Data breach my data on darkweb GDPR questions
Discussion
I was informed a few days back that my personal data, including my NI number, had been stolen and published on the dark web in a data breach. The organisation is an accountancy firm, so they had lots of my sensitive info. They knew of the breach in Jan / Feb this year but took 9 / 10 months to tell me. Also, I had not been a client of the organisation in question for 10 plus years; under GDPR I believe they should have deleted my details automatically at circa 7 years as an accountant?
I'm furious, as the breach now probably explains the massive increase in scammer activity I have been subjected to this year. At one point I was receiving calls daily, and also what appeared to be social engineering calls to get more info out of me.
I want to make a complaint, but I called the organisation and they just pointed me to the firm they employed to deal with it. Who can I make a more formal complaint of a GDPR breach to? I am furious.
PostHeads123 said:
I was informed a few days back that my personal data, including my NI number, had been stolen and published on the dark web in a data breach. The organisation is an accountancy firm, so they had lots of my sensitive info. They knew of the breach in Jan / Feb this year but took 9 / 10 months to tell me. Also, I had not been a client of the organisation in question for 10 plus years; under GDPR I believe they should have deleted my details automatically at circa 7 years as an accountant?
I'm furious, as the breach now probably explains the massive increase in scammer activity I have been subjected to this year. At one point I was receiving calls daily, and also what appeared to be social engineering calls to get more info out of me.
I want to make a complaint, but I called the organisation and they just pointed me to the firm they employed to deal with it. Who can I make a more formal complaint of a GDPR breach to? I am furious.
Sue them.
EmilA said:
The name begins with N and W? If so, I have also been affected by this.
Yeah, I'm furious over it. When were you told? I was only contacted yesterday, yet the breach was reported in Jan / Feb. I saw it at the time but thought nothing of it, as it's 10 years plus since I was a client, so my records would have been removed at circa 7 years, but obviously they weren't.
Yes, report to the ICO, who will determine how well they have followed processes. Companies can self-determine whether or not to report a breach to the ICO, but there are guidelines based on the scale of the breach and the nature of the data.
In any event, be prepared for the fact that punitive fines applied by the ICO are not common. They tend to take a “lessons learned” approach unless the company has been extremely negligent in data security AND failed to act/react appropriately to the breach.
I was just about to post on this very subject: an accountancy firm I used to use emailed me yesterday about a data breach, as OP describes, back in January. I stopped using them in August last year, so I'm not sure if they're in contravention of GDPR, as at the time of the breach I'd only left them around six months prior?
In terms of legal action (if one were to decide to explore that route), would that be a personal case against them as it was personal data that was breached, or would it be my limited company raising the case as the company was the client of the accountancy firm?
8bit said:
I was just about to post on this very subject: an accountancy firm I used to use emailed me yesterday about a data breach, as OP describes, back in January. I stopped using them in August last year, so I'm not sure if they're in contravention of GDPR, as at the time of the breach I'd only left them around six months prior?
In terms of legal action (if one were to decide to explore that route), would that be a personal case against them as it was personal data that was breached, or would it be my limited company raising the case as the company was the client of the accountancy firm?
Both. You, as a natural person, have data protection rights under GDPR. Their failure to protect your data (specifically with regard to Article 32 security obligations) is potentially actionable if they can be shown to have been negligent. They are also in breach of their notification obligations under Article 34, which requires them to inform you "without undue delay".
Your first port of call here is to complain to the ICO as mentioned by others. You do also have an individual right of action, although from the sounds of it there will probably be a class action suit. Note that recent precedent suggests you will need to demonstrate material harm in order to succeed in a legal action.
Your limited company can likely also pursue them for breach of contract, as their terms of engagement will include a duty of care and confidentiality undertakings. I am a data protection consultant, not a lawyer, so will add no more on this point.
As to the retention point, if you only ceased doing business with them six months ago this is less compelling. You could have an additional ground for complaint if you can show that they made insufficient efforts to remove or redact those parts of your files which they were not legally required to retain; this is an area in which almost all accountants and lawyers are deficient, their habit being to retain whole files and all correspondence where they should be more selective. The OP, however, is on firmer ground as there is little basis for them to retain them for longer than 6 years following the end of the financial year in which the relationship ended.
