Arnold Clark data breach
Discussion
Gibby88 said:
It is crazy that any company still retains a customer's passport, driving licence and payment details, 4 years after the purchase.
Minimum is 6 years, although as a customer you can ask for your data to be deleted. I know of banks retaining data for much longer, 20+ years, in case there's a query over a mortgage etc. that was provided over that period.
MB140 said:
I hope Arnold Clark get bent over and reamed good and proper. No way should they be storing all that information for that long in the first place. Moreover why wasn’t it encrypted.
Where did it say it wasn't encrypted? The statement on website is the typically worded announcement, we have no idea on the security controls they have in place, clearly they have network security and probably a SIEM of some description, but we don't know if the data taken is encrypted at rest, and by what mechanism.
jeremyh1 said:
I don't even get the obsession with data and credit files.
Never bothered me and I am worried about you missing out on life nannying over these stupid things
Whilst I disagree with the "someone messed up therefore I'm going to try and get compo" attitude... When your data is leaked, the concern isn't that someone will look at it and think "Ooh, so Jeremy lives at 7 Acacia Avenue and owns a Ford, well I never". It's not a matter of privacy in the traditional sense. The concern is that very nasty people indeed will use that data to create a facsimile of your identity to obtain money that (until you can make it clear enough that it wasn't you) you are on the hook for. That money will be used in the traditional bank robber "retire somewhere sunny with no extradition agreement" sense in a few cases, but it will also be used to fund terrorism and as a sideline for the narcotic and people trafficking industries.
For us it's a modern day embuggerance that should only be worthy of compensation if you are directly affected. However the fines should be enough to make companies prick up their ears.
jeremyh1 said:
I think you lot and your modern day drama is a joke
You poor timid souls and your precious data
Please God I hope you show a bit more balls when the Russians attack!
I don't even get the obsession with data and credit files.
Never bothered me and I am worried about you missing out on life nannying over these stupid things
Never had debt collectors hound you for debt you had nothing to do with, have you? It's horrible having to fight your way through it to clear your name.
Give me the same details that AC leaked and I can have credit open in your name in minutes, and you wouldn't know anything about it.
It makes life complete misery, not the joke you play it down as.
jeremyh1 said:
I think you lot and your modern day drama is a joke
You poor timid souls and your precious data
Please God I hope you show a bit more balls when the Russians attack!
I don't even get the obsession with data and credit files.
Never bothered me and I am worried about you missing out on life nannying over these stupid things
The Walts and Misfits thread is missing you.
Baldchap said:
Companies have been and will continue to be hacked. You personally are ultimately responsible for your data security.
I think that last portion is a little unfair. You can change passwords and have managers etc. all in place, but if a company fails to adequately protect personal data what can you do? Bluntly nothing.
It puts you in a better position granted by having effective passwords not reused anywhere and MFA.
Equally, understanding where your data goes and your data rights are other elements to protection. But saying a person is ultimately responsible for your own personal data is a little strong. Protect it as best you can, but at the end of it companies you provide data to have a responsibility to protect it as well.
In regards to the ICO, the less said the better in some corners.
Ninja59 said:
Baldchap said:
Companies have been and will continue to be hacked. You personally are ultimately responsible for your data security.
I think that last portion is a little unfair. You can change passwords and have managers etc. all in place, but if a company fails to adequately protect personal data what can you do? Bluntly nothing. It puts you in a better position granted by having effective passwords not reused anywhere and MFA.
Equally, understanding where your data goes and your data rights are other elements to protection. But saying a person is ultimately responsible for your own personal data is a little strong. Protect it as best you can, but at the end of it companies you provide data to have a responsibility to protect it as well.
In regards to the ICO, the less said the better in some corners.
Freakuk said:
Where did it say it wasn't encrypted? The statement on website is the typically worded announcement, we have no idea on the security controls they have in place, clearly they have network security and probably a SIEM of some description, but we don't know if the data taken is encrypted at rest, and by what mechanism.
The various articles do say that a portion of the cleartext details have been leaked onto the dark web by the hackers. Of course this might just be made-up data to get AC to pay the hackers, but who knows. I work in a very similar industry to AC, in IT, and the approach to security by many of our competitors is quite shocking.
Freakuk said:
Gibby88 said:
It is crazy that any company still retains a customer's passport, driving licence and payment details, 4 years after the purchase.
Minimum is 6 years, although as a customer you can ask for your data to be deleted. I know of banks retaining data for much longer, 20+ years, in case there's a query over a mortgage etc. that was provided over that period.
I have no involvement, having never bought or considered a car from them, but if they have kept driving and passport details for that long I hope the ICO considers it as having infringed GDPR as *well* as the actual breach itself.
Fastdruid said:
Freakuk said:
Gibby88 said:
It is crazy that any company still retains a customer's passport, driving licence and payment details, 4 years after the purchase.
Minimum is 6 years, although as a customer you can ask for your data to be deleted. I know of banks retaining data for much longer, 20+ years, in case there's a query over a mortgage etc. that was provided over that period.
I have no involvement, having never bought or considered a car from them, but if they have kept driving and passport details for that long I hope the ICO considers it as having infringed GDPR as *well* as the actual breach itself.
"The UK GDPR does not dictate how long you should keep personal data. It is up to you to justify this, based on your purposes for processing. You are in the best position to judge how long you need it.
You must also be able to justify why you need to keep personal data in a form that permits identification of individuals. If you do not need to identify individuals, you should anonymise the data so that identification is no longer possible."
As I said, I know banks retain data for longer, i.e. if they sell a 25-year mortgage they will retain that data for 25 years whilst the mortgage is still being paid off. I would also make an assumption that they may retain that for a further 6-7 years after the policy has been completed, for reference.
jeremyh1 said:
I think you lot and your modern day drama is a joke
You poor timid souls and your precious data
Please God I hope you show a bit more balls when the Russians attack!
I don't even get the obsession with data and credit files.
Never bothered me and I am worried about you missing out on life nannying over these stupid things
What a bizarre post. Even for PH.
BuzzBravado said:
Never had debt collectors hound you for debt you had nothing to do with, have you? It's horrible having to fight your way through it to clear your name.
Give me the same details that AC leaked and I can have credit open in your name in minutes, and you wouldn't know anything about it.
It makes life complete misery, not the joke you play it down as.
Oh you poor little thing.
Did the man come and ask you for some money and hurt your feelings?
FFS
It's a delightful irony. One of the reasons that companies ask for and keep a lot of data is for the so-called KYC checks (to keep you safe, apparently).
Now that's all to do with money laundering, and the companies are so scared about being caught out and being fined that they ask for too much data and keep it for too long. It gets hacked and used for the very crime that is supposed to be prevented.
The very thing (badly) designed to stop crime actually facilitates and fuels it.
Baldchap said:
Gibby88 said:
I find the best approach is to use a unique password for every page then go through the process of forgetting it and resetting my password everytime I need in!
One way to prevent password propagation without forgetting every time is to start with a base password and modify it using the domain name. For example:
Ba5ePa55w0rd!
On Google:
GoBa5ePa55w0rd!
On Amazon:
AmBa5ePa55w0rd!
On PistonHeads:
PiBa5ePa55w0rd!
Obviously make it slightly less obvious than that, be as creative as you want/can, but using a system like this you can always calculate your password without using the same one for everything.
pablo said:
I know you mean well, but this is a pretty terrible idea in all honesty. Here's what the National Cyber Security Centre say; look for guidance on "three random words."
link
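To make the disagreement between the two posts above concrete, here is an added example (not code from any poster in this thread). It reproduces the "site prefix plus shared base" rule exactly as posted, runs the kind of similar-password audit a password manager performs over a constructed vault, reports which other sites are exposed if one entry leaks, and compares that with the entropy of a three-random-words passphrase drawn with a cryptographic random source. The vault contents, the tiny wordlist and the two-letter prefix rule in `site_prefix` are assumptions for illustration.

```python
"""Added example, not from the thread: audit a vault for the posted
'site prefix + shared base' scheme and compare it with three random words.
All names, vault entries and the wordlist are constructed for illustration."""
import math
import secrets
from collections import defaultdict


def site_prefix(domain: str) -> str:
    """The posted rule, taken as an assumption: first two letters of the
    site name, capitalised (google.com -> 'Go', amazon.co.uk -> 'Am')."""
    name = domain.lower().split(".")[0]
    return name[:2].capitalize()


def derive_site_password(base: str, domain: str) -> str:
    """Reproduce the scheme from the post: site prefix followed by the base."""
    return site_prefix(domain) + base


def audit_shared_base(vault: dict[str, str]) -> dict[str, list[str]]:
    """Group vault entries whose password is that site's own prefix followed
    by a remainder shared with other entries. This is the 'similar passwords'
    warning a password-manager audit raises: the prefix is computed from
    public information, so every entry in a group stands or falls together."""
    groups: dict[str, list[str]] = defaultdict(list)
    for domain, password in vault.items():
        prefix = site_prefix(domain)
        if password.startswith(prefix) and len(password) > len(prefix):
            groups[password[len(prefix):]].append(domain)
    return {base: sorted(d) for base, d in groups.items() if len(d) > 1}


def blast_radius(vault: dict[str, str], leaked_domain: str) -> list[str]:
    """Other sites whose password is exposed if leaked_domain's password
    leaks. Empty when the leaked password shares its base with nothing."""
    for domains in audit_shared_base(vault).values():
        if leaked_domain in domains:
            return [d for d in domains if d != leaked_domain]
    return []


def three_random_words(wordlist: list[str], n: int = 3, sep: str = "-") -> str:
    """Three-random-words passphrase using the OS CSPRNG via secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(n))


def passphrase_bits(wordlist_size: int, n: int = 3) -> float:
    """Entropy in bits of n words chosen uniformly from wordlist_size words."""
    return n * math.log2(wordlist_size)


# Constructed vault: three entries following the posted scheme plus one
# unrelated three-word passphrase.
SAMPLE_VAULT = {
    "google.com": derive_site_password("Ba5ePa55w0rd!", "google.com"),
    "amazon.co.uk": derive_site_password("Ba5ePa55w0rd!", "amazon.co.uk"),
    "pistonheads.com": derive_site_password("Ba5ePa55w0rd!", "pistonheads.com"),
    "example.org": "glacier-pencil-trombone",
}

# Constructed placeholder wordlist; a real list has thousands of entries.
SAMPLE_WORDLIST = ["glacier", "pencil", "trombone", "anvil",
                   "meadow", "copper", "lantern", "orbit"]


if __name__ == "__main__":
    for base, domains in audit_shared_base(SAMPLE_VAULT).items():
        print(f"shared base {base!r} across {domains}")
    print("leak of google.com also exposes:", blast_radius(SAMPLE_VAULT, "google.com"))
    # The prefix adds 0 secret bits per site: it is derived from the domain.
    print("three words from a 7776-word list:", round(passphrase_bits(7776), 1), "bits")
    print("sample passphrase:", three_random_words(SAMPLE_WORDLIST))
```

Running it shows the audit grouping all three scheme-derived entries under one base and a leak of any one of them exposing the other two, while the passphrase entry stands alone. The per-site prefix contributes no secret entropy because it is derived from the domain, which is the point behind the "three random words" guidance: each passphrase is independent, so one leak has a blast radius of one.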
Ultimately, you have to be practical and there's no perfect system. Problem with any random password is that people will and do forget them. MFA, fobs etc. improve things, but for some reason users don't like them as a rule. A text to your phone and a password is the easiest approach these days.
Fact of the matter is, if you limit password propagation you're 90% further down the path than 99.x% of web users out there. If you have a keylogger on your machine or phone that really is down to poor practices as a user, but again, by limiting propagation you limit the effects.
I'd have said use a password manager back when I was working in information security, but Lastpass were breached last year so even that can't be considered good practice these days.
Most hacks are still staff or connected parties. That's why good practice like limiting access only to what is required, ensuring no shared accounts are used, regular audits etc are very important.
I think a lot of you are missing how much large companies are targets for exactly these types of attacks. Think of all those websites that you saved your credit cards details on for future use. Things like supermarkets are prime targets.
Passwords are only one, relatively trivial, part of the problem, and would have little to no effect on the personal damage that could result from data breaches like this.