked as a result of the data breach.

The problem is that when things go wrong the picture isn’t so rosy. The Committee noted that redress following a data breach is still too difficult.

In order to get compensation for damages, individuals may need to take legal action through a small claims court. This can be a long and costly process with no guarantee of success. And in some circumstances, if you fall victim to a data breach, there’s also no automatic right to terminate your contract early.

Instead, when your personal data has been leaked, you’re left exposed to scams and your trust in the company has diminished as a result of the hack, yet there’s not always a simple get-out clause. Early contract termination is usually at the gift of the company and governed by its original terms and conditions – often ones you won’t be aware of until it’s too late.

Next steps

So it’s positive that the Committee has acknowledged, interrogated and attempted to address these challenges – it recommended that more support and guidance should be offered to individuals to make a small claim for compensation, and that telecoms and mobile companies should provide clearer terms and conditions on the right to terminate a contract early.

But it still seems like it’s not enough. When there’s an industry-wide problem in facing the threat of cyber-attacks and hacks, why is it that consumers are still the ones facing the costs and consequences?

Comments
Member
duncan lucas says:

The problem for me is that all those companies use your data for financial gain, which allows hackers to infiltrate the systems for their own financial gain. It’s like MS and Windows: while controlling the system using back doors they also allow hackers to get into your computer. MS compensate for that by never-ending “updates”, but where are the updates for the telephone industry? It is worth mentioning that you will not hear about BT being hacked as their security is tight, although they would still email you or letter-box you with bumf; that doesn’t constitute BT’s system being hacked. And as termination of contract is still being mentioned, carrying over from the last Convo, it was made very plain to the public that to transfer to another company without the £30 cease charge when the contract is up the customer must get a MAC address/code to use for no charge to occur. This was publicised in the national press, so it wasn’t “hidden away” in the small print. All you need to do is call your current provider, yes that’s all that’s required to obtain one, and it should be provided in 5 days, and don’t cancel your contract as it might take two weeks to transfer; if your contract is still in force you could incur large costs.

Member

Virginmedia is a 0845 number

Member
Nas says:
21 June 2016

I recently became a victim of a scam whilst booking a holiday rental on the Homeaway.co.uk website. My details were compromised whilst making genuine queries about the availability of properties. The way I was scammed only suggests that it was an inside job and my personal details were used in order to advertise a fraudulent listing which met my exact criteria, enticing me to book and part with £1700. The company are being very arsy and not giving me an explanation of how this breach happened. They generalised it by saying that sometimes their website does become a victim of a fraudulent listing but this was very rare. That is not the case: Homeaway/Owners Direct have been having issues with these sorts of scams since 2010 and 6 years on their security is no better, and they still don’t accept any liability. The government needs to do something about companies like homeaway.co.uk and make them accountable; then maybe they’ll take the safety and security of their customers seriously.

Member
william says:

The ICO should be taken to task for using woolly words like “reasonable” in their guidance. Companies have to take reasonable steps. What I consider reasonable will be totally different from an IT director, and therein lies the problem.

Security breaches could be almost done away with if companies actually encrypted their data at source. Many hackers aren’t going to want to spend time hacking a system they can’t get the data from. But I imagine many companies haven’t done this due to the cost of not designing the system properly in the first place.

They could always force companies who have been breached to stop using overseas call centres; many TalkTalk scam phone calls have come from Asian call centres.

Member
Patrick Taylor says:

“And our own research found that of the people we asked, half of them avoid using certain online services, apps and products for fear of being targeted by scammers.”

Can you provide a link to the research please?

Member
malcolm r says:

I agree, and I would like to see the basis of the “research” that I believe is often subcontracted. I don’t recall ever having been asked to take part in such research despite being a Which? and Connect member for many years. Which? has 40,000 Connect members they could ask – a representative good size sample I would think.

What background information do they present to those surveyed? What questions are asked? I’d like to know. Some survey results come as a surprise: “In our survey of Which? campaign supporters over the weekend, 94% of nearly 30,000 people told us that car manufacturers are not being fair to UK consumers.” for example. Really?? Fair in what respect? I’d need some convincing, but the basis of the research would help.