PostHeads123 said:
EmilA said:
The name begins with N and W? If so, I have also been affected by this.
Yeah, I'm furious over it. When were you told? I was only contacted yesterday, yet the breach was reported in Jan / Feb. I saw it at the time but thought nothing of it, as it's 10 years plus since I was a client, so my records would have been removed at circa 7 years, but obviously they weren't.
You had a good point about the 7 year mark. I haven't looked any further into it yet, but will keep an eye on this thread and see where it goes.
I assume when they detected the breach they contacted the ICO; they have 72 hours to do so once a breach has been identified?
With regards to data retention, there isn't a default deletion age, although SOX compliance from memory states a minimum of 6 years. Depending upon the organisation they could retain data (including voice data) for 25+ years, i.e. you could have a mortgage spanning 25 years and all data will be retained to cover this.
I assume they'll let you know once they have concluded what data has been accessed and followed process.
The time period between when it happened and identification is not surprising; most companies won't find out about a breach, on average, until 6 months after. Note the word average: industry vertical has a massive influence over that, shortening it or making it even longer.
That time is when scammers and unwelcome individuals, as you have experienced, utilise the data, and it has worth to them to exploit. Once the breach is in the public domain it becomes far less worthwhile.
I think you need to find out more about when they became aware of the breach as opposed to when the breach was; that might make the approach clearer.
Additionally, in most cases, as sort of flagged above, the ICO rarely actually properly fines companies.
The firm knew in Jan / Feb this year that it had happened but only told me on Dec 13th; it was also in the trade press in Jan / Feb but I didn't see it.
The ICO were not much help at all; they more or less said that now the info is out there they couldn't do anything, and to just monitor things.
Edited by PostHeads123 on Wednesday 14th December 18:22
PostHeads123 said:
The firm knew in Jan / Feb this year that it had happened but only told me on Dec 13th; it was also in the trade press in Jan / Feb but I didn't see it.
The ICO were not much help at all; they more or less said that now the info is out there they couldn't do anything, and to just monitor things.
The ICO cannot delete the data; that's not their remit, nor would it even be possible, unfortunately.
Sounds like the firm did the correct thing: if it was in the press they would have followed the correct process and ultimately worked with the ICO to provide a root cause analysis and demonstrate whether they have sufficient controls in place, i.e. access, authentication, monitoring and alerting etc. If the ICO deem they fell short of the appropriate controls then they will fine said firm accordingly.
As I said earlier, the firm has probably now completed a full investigation and identified the records and individuals affected and followed process to contact the affected parties.
Caddyshack said:
To be honest it is just part of modern life and I wouldn't get too het up over it. We (the public) have scam attacks all day long and most of the info in that breach can be found in many other ways.
If you really believe that, post your credit card numbers somewhere public. I'll run a stopwatch and we will see how long you hold that opinion.
CraigyMc said:
Caddyshack said:
To be honest it is just part of modern life and I wouldn't get too het up over it. We (the public) have scam attacks all day long and most of the info in that breach can be found in many other ways.
If you really believe that, post your credit card numbers somewhere public. I'll run a stopwatch and we will see how long you hold that opinion.
Deliberate advertising of your own data and a data breach are also another thing.
I also had notification of a data breach this month - name, address, contact details, social security number.
I've taken out protective registration with CIFAS - https://www.cifas.org.uk/pr - which in theory should make it harder for someone to use that data to set up a UK account using my details. The PR is showing up on my credit reports, so I imagine that it's in effect. I guess I should charge the leaky organisation the £25 fee that cost me.
mikef said:
I also had notification of a data breach this month - name, address, contact details, social security number.
I've taken out protective registration with CIFAS - https://www.cifas.org.uk/pr - which in theory should make it harder for someone to use that data to set up a UK account using my details. The PR is showing up on my credit reports, so I imagine that it's in effect. I guess I should charge the leaky organisation the £25 fee that cost me.
Yeah, I will do the same. I contacted the company responsible for the breach but they wouldn't talk to me; no replies to emails, so very annoying and not a good way to treat us. I will have to take their word that the details they listed were what they got, but I don't trust them now. I've had a couple of what seemed targeted scam calls trying to get other info out of me, and they knew a lot already, not the usual Amazon or "your debit/credit card" calls. I'm going to change my mobile number.