The Information Commissioner’s Office is investigating allegations that finance company Ffrees failed to inform affected customers after it suffered a data breach earlier this year.
Ffrees claims that it notified the Information Commissioner’s Office as well as all affected customers and also ran a dedicated support line.
Earlier this year, a white hat researcher discovered that finance company Ffrees had suffered a cyber attack that compromised sensitive details of thousands of customers. Following the discovery, the researcher contacted Ffrees and reported the exposure to the company.
According to The Register, the compromised customer details included physical addresses; 94,574 unique email addresses; phone numbers; dates of birth; driving licence numbers; more than 300,000 transaction logs; and passport numbers together with their expiry dates.
When the researcher notified Ffrees, he asked for confirmation that all affected customers had been told about the breach. All he was told was that “appropriate action has been taken”, which did not satisfy him.
To verify whether customers had actually been notified, the researcher collaborated with Have I Been Pwned? owner Troy Hunt. Loading the data into the site confirmed that the breach had taken place, but several Ffrees customers stated that they had never heard from Ffrees and were not aware of the breach until they found out on the site.
After the breach had taken place, Ffrees posted a vague notification on its website, confirming that certain personal and account information had been compromised. However, the notification did not mention that passport numbers, driving licence records and transaction data had also been exposed as a result of the breach.
‘The exposure involved information held by Ffrees between 2012 and early 2014. It included personal information and Ffrees account information for some accounts. A batch of Ffrees account passwords stored in an encrypted form were also accessed,’ the notification read.
The breach was also reported on MSE Forums in June, but that report stated that only full names, dates of birth and email addresses of customers had been compromised. Affected customers were asked to call a dedicated customer support line with any queries and to take the recommended precautions if they believed their identities had been stolen.
Even if Ffrees did not inform all affected customers, it probably did not break the law, since the current Data Protection Act does not require data controllers to notify affected individuals of a security breach or to disclose its scope to them.
Nevertheless, the Information Commissioner’s Office is investigating the incident. “We are aware of an incident involving Ffrees Family Finance Ltd and are looking into the details. All organisations have a duty under the Data Protection Act to keep people’s personal information safe and secure,” it said.
From next year, businesses and organisations that control customer data will have to report data breaches to the Information Commissioner’s Office within 72 hours of becoming aware of them, and to inform affected customers without undue delay where the breach is likely to put them at high risk. To comply with the provisions of the GDPR, the government will introduce a new data protection law that takes effect next year.
Under the new law, if a company fails to comply and a breach compromises customer data, the Information Commissioner’s Office will have the power to issue fines of up to £17m or 4% of the company’s global turnover, whichever is higher.
The upcoming law will also require companies to have a clear approach to data collection and storage, and to know where such data is held so that it can be deleted or amended whenever a customer requests it.
“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account,” said Digital Minister Matt Hancock.