Making organisations and companies pay when they are negligent in the way they hold and handle data will either result in it being seen as a business expense if it is too low or may incentivise them to invest in better security and discipline if it is pitched at the right level. Public bodies of course needn’t worry because the tax payer will fund it. I guess the problem will be proving negligence.

Member
Patrick Taylor says:

And how we really stick it to those who deal in personal details … NOT
medconfidential.org/2015/uks-largest-online-pharmacy-fined-130000-for-selling-patients-data-to-scammers/

You really really have to hand it to the ICO
ico.org.uk/media/action-weve-taken/mpns/1433030/pharmacy2u-ltd-monetary-penalty-notice.pdf

The amount paid was probably the reduced £104,000 and the executives get off scot-free. One person, possibly one whose details were sold, lost £16,000 to the Australian scammers.

Member
dieseltaylor says:
23 June 2016

I am faintly disturbed by the difference in emphasis in this article and what appears on the Government site. The request for jail sentences and a beefed-up ICO should be mentioned.

17 June 2016
The Culture, Media and Sport Committee publishes report recommending a new custodial sentence of up to two years for those convicted of unlawfully obtaining and selling personal data. It has also said the Information Commissioner’s Office (ICO) should also have a robust system of escalating fines at its disposal to sanction those who fail to report, prepare for or learn from data breaches.

The Chairman was fairly tough particularly in the last two paragraphs

“Chair’s comment – Jesse Norman MP, Chair of the Committee, said:

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.

As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.

They should now publish as much of the PWC investigation as commercially possible without delay, and set out exactly how they will implement any necessary changes. Everyone must take the lessons from the Talk Talk breaches as a wake-up call – both in how they prepare to prevent cyber-attacks, and in how they deal with their consumers when those attacks occur.”

Member
Patrick Taylor says:

arstechnica.com/security/2016/03/after-verizon-breach-1-5-million-customer-records-put-up-for-sale/

theregister.co.uk/2016/06/20/tmobile_czech_breach/

Just goes to show how well our data is secured. These are not highly dangerous breaches but for scammers they can provide enough details to be useful.

Member
Patrick Taylor says:

Ransomware with a new twist. And an additional password stealing attachment.

theregister.co.uk/2016/06/20/ransomware_scum_build_weapon_from_javascript/

Member
duncan lucas says:

The latest info is that 655,000 medical records of US medical insurance companies have been hacked and are up for sale on the Dark Web. So much for Cloud Storage; I warned against it months ago and that’s where our NHS records will end up.

Member
duncan lucas says:

Here is another major hack. Do you use DropBox? If so, on the 31-8-2016 – 68 million users’ data which had been hacked is up for sale on the dark web. All your data, not just a bit: passwords, telephone numbers, addresses, you name it, and people still wonder how scammers know all about them.

Member
duncan lucas says:

As nobody seems bothered with my hacking alerts on Which? I had to think carefully if I would post another one, but as I am not small-minded I will try again, but it might be my last. An alert has come in for users of Mac computers and Safari browsers as of 5-9-2016. Apple is trying to alert all possible forums about a critical security threat and urging them to update OS X and Safari – NOW! If you use OS X Yosemite / OS X El Capitan and Safari 9.1.3 you will be sent phishing emails etc. containing malware / SMS messages which when opened allow the virus in, logging everything you have. If you go to their websites using Safari you will be attacked with code that infects your system. Go to the App Store and click the UPDATE icon.

Member
Ian says:

Duncan: there is a total of one person in the world known to have been caught by this code flaw, exploited by an Israeli security firm and sold to Governments. It’s not new, either, but simply an extension of the Pegasus spyware discovered a couple of weeks ago. The only new fact is that the flaws have been discovered to affect Safari as well, and thus the potential vulnerability extends to all Apple kit. Fortunately, Apple’s excellent update service had already pushed the updates out several days ago, so things are now fixed. Until the next time, of course…