
What information was stolen in the LOQBOX data hack?

The information stolen in the LOQBOX data hack includes:

  • Customer names
  • Postal addresses
  • Dates of birth
  • Email addresses
  • Phone numbers
  • Two digits of the bank account number used to make payments to LOQBOX
  • Payment card expiry dates.

According to some reports, the first six and last four digits of customer card numbers may also be at risk[1]. This information is very valuable to cybercriminals. For example, the first six digits identify the financial provider. This information is often used in phishing scams (see more on this below).

LOQBOX funds have not been affected by this data breach.

What can cybercriminals do with this data?

LOQBOX states that “this information on its own cannot be used to access your bank accounts or other accounts”. However, the fintech does acknowledge that this data could be used for phishing scams.

What is phishing?

Phishing is where a fraudster poses as a legitimate organisation, your bank, the police, or someone else you trust to trick you into handing over sensitive information such as usernames and passwords.

Phishing scammers use emails, texts, websites, phone calls and social media to access your data, your computer, or your financial accounts. Their ultimate goal is to steal your money and/or personal information (to commit identity or financial fraud).

Typical phishing scams include:

  • Where fraudsters contact you posing as your bank to trick you into giving them sensitive financial data
  • Where fraudsters contact you posing as a company (e.g. LOQBOX) and encourage you to hand over sensitive information (e.g. passwords)
  • Where scammers send out an email with a fraudulent link. This email instructs you to click on a link which leads to a fake page that collects more of your sensitive data
  • Where you receive an email from a person or company you know and trust which includes your personal information and lures you into clicking on a malicious URL or email attachment.

You can find out more about Phishing here.

The full impact of the LOQBOX data hack is not yet known

Phishing scams can lead to your personal and sensitive data getting into the wrong hands. In the worst cases, this can lead to you falling victim to financial fraud and identity theft.

Having dealt with hundreds of different types of data breach cases, our solicitors have found that the full impact is often not felt until months after the initial violation.

The impact of a phishing scam can be devastating, and we have seen cases where the financial losses only start to occur three to six months later. This is often because the data stolen is used in batches over time.

What’s more, many clients involved in phishing cases go on to suffer from distress and/or psychological trauma as a result of having their details stolen and used in fraudulent activity.

Speaking about the possible consequences of the LOQBOX data hack, expert data protection solicitor Richard Forrest said: “At this stage, we cannot say with any certainty that the LOQBOX breach will not result in future fraud and financial loss. So, while LOQBOX might want to play this hack down, it must face up to its responsibilities and be held accountable for any data security failures that made the attack possible.”

Are you at risk because of the LOQBOX data hack?

If you are a LOQBOX customer, or if you have been a LOQBOX customer in the past, then you are affected by this cyber-attack. If you are in any way concerned you should contact the LOQBOX dedicated support team at help@loqbox.co.uk.

LOQBOX also works in partnership with a number of banks (e.g. Natwest, TSB and Monzo). Customers from these banks who use LOQBOX may have had their data stolen.

Make a LOQBOX data breach compensation claim

LOQBOX has told customers it is not currently offering compensation for the loss of personal data, although it did say it was “extremely sorry”.

However, at Hayes Connor Solicitors, we are considering launching a no-win, no-fee group litigation action to help compensate victims of the LOQBOX data hack. We can take on your claim on a no-win, no-fee basis.

To become part of our LOQBOX group action – and receive updates on what is happening in this case – we need you to register with us. This ensures that you will form part of any LOQBOX breach group action compensation claim lodged by us.

Our process is fully compliant with ICO guidance, there is no obligation to proceed, and we never put your details at risk.



[1] https://www.theregister.co.uk/2020/03/02/financial_startup_loqbox_data_breach/


You might be involved in the Equifax data breach but not know it

Equifax is the second-largest credit reference agency in the UK. But, in March 2017, a staggering data breach demonstrated how weak the company’s security processes were. This happened when the personal data of hundreds of millions of people was stolen from the credit reporting giant.

Luckily for Equifax, the breach happened pre-GDPR (General Data Protection Regulation). So, while the Information Commissioner’s Office (ICO) did fine Equifax £500,000 for its security failures, this punishment could have been much, much higher.

The fact that the Equifax data breach happened under old data protection laws has proved to be even more fortuitous for the company. Not least because Equifax didn’t have to adhere to newer, more stringent, consumer rights guidelines.

Equifax hasn’t informed everyone that was impacted by the data breach

Two sets of data were hacked. And, following the breach, Equifax wrote to 693,665 customers in the UK to confirm that they had their data stolen. Equifax also wrote to a further 167,431 UK consumers whose landline telephone numbers were already published in the public Phone Book and were accessed as part of the cyberattack. Many people who received this letter have since contacted Hayes Connor to claim Equifax data breach compensation.

But not everyone put at risk by the breach has been informed.

Today, in our post-GDPR world, companies must tell people if their personally identifiable data is involved in a security breach. But, before the GDPR was introduced on 25 May 2018, these businesses were only advised to do so.

Following its investigation into the Equifax data breach, the UK’s data privacy regulator (the ICO), said that millions of people in the UK could be affected by the hack. So, many victims will not have received a letter from Equifax to let them know that their data was put at risk.

Did you use an Equifax security product between 2015 and 2017?

Following investigations into the breach, it has come to light that anyone who used an Equifax security product between 2015 and 2017 could have had their data exposed.

But, if you haven’t had a letter, how can you find out if you were involved?

The good news is that Equifax knows exactly who was impacted by this breach. And it is legally required to tell you if your data was involved. The bad news is that you have to ask Equifax for this information.

Making an Equifax subject access request

In the UK, you have a legal right to find out if and how an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this information. This is called making a subject access request (SAR).  You can make a SAR to find out if your data was involved in a hack or breach.

The ICO has provided a handy template to help you to make a SAR.

However, sometimes, defendants like to swamp people with information in response to SARs. And this can make it very difficult to find the information required in the info supplied.

So, to make sure the process is as straightforward as possible, when you appoint Hayes Connor as your data protection lawyers, we’ll provide the exact wording needed to get the information you require from Equifax – and only this data.

Don’t let Equifax get away with it

Many failings by Equifax led to this breach being one of the largest disclosed. It is entirely down to this vast number of failings that the breach is so large and that the attack went undetected for so long.

In the US, a settlement required Equifax to pay $1.4 Billion into a fund to compensate affected consumers. And, if you live in the UK and were impacted by the Equifax data breach, we believe that you should also be compensated.

Register today to join our No-Win, No-Fee Equifax data breach

At Hayes Connor Solicitors, we know what it takes to make a successful compensation claim. In fact, we’ve been helping people to do just that for over 50 years. We also steer you through the aftermath of a data breach – minimising the impact on you as much as possible.

Crucially, our data protection breach solicitors are true experts in this type of law. Unlike other firms, it is all we do, and we have been doing it for longer than most.

In addition to our data protection solicitors, we also work with expert barristers to help us win our cases. So, we are confident that we have all the experience necessary to get the best possible result for you.

We are dealing with all Equifax data breach claims on a no-win, no-fee basis. This means that, if your claim is not successful, you won’t have to pay a penny.  What’s more, if your claim is successful, we expect to be paid by the offending party (Equifax). So, as well as providing no-win, no-fee funding arrangements, we won’t charge you a “success fee”. This means there are no solicitor’s fees win or lose.

There are strict time limits in place for making Equifax breach compensation claims, so it’s essential to act now.


Another Marriott data breach sees 5.2 million guest records stolen

In 2018, a huge data breach put 339 million Marriott International customers at risk. And, while you would think the hotel giant would have learned its lesson, this doesn’t seem to be the case. In fact, Marriott has confirmed that it has suffered another data breach – this time involving the personal information of 5.2 million guests.

In this breach, hackers obtained the login details of two employees, and broke into a Marriott franchise property system during mid-January.

What do we know about the latest Marriott data breach?

On Tuesday 31st March, Marriott announced that it was notifying some guests of a security incident involving an unspecified system at a franchise hotel. In a statement, the hotel chain said:

“At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.

“Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers”.

What data was exposed in the breach?

The following information may have been compromised in the hack, although Marriott states that not all of this information was present for every guest involved:

  • Contact details (e.g. name, mailing address, email address, and phone number)
  • Loyalty account information (e.g. account number and points balance, but not passwords)
  • Additional personal details (e.g. company, gender, and birthday day and month)
  • Partnerships and affiliations (e.g. linked airline loyalty programs and numbers)
  • Preferences (e.g. stay/room preferences and language preference)

Are you affected by the latest Marriott data hack?

Marriott believes that up to 5.2 million guests may have been affected. It will be sending these people an email to confirm their involvement. You might find this email in your spam folder.

Where to get help/further information

Marriott has set up a dedicated website and call centre resource to support victims of the data breach. The website can be accessed here

Marriott customers living in the UK who are concerned about the data breach should call 08003457018. The call centre will be staffed during ordinary business hours in the United States, 8:00am-8:00pm EDT Monday through Friday. Language support will be provided in English and French, and additional translation services will be available upon request.

Was financial information exposed?

Marriott says there is “no reason” to believe payment data was stolen. However, the information that is at risk could be used by cybercriminals to extract additional financial data. For example, fraudsters may pose as a legitimate organisation to trick victims into handing over sensitive information (phishing).

As such, anyone affected by this breach must take additional steps to protect themselves.

  • Contact your bank or credit card provider for advice on what to do. They will advise if any additional security measures should be implemented to protect your finances
  • Contact your bank or credit card provider immediately if you spot any unfamiliar transactions or suspicious activity
  • Keep an eye on your credit score for any unexpected dips and contact all the major credit reference agencies to ensure credit isn’t taken out in your name
  • Beware of emails with poor spelling and grammar. This is one of the most common signs that an email isn’t legitimate. However, phishing scammers are getting more sophisticated, and sometimes it’s almost impossible to tell a fake email from a real one
  • Roll over hypertext links (without clicking them) to see if the actual URL differs from the one displayed. You should also hover your mouse over the email address in the ‘from’ field to see if the website domain matches that of the organisation the email claims to be from
  • Always question uninvited approaches (calls, emails, texts, letters, etc.) that ask you for further information in case it’s a scam. Don’t assume a communication is authentic. Just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine. This also applies to any contact claiming to be from Marriott
  • Understand that a legitimate bank or other financial organisation will never contact you to ask for your PIN or full password, or ask you to move money to another account for fraud reasons
  • If you receive an email that looks in any way suspicious, never click to download the attachment, as it could be malware
  • If you are concerned that your data might be at risk, there are some steps you can take to stop the threat from escalating. For example, you could register with the Cifas protective registration service. You should also change your passwords and make sure your devices are protected by up-to-date internet security software
  • Be aware of common phishing techniques. For example, as well as those outlined above, if you receive an email informing you that you’ve won a prize (or the lottery) do not provide any personal information without checking that this is genuine. And do not respond to emails asking you to make a charitable donation. If you’d like to donate to a charity, do so by visiting their website directly.

If you are in any doubt, DO NOT click on any links, open any attachments or provide any information. Instead, you should go to the organisation’s website directly (not via the link provided in the communication) and contact them to make sure the email is legitimate.

Can you claim compensation following the Marriott data breach?

Yes. If an organisation breaches the Data Protection Act you have a right to claim compensation. Marriott carries cyber insurance, and the company says that it is working with its insurers to assess coverage. However, while it also says that it does not currently believe that its total costs related to this incident will be significant, it is far too early to say.

The impact of a data breach can be both long-lasting and significant. A data breach can result in financial and/or identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts. Furthermore, many victims go on to suffer from stress, anxiety and distress. And, according to Victim Support, the effects of crime can last for a long time.

To make matters worse, this isn’t the first time Marriott has been responsible for failing to protect its customers. Last year, the Information Commissioner’s Office (ICO) announced plans to fine the hotel group £99.2million for failing to secure its systems. And the regulator is unlikely to look favourably on a further breach.

Why choose Hayes Connor Solicitors?

At Hayes Connor Solicitors, we have the expertise to investigate the impact of such breaches. We also steer you through the aftermath of a data breach – minimising the impact on you as much as possible.

Crucially, our data protection breach solicitors are true experts in this type of law. Unlike other firms, it is all we do, and we have been doing it for longer than most.

In addition to our data protection solicitors, we also work with expert barristers to help us win our cases. So, we are confident that we have all the experience and know-how necessary to get the best possible result for you.

Our process is fully compliant with ICO guidance, and we never put your details at risk.


Hayes Connor moves forward with LOQBOX data breach group action

Hayes Connor Solicitors is pressing forward with its group action case against LOQBOX. This comes after LOQBOX contacted customers to let them know that the company had been hacked. As a result of the LOQBOX data breach, sensitive personal information may have been compromised – including financial data in some circumstances.

Issuing LOQBOX with an Early Notice of Claim, Hayes Connor hopes to enter into negotiations with the company, and settle its clients’ claims without them having to go to court.

LOQBOX data breach group action

Talking about the LOQBOX data breach group action, data protection expert and managing director at Hayes Connor Solicitors, Kingsley Hayes said:

“We have submitted the initial paperwork in our action against LOQBOX. This means issuing LOQBOX with an Early Notice of Claim on behalf of the many claimants who have registered with Hayes Connor in this case.

“While LOQBOX made it clear that a personal data breach took place, customers have been left with no more than the barest of information as to the true circumstances surrounding the loss of their data. And no sense of how this breach was allowed to happen and what has actually been done as a result.

“As a result, as well as letting LOQBOX know that we plan to start proceedings against the company, our letter also requests that LOQBOX provide us with evidence to establish how this breach was able to happen and an explanation of the response.

“The bottom line is that we are very serious about getting our clients the compensation they deserve.”

What will happen next?

Many defendants take an Early Notice of Claim very seriously. So, we hope that LOQBOX responds to our request to enter discussions and provides the details we have asked for. Regardless, LOQBOX’s response will dictate our next steps. We are fully prepared to take this matter further, and to litigation if needs be.

It’s not too late to join our LOQBOX data breach group action

A data breach is a serious failure, so if your personal information was involved in this violation, you might be able to make a LOQBOX compensation claim.

To become part of our LOQBOX group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us.

We can take on your claim on a no-win, no-fee basis.

Why choose Hayes Connor for your LOQBOX data breach claim?

At Hayes Connor Solicitors, we know what it takes to make a successful compensation claim. In fact, we’ve been helping people to do just that for over 50 years.

We also steer you through the aftermath of a data breach – minimising the impact on you as much as possible.

Crucially, at Hayes Connor, our data protection breach solicitors are true experts in this type of law. Unlike other firms, it is all we do, and we have been doing it for longer than most.

In addition to our data protection solicitors, we also work with expert barristers to help us win our cases. So, we are confident that our team will get the results you deserve. We have all the experience and know-how necessary to get the best possible result for you.

Our process is fully compliant with ICO guidance, and we never put your details at risk.

If you wish to be part of our LOQBOX data breach, please register using the link below. You will then be contacted by our office to advise of the next steps. There are no costs to join our group action and no obligation to proceed.

REGISTER


How do you know if you are affected by the Equifax data breach?

The Equifax data breach was announced in September 2017. Millions of consumers had their personal details put at risk in this huge data protection failure. As well as the breach of data of US citizens, a file containing 15.2m UK records dating from between 2011 and 2016 was also attacked.

The sensitivity of the personal information held by Equifax makes this breach one of the most severe data protection contraventions reported to date. And, since the privacy violation, Hayes Connor has been contacted by many people – all of whom are worried that they might be affected.

But how can you find out if your details were included in the Equifax data breach?

If you have had a letter from Equifax

Equifax has written to 693,665 UK customers confirming that they have had their data breached.

In addition, Equifax also wrote to a further 167,431 UK consumers whose landline telephone numbers were already published in the public Phone Book and were accessed as part of the cyberattack.

If you are one of the people who have received such a letter, you can now make a claim for Equifax data breach compensation.

If you have not had a letter from Equifax

Following an investigation into the Equifax data breach, the UK’s data privacy regulator (the ICO), said that around 15 million people in the UK could be affected by the hack. So, many victims will not have received a letter from Equifax.

If you think that you have been involved in the Equifax data breach, but you haven’t received a letter, you can still claim against Equifax. However, we would need to find other evidence to show how the hack affected you.

You can also ask Equifax if your data was involved in the data privacy hack.

What evidence do you need to make an Equifax data breach claim?

To make the strongest possible claim on your behalf, we always ask for evidence to support your claim. We will ask for this whether or not you have a letter from Equifax. This could include things like:

  • Evidence that you have received a letter from Equifax saying your details have been affected (where you have this)
  • Evidence of any financial losses, distress, and/or inconvenience you have suffered as a result of the data breach. For example:
    • Bank statements
    • Correspondence (letters, emails, etc.) with banks, credit card providers, credit reference agencies, etc.
    • Credit score reports (with dates of any dips)
    • Details about medical appointments/prescriptions that relate to this data breach (e.g. due to distress/stress)
    • Evidence of any fraudulent transactions, fraud attempts, alerts, cancelled cards that relate specifically to the card details breached
    • Evidence of increased spam
  • Anything else that may be relevant to support your claim

We would also seek confirmation that, as far as you are aware, your information was not put at risk by another data breach.

Register today to join our No-Win, No-Fee Equifax data breach

At Hayes Connor Solicitors, we know what it takes to make a successful compensation claim. In fact, we’ve been helping people to do just that for over 50 years. We also steer you through the aftermath of a data breach – minimising the impact on you as much as possible.

We are dealing with all Equifax data breach claims on a no-win, no-fee basis. This means that, if your claim is not successful, you won’t have to pay a penny.  What’s more, if your claim is successful, we expect to be paid by the offending party (Equifax). So, as well as providing no-win, no-fee funding arrangements, we won’t charge you a “success fee”. This means there are no solicitor’s fees win or lose.

There are strict time limits in place for making Equifax breach compensation claims, so it’s important to act now.


What are the data protection experts saying about the LOQBOX breach?

Since the LOQBOX breach was made public, the data protection experts at Hayes Connor have been contacted by many LOQBOX customers, most of whom are concerned that they are now at risk of financial fraud, phishing attacks and further privacy violations.

So far, the details about what happened in the LOQBOX breach remain scarce. So, it’s hard to say with certainty what the long-term impact of this hack will be. But, by using their unique experience and understanding of what can happen following a data privacy infringement, our cybersecurity solicitors share their thoughts on the possible consequences.

Richard Forrest, data protection solicitor, Hayes Connor Solicitors

“Over the past few weeks, I’ve been contacted by many LOQBOX customers who have had their personally identifiable information breached. Understandably, the one thing that most of them share is that they are now suffering a high degree of stress and anxiety.

“When a hack occurs, people often worry about their finances. And, as the LOQBOX breach includes some degree of financial information, it’s only natural that people will be concerned. LOQBOX has even admitted that, while the data exposed in the breach cannot be used on its own to access a person’s bank account, it could be used for phishing scams.

“The bottom line is that, despite assurances from LOQBOX, we cannot say with any certainty that the breach will not result in future fraud and financial loss. And, without that certainty, people will be subject to increased levels of stress and apprehension.

“Even if the customers involved in the LOQBOX breach never have anything else stolen from them (other than their private data), the sheer worry about what might happen can be debilitating. Of course, everyone reacts differently, but for some people, the effects of a data breach can include a lack of sleep, feeling ill, unsettled or confused. I’ve seen situations where the level of stress suffered after a privacy violation has affected a person’s relationships with their friends and family, and even their ability to do their job. So, while LOQBOX might want to play this hack down, it must face up to its responsibilities and be held accountable for any data security failures that made the attack possible.”

Kingsley Hayes, managing director, Hayes Connor Solicitors

“Despite the increased risk to customers following the hack – a risk that has been acknowledged by LOQBOX – it took over a week before many people found out that their data had been breached.

LOQBOX said that it wanted to let people know sooner. But it felt doing so would have been irresponsible because, without knowing more, LOQBOX would not have been able to advise customers on what measures they should take to protect themselves.

“At Hayes Connor, we would question this decision. Our experience is that any delay in contacting victims of a data breach immediately places people at increased risk of fraud and causes more long-term distress.

“Furthermore, LOQBOX themselves state that they have bank-level security in their marketing material. There are significant questions to ask about that security if that is indeed the case given the breach that occurred.”

Customers are at risk following the LOQBOX breach

A huge amount of personal and highly sensitive data was accessed during the LOQBOX data hack. And the damage that could be caused should this fall into the wrong hands should not be underestimated.

If your info has been exposed, our expert data protection solicitors recommend that you follow these tips on how to spot phishing attacks and prevent cybercriminals from causing more damage:

  1. Contact your bank or credit card provider for advice on what to do. They will advise if any additional security measures should be implemented to protect your finances
  2. Contact your bank or credit card provider immediately if you spot any unfamiliar transactions or suspicious activity
  3. Keep an eye on your credit score for any unexpected dips and contact all the major credit reference agencies to ensure credit isn’t taken out in your name
  4. Beware of emails and websites with poor spelling and grammar. This is one of the most common signs that an email/site isn’t legitimate. However, phishing scammers are getting more sophisticated, and sometimes it’s almost impossible to tell a fake email/site from a real one
  5. Roll over hypertext links (without clicking them) to see if the actual URL differs from the one displayed. You should also hover your mouse over the email address in the ‘from’ field to see if the website domain matches that of the organisation the email claims to be from
  6. Always question uninvited approaches (calls, emails, texts, letters, etc.) that ask you for further information in case it’s a scam. Don’t assume a communication is authentic. Just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine. This also applies to any contact claiming to be from LOQBOX
  7. Understand that a legitimate bank or other financial organisation will never contact you to ask for your PIN or full password, or ask you to move money to another account for fraud reasons
  8. If you receive an email that looks in any way suspicious, never click to download the attachment, as it could be malware
  9. If you are concerned that your data might be at risk, there are some steps you can take to stop the threat from escalating. For example, you could register with the Cifas protective registration service. You should also change your passwords and make sure your devices are protected by up-to-date internet security software
  10. Be aware of common phishing techniques. For example, as well as those outlined above, if you receive an email informing you that you’ve won a prize (or the lottery) do not provide any personal information without checking that this is genuine. And do not respond to emails asking you to make a charitable donation. If you’d like to donate to a charity, do so by visiting their website directly.

If you are in any doubt, DO NOT click on any links, open any attachments or provide any information. Instead, you should go to the organisation’s website directly (not via the link provided in the communication) and contact them to make sure the email is legitimate.

Making a LOQBOX breach compensation claim

At Hayes Connor Solicitors, our data protection breach solicitors are true experts in this type of law. Unlike other firms, it is all we do, and we have been doing it for longer than most. As such, we have all the experience and know-how necessary to get the best possible result for you.

We are watching this case with interest and are considering launching a no-win, no-fee group litigation action.

To become part of our LOQBOX group action – and receive updates on what is happening in this case – we need you to register with us. This ensures that you will form part of any LOQBOX breach group action compensation claim lodged by us.

Our process is fully compliant with ICO guidance, there is no obligation to proceed, and we never put your details at risk.


2019 data breach timeline

Scrutinising the data protection landscape, here are some of the bigger data breaches and developments that occurred over the last 12 months.


Virgin Media data breach links customers to porn

Last week, Virgin Media admitted that a data security issue at the company put the personal information of 900,000 people at risk. Initially, Virgin Media said that the information exposed in this breach included contact details (such as name, home and email address and phone numbers), technical and product information, and any requests you may have made to Virgin using forms on its website. It also said that in a very small number of cases, the breach included dates of birth.

However, what the company did not make clear when it informed customers about the Virgin Media data breach was that the unsecured data also contained details linking some customers to pornography and explicit websites.

The Virgin Media data breach could be used by cyber-criminals to extort victims

Virgin Media has confirmed that the database at the centre of the data breach contained details of customers who had used an online form to ask for a particular website to be blocked or unblocked. In many cases, these requests related to pornography.

This admission came after researchers at cyber-security firm TurgenSec – which found the database – raised concerns the breach involved more confidential details than Virgin was admitting to.

It is thought that about 1,100 people might have had this sensitive and intimate data breached, and there are fears that it could be used by cyber-criminals to extort money from victims.

Are you at risk of cyber extortion?

Virgin Media believes that the database was accessed on at least one occasion. But it does not yet know the extent of the access. Or how/if any information was used. So, people affected by this breach are right to be worried.

Speaking about the potential impact, our MD and expert data protection solicitor Kingsley Hayes said:

“This data was left in plain text, unencrypted, exposed and waiting to be found for ten months. That in itself is a serious data security failure. Anyone could have stumbled across this information and downloaded it. So, rather than a complicated break-in, it is as if Virgin Media left the door open.

“Furthermore, while no financial data has been accessed, if this information has fallen into the wrong hands, cyber-criminals may very well use it to go on and commit further offences. Given the sensitive nature of this particular data, many Virgin Media customers could now be a target for extortion attempts.”

Following the initial email, warning all 900,000 people that their details had been exposed, Virgin Media has said that it is now in the process of contacting customers about specific data that may have been stolen.

Did Virgin Media lie?

Technically, no. In the initial email to customers, Virgin Media did admit that “any requests you may have made to us using forms on our website” may have been affected. However, by not making it clear what this data might involve, it could be argued that Virgin Media was trying to conceal the real details.

Upholding your data privacy rights

Hayes Connor Solicitors is a law firm operating in the data breach and protection sector. We help our clients to claim data breach compensation following data protection violations, GDPR breaches and other cyber offences.

Our firm has established itself as the leading niche provider of legal services in this area. A relatively new and evolving area of law, this is all we do. Consequently, we have become a specialist in data protection law and data breach compensation claims, and we lead our field when it comes to understanding the complexities involved. This means you get the very best level of legal support available.

With all the experience and expertise needed to win against even the biggest of companies, we work with you to protect your rights and hold organisations to account for their failures.

To find out if you can make a data breach compensation claim against Virgin Media, register with us. We will keep you updated about any developments in this case and let you know if you can make a claim.


LOQBOX data breach. What do we know so far?

Fintech startup LOQBOX – a company that helps people to improve their credit ratings – has suffered a cyber-attack. At Hayes Connor, we have been contacted by many LOQBOX users, concerned that their data is now in the hands of criminals. The full details of what happened in the LOQBOX data breach will emerge over time, but what do we know about this data privacy failure so far?

When did the LOQBOX data breach happen?

The cyber-attack on the LOQBOX computer system took place on 20th February 2020.

What data was accessed in the LOQBOX data hack?

The information accessed in the LOQBOX data hack includes:

  • Customer names
  • Postal addresses
  • Dates of birth
  • Email addresses
  • Phone numbers
  • Two digits of the bank account number used to make payments to LOQBOX
  • Payment card expiry dates.

According to some reports, the first six and last four digits of customer card numbers may also be at risk[1]. This information is very valuable to cybercriminals. For example, the first six digits identify the financial provider. This information is often used in phishing scams (see more on this below).

LOQBOX funds have not been affected by this data breach.

Who is affected by the LOQBOX data breach?

If you are a LOQBOX customer, or if you have been a LOQBOX customer in the past, then you are affected by this cyber-attack. If you are in any way concerned you should contact the LOQBOX dedicated support team at help@loqbox.co.uk.

LOQBOX also works in partnership with a number of banks (e.g. Natwest, TSB and Monzo). Customers from these banks who use LOQBOX may have had their data stolen.

What can cybercriminals do with this data?

The damage that could be caused should this information fall into the wrong hands should not be underestimated. Indeed, while LOQBOX states that “this information on its own cannot be used to access your bank accounts or other accounts”, it does acknowledge that this data could be used for phishing scams.

Phishing is where a fraudster poses as a legitimate organisation, your bank, the police, or someone else you trust to trick you into handing over sensitive information such as usernames and passwords. Phishing scammers use emails, texts, websites, phone calls and social media to access your data, your computer, or your financial accounts. Phishing is a serious crime, and victims can suffer both financial loss and distress.

You can find out more about Phishing here.

How did LOQBOX react to the data breach?

The company has taken additional steps to improve the defences of the LOQBOX computer system. And it is liaising with the relevant regulators – the FCA (Financial Conduct Authority) and the ICO (Information Commissioner’s Office). It has also reported the incident to the police.

Following the attack, LOQBOX also contacted customers to let them know that the company had been hacked and that as a result, some of their personal information may have been compromised. However, there was a delay in doing this and it took over a week before many people found out that their data was at increased risk.

In its defence, LOQBOX said that it could not contact users and let them know about the hack until it knew more about how people had been affected. But, in our experience, any delay in contacting customers (and former customers) places these individuals at increased risk of fraud and causes more long-term distress.

Can you claim compensation for the LOQBOX data breach?

LOQBOX has told customers it is not currently offering compensation for the loss of personal data. Although it did say it was “extremely sorry”.

However, at Hayes Connor Solicitors, we are watching this case with interest, and, if LOQBOX has failed to protect its customers, we will launch a no-win, no-fee group litigation action. We can take on your claim on a no-win, no-fee basis.

We have already been contacted by people concerned that LOQBOX has breached their data, all of whom are understandably upset and anxious about the breach. To become part of our LOQBOX group action, we need you to register with us. This guarantees that you will form part of the group action compensation claims that will be lodged by us.


What can you claim compensation for?

You do not need to have suffered any financial loss or emotional distress to claim against LOQBOX. If you have suffered a privacy violation caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. So, should personal data be found to be compromised, customers can claim for:

  • Financial losses. A data breach can lead to both financial and/or identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts
  • Distress. Being the victim of a crime can have a significant impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job
  • Loss of privacy. You can claim for any loss of privacy suffered as a result of a data breach (e.g. having an email address stolen).

What is a group action?

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions or multi-party actions.

With a group action claim, this group of people (the Claimants) collectively bring their cases to court against a Defendant (in this case, LOQBOX). These victims then fight together to achieve compensation in the High Court of Justice.

Where cases are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim.

How can you protect yourself following the LOQBOX data breach?

Follow these tips on how to spot phishing attacks and prevent cybercriminals from stealing your information.

  1. Contact your bank or credit card provider for advice on what to do. They will advise if any additional security measures should be implemented to protect your finances. This may include organising a replacement bank card
  2. Contact your bank or credit card provider immediately if you spot any unfamiliar transactions or suspicious activity
  3. Keep an eye on your credit score for any unexpected dips and contact all the major credit reference agencies to ensure credit isn’t taken out in your name
  4. Beware of emails with poor spelling and grammar. This is one of the most common signs that an email isn’t legitimate. However, phishing scammers are getting more sophisticated, and sometimes it’s almost impossible to tell a fake email from a real one
  5. Roll over hypertext links (without clicking them) to see if the actual URL differs from the one displayed. You should also hover your mouse over the email address in the ‘from’ field to see if the website domain matches that of the organisation the email claims to be from
  6. Always question uninvited approaches (calls, emails, texts, letters, etc.) that ask you for further information in case it’s a scam. Don’t assume a communication is authentic. Just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine. This also applies to any contact claiming to be from LOQBOX
  7. Understand that a legitimate bank or other financial organisation will never contact you to ask for your PIN or full password, or ask you to move money to another account for fraud reasons
  8. If you receive an email that looks in any way suspicious, never click to download the attachment, as it could be malware
  9. If you are concerned that your data might be at risk, there are some steps you can take to stop the threat from escalating. For example, you could register with the Cifas protective registration service. You should also change your passwords and make sure your devices are protected by up-to-date internet security software
  10. Be aware of common phishing techniques. For example, as well as those outlined above, if you receive an email informing you that you’ve won a prize (or the lottery) do not provide any personal information without checking that this is genuine. And do not respond to emails asking you to make a charitable donation. If you’d like to donate to a charity, do so by visiting their website directly.

If you are in any doubt, DO NOT click on any links, open any attachments or provide any information. Instead, you should go to the organisation’s website directly (not via the link provided in the communication) and contact them to make sure the email is legitimate.


Register today to join our no-win, no-fee LOQBOX data breach action

At Hayes Connor Solicitors, we have the expertise to investigate the impact of such breaches. We also steer you through the aftermath of a data breach – minimising the impact on you as much as possible.

Crucially, at Hayes Connor, our data protection breach solicitors are true experts in this type of law. Unlike other firms, it is all we do, and we have been doing it for longer than most.

In addition to our data protection solicitors, we also work with expert barristers to help us win our cases. So, we are confident that our team will get the results you deserve. We have all the experience and know-how necessary to get the best possible result for you.

Our process is fully compliant with ICO guidance, and we never put your details at risk.



[1] https://www.theregister.co.uk/2020/03/02/financial_startup_loqbox_data_breach/


10 steps to protect yourself following the LOQBOX data hack

On 20th February 2020 there was a cyber-attack on the LOQBOX computer system. Following the attack, LOQBOX contacted customers to let them know that the company had been hacked and that as a result, some of their personal information may have been compromised. The information accessed in the LOQBOX data hack includes:

  • Customer names
  • Postal addresses
  • Dates of birth
  • Email addresses
  • Phone numbers
  • Some digits of the bank account number used to make payments to LOQBOX
  • Payment card expiry dates.

Customers (and former customers) are at risk following the LOQBOX data hack

A huge amount of personal and highly sensitive data was accessed during the LOQBOX data hack. And the damage that could be caused should this fall into the wrong hands should not be underestimated.

Indeed, while LOQBOX states that “this information on its own cannot be used to access your bank accounts or other accounts”, it does acknowledge that this data could be used for phishing scams.

Despite this, LOQBOX claimed that it could not contact users and let them know about the hack until it knew more about how people had been affected. So, it took over a week before many people found out that their data was at increased risk of being used in phishing scams.

In a statement, LOQBOX said:

“The simple reason it took the time it did to respond is that we had to get our response right. We had cyber-security experts going through our systems, almost immediately, in order to understand what happened and who had been affected, but this took time. We instructed a specialist law firm to make sure that we were compliant with all the relevant regulations. We also made sure that the Information Commissioner’s Office and the Financial Conduct Authority were informed about exactly how we were responding. We really wanted to let you know sooner but felt it would have been irresponsible to contact our customers with only a partial picture because you would not have known what measures you should take to protect yourselves”.

At Hayes Connor, our experience is that any delay in contacting customers (and former customers) places these individuals at increased risk of fraud and causes more long-term distress.

What is phishing?

This is where a fraudster poses as a legitimate organisation, the police, or someone else you trust to trick you into handing over sensitive information such as usernames and passwords.

Phishing scammers use emails, texts, websites, phone calls and social media to access your data, your computer, or your financial accounts. Typical phishing scams include:

  • Where fraudsters contact you posing as your bank
  • Where fraudsters contact you posing as a company (e.g. Microsoft) and encourage you to complete steps that let them gain access to your computer
  • Where scammers send out an email that appears to come from a service you use (e.g. PayPal, Google Drive, Dropbox, etc.). This email instructs you to click on a link which leads to a fake page that collects your login details
  • Where you receive an email from a person or company you know and trust which includes your personal information and lures you into clicking on a malicious URL or email attachment
  • Where scammers pretend to be from someone in the same company as you in a bid to steal the private data of your customers.

Phishing is a serious crime, and victims can suffer both financial loss and distress.


Ten steps to protect yourself following the LOQBOX data hack

Follow these tips on how to spot phishing attacks and prevent cybercriminals from stealing your information.

  1. Contact your bank or credit card provider for advice on what to do. They will advise if any additional security measures should be implemented to protect your finances
  2. Contact your bank or credit card provider immediately if you spot any unfamiliar transactions or suspicious activity
  3. Keep an eye on your credit score for any unexpected dips and contact all the major credit reference agencies to ensure credit isn’t taken out in your name
  4. Beware of emails with poor spelling and grammar. This is one of the most common signs that an email isn’t legitimate. However, phishing scammers are getting more sophisticated, and sometimes it’s almost impossible to tell a fake email from a real one
  5. Roll over hypertext links (without clicking them) to see if the actual URL differs from the one displayed. You should also hover your mouse over the email address in the ‘from’ field to see if the website domain matches that of the organisation the email claims to be from
  6. Always question uninvited approaches (calls, emails, texts, letters, etc.) that ask you for further information in case it’s a scam. Don’t assume a communication is authentic. Just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine. This also applies to any contact claiming to be from LOQBOX
  7. Understand that a legitimate bank or other financial organisation will never contact you to ask for your PIN or full password, or ask you to move money to another account for fraud reasons
  8. If you receive an email that looks in any way suspicious, never click to download the attachment, as it could be malware
  9. If you are concerned that your data might be at risk, there are some steps you can take to stop the threat from escalating. For example, you could register with the Cifas protective registration service. You should also change your passwords and make sure your devices are protected by up-to-date internet security software
  10. Be aware of common phishing techniques. For example, as well as those outlined above, if you receive an email informing you that you’ve won a prize (or the lottery) do not provide any personal information without checking that this is genuine. And do not respond to emails asking you to make a charitable donation. If you’d like to donate to a charity, do so by visiting their website directly.

If you are in any doubt, DO NOT click on any links, open any attachments or provide any information. Instead, you should go to the organisation’s website directly (not via the link provided in the communication) and contact them to make sure the email is legitimate.
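The two checks in tip 5 (displayed link versus real destination, and the ‘from’ domain versus the organisation's domain) can be automated on a mail gateway or in a reporting tool. The following is an added example, not part of the original article; the function names, the `bank.example` domain and the sample message are constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a web address, e.g. "www.bank.example/login"
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-case hostname of a URL or of bare text such as 'www.bank.example/x'."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None

def belongs_to(host, domain):
    # Suffix match on a label boundary: "bank.example.evil.example" does NOT
    # belong to "bank.example", even though it starts with that string.
    return host == domain or host.endswith("." + domain)

def check_email(from_header, html_body, expected_domain):
    """Return a list of (kind, detail) findings for one message."""
    findings = []
    sender = parseaddr(from_header)[1]
    sender_domain = sender.rpartition("@")[2].lower()
    if not belongs_to(sender_domain, expected_domain):
        findings.append(("from_domain_mismatch", sender_domain))
    collector = AnchorCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # only web links are checked here
        real = host_of(href)
        if real is None:
            continue
        shown = host_of(text) if URL_LIKE.match(text) else None
        if shown and shown != real:
            findings.append(("display_mismatch", f"{shown} -> {real}"))
        if not belongs_to(real, expected_domain):
            findings.append(("link_off_domain", real))
    return findings

# Constructed sample message (reserved .example domains, not real traffic)
SAMPLE_FROM = '"Bank Support" <support@bank.example.mail-alerts.example>'
SAMPLE_HTML = """
<p>We noticed unusual activity. Please confirm your details at
<a href="http://bank.example.secure-login.example/confirm">https://www.bank.example/login</a>
or read our <a href="https://www.bank.example/help">help page</a>.</p>
"""

if __name__ == "__main__":
    for kind, detail in check_email(SAMPLE_FROM, SAMPLE_HTML, "bank.example"):
        print(kind, detail)
```

A clean result only means these two checks passed; a message sent from a compromised genuine account would not be flagged, which is why the advice to contact the organisation directly still applies.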

Making a LOQBOX data hack compensation claim

At Hayes Connor Solicitors, we are watching this case with interest, and, if LOQBOX has failed to protect its customers, we will launch a no-win, no-fee group litigation action.

We can take on your claim on a no-win, no-fee basis.

We have already been contacted by people concerned that LOQBOX has breached their data, all of whom are understandably upset and anxious about the breach. But you do not need to have suffered any financial loss or emotional distress to claim against LOQBOX. If you have suffered a privacy violation caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. So, should personal data be found to be compromised, customers can claim for:

  • Financial losses. A data breach can lead to both financial and/or identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts
  • Distress. Being the victim of a crime can have a significant impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job
  • Loss of privacy. You can claim for any loss of privacy suffered as a result of a data breach (e.g. having an email address stolen).

To become part of our LOQBOX group action, we need you to register with us. This guarantees that you will form part of the group action compensation claims that will be lodged by us.

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions or multi-party actions.

With a group action claim, this group of people (the Claimants) collectively bring their cases to court against a Defendant (in this case, LOQBOX). These victims then fight together to achieve compensation in the High Court of Justice.

Where cases are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim.

Register today to join our no-win, no-fee LOQBOX data breach action

At Hayes Connor Solicitors, we have the expertise to investigate the impact of such breaches. We also steer you through the aftermath of a data breach – minimising the impact on you as much as possible.

Crucially, at Hayes Connor, our data protection breach solicitors are true experts in this type of law. Unlike other firms, it is all we do, and we have been doing it for longer than most.

In addition to our data protection solicitors, we also work with expert barristers to help us win our cases. So, we are confident that our team will get the results you deserve. We have all the experience and know-how necessary to get the best possible result for you.

Our process is fully compliant with ICO guidance, and we never put your details at risk.
