Tuesday, 20 November 2007

HMRC: UK's Biggest Data Breach Ever

The loss of two CDs holding 25 Million personal records by HMRC is the biggest data breach in UK history; it's almost half the population. The data lost included children's names, full addresses, dates of birth, National Insurance numbers and, where relevant, bank and building society account details.

How did this breach occur?
In October, a junior HMRC employee downloaded the entire HMRC database and placed all the data onto two CDs, then put the CDs in a Jiffy bag and stuck it in the internal post for the attention of NAO, who requested it. This package never arrived at the destination, NAO, so on finding out, the same junior HMRC employee downloaded the entire database and placed the data on CDs again, but this time sent it by recorded mail; this did arrive. The lost CD is described as password protected by HMRC, however I would like to make it very clear the data on the CD is NOT encrypted, and is therefore far from secure against being read, and I understand the password system can be easily defeated.

My first question here is that it shouldn't even be possible for any junior employee (or senior employee for that matter) to extract all of the data from the HMRC system; clearly there are no controls in place within the databases and IT systems at HMRC. I have also heard from a source that the IT systems at HMRC are a bit of a mess, which the lack of basic security controls confirms for me as fact.

My second question is over how the data was transferred. Clearly in this day and age there are many more secure and more cost effective methods of sending sensitive data to third parties; it's a completely unacceptable practice to send any sensitive information on unencrypted media, never mind 25 Million records. Clearly the junior employee doesn't even have basic information security awareness, which points to a lack of a security culture within HMRC, which I would have thought would have been a priority considering the sensitivity of the data held by HMRC.

Thirdly, HMRC are in clear breach of the Data Protection Act; will they get punished? Is it even worth considering fining them? As they are publicly operated, it would basically be fining yourself. So just where is the drive to improve information security within HMRC going to come from?

Finally, this isn't the first incident involving HMRC in recent times, are they investigating incidents and learning from the mistakes? Clearly I think not.

So typical records on the missing CD include a full name, full address, Date of Birth, National Insurance number, children's names and even full bank account details. In the wrong hands this information could literally ruin lives. I'll blog more about the risks and consequences of this information being used for identity theft tomorrow.

How does this incident affect me personally? Well, two weeks ago I got compromised with the missing CD sent by HMRC to Standard Life, and today I find that my wife's bank account and my children's details are compromised too, so a real clean sweep by HMRC in my household.

Shambolic HMRC loses yet another CD

It’s well documented on this blog how the UK Government department, Her Majesty's Revenue & Customs (HMRC), failed to protect my own and 15,000 others' personal information, losing a couriered unencrypted CD a couple of weeks back, and then there was the incident with an unencrypted HMRC laptop going missing a couple of weeks before that.

Now they have completed the hat-trick big time, this time losing a bunch of CDs holding 15 Million child benefit records, which I understand held names, addresses, dates of birth and bank account details for around 7 million British families.

Apparently the CD went missing after being couriered between HMRC headquarters in Washington, Tyne and Wear and London. Exactly when and how this happened isn’t clear yet, however ministers have known about the problem for 9 to 10 days. I understand another HMRC internal investigation is underway, while the police are still investigating.

So yet again the CD was sent unencrypted, and yet again I wish to highlight that there are more efficient, cheaper and more secure ways of sending personal data, as well as the totally unacceptable and irresponsible practice employed by HMRC.

So this time the HMRC chairman, Paul Gray, has resigned over this issue, and to quote him directly “I had hoped to be around for a while longer, and to have had the continuing privilege of leading HMRC towards the vision we have been developing. I am extremely proud of what all of you in the organisation have achieved during my time as deputy chairman and chairman."

The issue is being raised in parliament as I type, with Tory MP Nigel Evans saying "He should have told the public straight away in order that they could have taken precautions against anyone's information being used by ID fraudsters."

And for the Liberal Democrats, Chris Huhne told the BBC: "It is a horrendous problem; it's one of the biggest failures in a major government department that I can remember. It's an enormous delivery problem and I think that clearly that's been recognised by the head of HMRC when he resigned... I would be surprised if we did not see ministerial heads rolling as well."

I wouldn’t be surprised either. Meanwhile, with my own case with HMRC, I have written letters to my local MP, the Information Commissioner and the Minister responsible for data protection; I’ll report back any responses and further developments. Although I expect from this point on my issue will be completely overshadowed by this very significant incident, involving millions of people's records.

Monday, 19 November 2007

UK WiFi Theft is Rife

A recent UK survey by Sophos revealed 54% of those surveyed had used someone else’s wireless Internet access without permission. Many within the media are calling this practice “WiFi Piggybacking”, and I’ve even seen quotes from liberal academics backing the practice. In my view this is plain and simple WiFi Theft; it's wrong and it’s completely illegal in the UK.

The offence is under section 125 of the Communications Act 2003, which states that "a person who (a) dishonestly obtains an electronic communication service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence”. The maximum penalty is six months in jail and/or a fine of up to £5,000. There have been several prosecutions under this act. In fact I'm aware of the arrest of a 39-year-old man in August, who was spotted using his laptop in the street, accessing an unsecured WiFi connection within someone’s home in Chiswick, London.

I have heard some people say they don’t care if their neighbours use their WiFi for Internet access. Well, first of all, every UK ISP I have encountered has a clause within the contract which clearly states you aren’t allowed to share your WiFi Internet connection with your neighbours. Secondly, if you leave your WiFi broadband open, it gives anyone (even your neighbours) the ability to browse illegal and unsavoury websites, commit online fraud, download illegal movies, and even host illegal movies and unsavoury material. All of this activity is done in the name of the WiFi owner; some people still don’t realise that Internet usage is far from anonymous, and everything can be easily traced back via your ISP to you. So if someone uses your Internet bandwidth illegally, it will be your doorstep the authorities will darken. Thirdly, someone connecting to your WiFi connection can eavesdrop on your Internet activity, reading your Emails, building up a profile for identity theft and gathering any non-encrypted website usernames and passwords. Fourthly, many ISPs impose bandwidth limits, especially on the cheaper deals out there, so your Internet usage is quite literally a limited resource, and you certainly shouldn’t want others stealing and using it.

How many unsecured home WiFi connections are there in the UK? Well, the answer is that about 1 in 4 residential wireless routers are unsecured, according to Moneysupermarket.com, who commissioned an amateur hacker to test the quality of wireless security in the streets of Liverpool, Manchester and Chester earlier this year. About 88% of people secure their home PCs from the Internet with Anti-Virus and Firewalls, but it seems significant numbers are neglecting to secure their WiFi Routers. It’s possible for bad guys to compromise an unsecured WiFi router and bypass the security on the home PC, particularly if you think about the consequences of changing DNS settings and routing on the WiFi Router, so keeping the default WiFi Router name and password and leaving your WiFi unsecured isn’t such a great idea.

Friday, 9 November 2007

Frank Abagnale's advice to me Re:HMRC

I know all about the various methods and processes by which HMRC could have protected my private information, but now that my info could be in the wild and in the hands of bad guys, who better to give me some advice than Frank Abagnale? If you haven't heard of Frank, he's the guy the "Catch Me If You Can" movie was based on. After serving his time Frank provided consultancy to several banks, helping them to beat fraudsters, and he went on to be known and respected as a leading expert in Identity Theft. Here is his advice to me...

"Sorry that this happened to you.

Most of the time when identities are lost/stolen in this method, the people who steal the information sell it to a buyer who sits on it normally for about 2-3 years. Unlike stealing credit card data where the credit card issuer can cancel the cards, you can't change your name, date of birth, National Insurance Number/Social Security Number, etc. So the longer they sit on the information the more valuable it becomes to the buyer when he decides to become the seller.

I would recommend a service that is now available in Great Britain called PrivacyGuard (http://www.privacyguard.co.uk/). Over 6 million Americans use PrivacyGuard including myself. PrivacyGuard monitors all three credit bureaus and notifies their customers in real time by e-mail or text message (not by a letter) if someone is attempting to get credit or open an account in their name. Typically over here, when information has been lost by the fault of a company or government agency, they provide the potential victims the monitoring service for free for one year. I would demand three years to protect oneself thoroughly."

Interesting point about how bad guys sit on the info and sell it on down the line, I'm going to take his advice and check out PrivacyGuard and post what I find out next week. Still there's going to be a charge to use this service, I wonder if I should try and get HMRC to foot the bill?

Thursday, 8 November 2007

Lack of Data Disclosure Laws

Well I lodged a complaint about HMRC with the Information Commissioner today, basically the guys who enforce the Data Protection Act, as I am still far from happy about the bad practice which led to my personal details being lost by HMRC, the time it took for disclosure and then being misled about the data encryption of the CD. I'll post up the response when I get it.

Meanwhile I noticed my involvement with this was discussed on Martin McKeay's (and Rich Mogull's) excellent Network Security Podcast; by the way, I heartily recommend this podcast for anyone who is interested in learning more about Information Security and the latest topics within the field. One interesting point was made about the lack of disclosure laws we have in the UK compared to the US, which I have to say is true: we don't have any clear laws on breach disclosure within the public and private sectors, we rely on and trust companies' and organisations' ethics. I think it would have been a very dangerous game for HMRC to sweep such a data breach under the carpet, due to the importance of transparency placed on government and the UK media reaction etc.

So, we need to have clear breach disclosure laws in the UK, so I checked the Prime Minister's website to see if there was an online petition, and there was one, but it had closed at the end of October 2007, so I couldn't sign it.

"We the undersigned petition the Prime Minister to review existing data protection legislation and improve the reporting of information security breaches in the public and private sectors".

It was signed by 339 people. So perhaps I'll look into setting up and promoting another petition further down the line, well not unless this one proves successful! Actually perhaps I should try it the old fashioned way and lobby my local MP or the Minister responsible for Information Technology.

http://petitions.pm.gov.uk/fulldisclosure/

Wednesday, 7 November 2007

HMRC Data Breach CD was NOT Encrypted

I phoned HM Revenue & Customs (HMRC) again today to obtain further clarification on whether their missing CD was encrypted or not, as on Monday I was categorically told by a HMRC representative the CD was encrypted, although he couldn't say what type of encryption was used; in fact I repeated the question three times to be sure. After reading conflicting press reports about encryption of the CD, I decided to phone HMRC again today. This time I was told by HMRC the CD wasn't encrypted after all, so I was completely misled by them on Monday then.

This just goes from bad to worse.

And get this, I was then told not to worry as although the names were readable within the files on the CD, my National Insurance, Date of Birth and pension reference details would be "difficult" to read! In other words the data was in an unformatted state. I explained to the HMRC rep. that it was actually something to worry about, as it probably wouldn't take too long to render the "unformatted" data into a nice neat table of 15,000 records.

Just to recap the main point, this means NO ENCRYPTION was used on the CD (otherwise the names wouldn't be readable). It is a cardinal sin (and a crime?) to send people's personal data on a CD completely unprotected through public channels, i.e. the courier/post system. In this day and age there are many more secure (and cheaper) ways than posting people's details unprotected on CD media.

If HMRC think the data being a little hard to read is the equivalent of it being encrypted, well I'm afraid to say they really are in a bad state of affairs information security wise.
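The point above, that readable names mean no encryption and that "hard to read" is not protection, can be turned into a check run before any file leaves on removable media. This Python sketch is an added example, not part of the original post or any HMRC tooling; the fixed-width record layout, the thresholds and the simplified National Insurance number pattern are assumptions, and all sample data is constructed.

```python
import hashlib
import math
import re
from collections import Counter

# Simplified National Insurance number shape (assumption): two letters,
# six digits, suffix A-D. No word boundaries, so it also matches inside
# "unformatted" fixed-width records that have no delimiters.
NINO_SHAPE = re.compile(rb"[A-Z]{2}\d{6}[A-D]")
# Runs of 8 or more printable ASCII bytes, i.e. text a person can read.
READABLE_RUN = re.compile(rb"[ -~]{8,}")

ENTROPY_FLOOR = 7.5      # bits per byte; assumed threshold for this sketch
READABLE_CEILING = 0.05  # max share of bytes allowed inside readable runs


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def assess_export(data: bytes) -> dict:
    """Decide whether a file bound for removable media looks like plaintext."""
    readable = sum(len(run) for run in READABLE_RUN.findall(data))
    report = {
        "entropy": round(shannon_entropy(data), 2),
        "readable_share": round(readable / len(data), 3) if data else 0.0,
        "nino_like": len(NINO_SHAPE.findall(data)),
    }
    # Release only if nothing identifier-shaped or readable survives.
    report["release"] = (
        report["nino_like"] == 0
        and report["readable_share"] <= READABLE_CEILING
        and report["entropy"] >= ENTROPY_FLOOR
    )
    return report


def constructed_plain_export(rows: int = 200) -> bytes:
    """Constructed sample: fixed-width records, no delimiters, no headers."""
    out = bytearray()
    for i in range(rows):
        out += b"SURNAME%04d" % i          # placeholder name field
        out += b"QQ%06dC" % (100000 + i)   # placeholder NI number
        out += b"PLAN%08d" % i             # placeholder plan reference
    return bytes(out)


def constructed_ciphertext_standin(size: int = 8192) -> bytes:
    """Pseudo-random bytes standing in for real ciphertext (not encryption)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(size // 32))
    return b"".join(blocks)


if __name__ == "__main__":
    print("plain export :", assess_export(constructed_plain_export()))
    print("ciphertext   :", assess_export(constructed_ciphertext_standin()))
```

Compressed archives also score high on entropy, so a pass from this check shows only that nothing readable was found, not that the file was encrypted.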

I went on to ask whether anyone had issues with ID theft & unusual access to National Insurance records and was told none as yet, but since the victims (including me) are stuck with the same NI number, name and DoB for the rest of our lives, I guess there is plenty of time for that.

Monday, 5 November 2007

HMRC Data Breach Update - I'm vulnerable!

I'm vulnerable to Identity Theft thanks to HMRC Update

It turns out I’m one of 15,000 Standard Life customers to be at risk of fraud after personal details were lost by HM Revenue & Customs (HMRC).

I had confirmation in addition to the letter I received on Friday. The CD holding my info (including National Insurance Number, Date of Birth and info about my pension) was sent from the Revenue office in Newcastle to Standard Life’s HQ in Edinburgh, however the CD never arrived, apparently lost by the courier firm.

Also I heard a rumour that a second CD containing data on some customers from an unnamed second company has also gone missing, which if true might suggest something more sinister is afoot.

HMRC have been quoted as saying the incident happened at the end of September, a whole month before any notification, which isn't good as they should be notifying much quicker than that.

And on the data encryption front, HMRC won't say whether the information was encrypted or not "on security grounds" – to me that statement implies the data wasn't encrypted, however I called them up and spoke with an operator about this issue, and he said the data was encrypted, and can only be read by Standard Life and HMRC. Which begs the question, why aren't HMRC providing any assurance by stating this in the letter and in press releases? So I asked what type of encryption was used, but the HMRC call operator didn't know. Then I asked to speak with someone senior who could answer my questions; he said they wouldn't know either as they are still investigating the incident.

I’m still gathering further information, and I’ll post more details and my findings when I get more answers.

Friday, 2 November 2007

I'm vulnerable to Identity Theft - Thanks a lot HMRC

When I arrived home today I was greeted with a brown letter from Her Majesty's Revenue & Customs (HMRC). Did I owe them tax? No, much worse than that, HMRC have exposed me to Identity Theft big time, just less than a week after I posted up a guide on "Reducing your risk of ID fraud" too.
So here we have a top UK Government department which has dropped yours truly into serious risk of Identity Theft, through no fault of my own. To quote from the HMRC letter...

"At the end of September HMRC sent a CD to your pension provider, X (I've X'd them out as they're not the ones at fault) with your surname, national insurance number, date of birth and plan reference number included on it. We are very sorry to tell you that the CD was lost after it had been collected from HMRC by HMRC's external courier and before it was delivered to X. This means that there is a possibility that your personal data could be accessed by someone other than HMRC or X."

My blood is really boiling!
(I've had to go through this post and delete out all the swearing!)

1. It might be just a coincidence, but it’s a little bit convenient sending me such a letter to arrive on a Friday or Saturday, when the HMRC offices are closed over the weekend. I’m concerned and I want answers now!
2. ENCRYPTION - This is the biggy - Why the hell did they not encrypt the data on the CD?
3. In this day and age, there are plenty of better ways of sending such sensitive data in a completely secure manner, rather than couriering media around the place; have they ever heard of PGP and VPNs?
4. The Data Protection Act, have they broken the law?
5. How many other people's details were on that CD? I've not read anything about it in the press. Or how many other CDs have gone missing?
6. This breach occurred in September, it's November now…When exactly in September did it happen? How long before they knew the CD was missing? Why has it taken between 1 and 2 months to notify me?
7. Has the incident been investigated? What's the result of the investigation? Do HMRC recognise they have a security hole within their business processes? Has it been corrected?
8. Now my personal details could be in hands of bad guys, how are they going to protect me?
9. What steps should I be taking to protect myself now?

Answers to these questions and more when the HMRC offices open again on Monday morning, and I try to get some answers. I invite you all to join me in trying to hold the UK Government to account for this heinous breach of my (and possibly many others') personal data.

Thursday, 1 November 2007

Unclever but Lucky People!

I just happen to own the domain “Network-UK.com”, which I leased several years back as part of a project I was working on, which really didn’t get off the ground. Anyway, for several months now I have been receiving misdirected Email to this domain, almost on a daily basis now. The Email appears to be meant for a London based UK employment agency using a similar domain name, and is addressed to a variety of individual accounts at the domain rather than one. That in itself is kind of expected, however it’s the content of these misdirected Emails which really concerns me. Due to the way forwarding works to my inbox, I can’t instantly tell if an Email was forwarded or not, and on occasion within my preview panel I can see these Emails are about wages claims, and often include Full Names and Addresses, Bank Account numbers with Sort Code and bank name, Full Names and Phone numbers, National Insurance numbers, and even on occasion full colour scanned copies of passports! Which as we all know is a really unclever thing to send to anyone over Email.

Out of courtesy and concern I made several efforts to contact the intended email destination company in question, however so far I have had no replies. I can’t help but wonder whether they are encouraging their punters to send such sensitive details by Email in the first place, however lucky for those punters it’s me that receives their sensitive details and deletes them on receipt. It really goes to show that there are plenty of regular people out there who don't know how to be secure using the Internet.

It looks like I am going to have to put an Email auto-reply to all email received to this domain, as I really want to avoid receiving such sensitive details in the first place, however I would be interested if anyone had any advice to offer to me on this one!