Category: Data Breach

Morrisons to Pay Staff after Data Breach

In 2014, the personal details of thousands of Morrisons staff, including salaries, bank account details and home addresses, were stolen and published online.

At the time, Morrisons said that all the staff details published were put on an unspecified location on the web for a few hours and were taken down immediately when they were discovered. It said in a statement: “We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged.” It was working with police to identify the source of the theft.

The hacker posted the information – including names, addresses, bank account details and salaries – online and sent it to newspapers.

It turned out that it was an employee, Andrew Skelton, who had posted the data online. He was caught and jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.

However, Morrisons faced a huge payout to staff whose personal data were posted on the Internet after workers brought a claim against the company for “upset and distress”.

The High Court ruled that Morrisons was liable for the data breach, and the Court of Appeal then upheld the original decision against the supermarket. Morrisons said it would now appeal to the Supreme Court.

This case is the first data leak class action in the UK.

Morrisons had argued that it could not be held liable for the criminal misuse of its data, but three Court of Appeal judges rejected the company’s appeal, saying they agreed with the High Court’s earlier decision.

They said Morrisons was “vicariously liable for the offences committed by Mr Skelton against the claimants”.

Skelton was given eight years in prison for fraud, securing unauthorised access to computer material and disclosing personal data at a criminal trial in 2015.

The case continues.

If you have any experiences with scammers, spammers or time-wasters, do let me know by email.

Fightback Ninja Signature

Marriott Hotels Data Breach

The personal information of Marriott Hotel group customers has been hacked. This started in 2014 and has only just been found out.

It may affect up to 500 million people. The company do not yet know the exact number but they have started to email all those thought to have been affected.

Marriott is providing all US, Canadian and British customers with free use of the WebWatcher internet security service, which can monitor your Internet devices.

The data stolen includes name, address, phone number, email address, passport number, date of birth, hotel stay information and possibly more. It also includes financial information for some customers.

This is an extremely serious data breach and may lead to financial theft and identity theft.

Law enforcement agencies are investigating what happened, but it may take time for the picture to become clear.

Many hackers use a long, slow approach to siphoning data out of a company, and it can be very difficult to determine exactly what they took.

If your data has been stolen then you will be contacted by Marriott.

However, scammers will also send out fake messages claiming to be from Marriott about the data breach, so if you have been a Marriott customer since 2014, be careful with any messages or calls you receive.

What Can You Do?

  1. Check the website set up by Marriott about this at answers.kroll.co.uk
  2. You can call their support line on 0808 189 1065 if concerned
  3. Check your payment card transactions regularly and look for anything out of the ordinary
  4. If your login and password have been used on other accounts then consider changing them

If you have had any problems with your data being compromised – do let me know by email.


Google and Google+

Google has said that it found a software glitch in its Google+ social network in March 2018 that could have exposed the personal data of as many as half a million users, but decided not to tell the public until months later.

Google found the flaw in March during an extensive privacy and security review according to Ben Smith, Google vice president of engineering. An internal committee decided not to disclose the potential breach of Google+ because there wasn’t evidence of any misuse of the exposed data, which included names, email addresses, ages and occupations. The bug was immediately fixed at the time, he said.

The Federal Trade Commission, as the nation’s chief privacy watchdog, has the authority to investigate data breaches. The FTC can fine companies when they violate terms of a consent decree.

Google has said it plans to shut down Google+ for consumers (but leave it running for businesses) and introduce new privacy tools restricting how developers can use information on products ranging from email to file storage.

Google+ was never anywhere near as successful as Facebook and other social media networks. Even so, many users still have a profile that has personal information on it. Google will shut it down over the coming months for consumers, but keep the version built for businesses open and operating.

The other changes Google is making include requiring apps to ask separately for each type of information they want from a user, such as access to calendars or address books. On Gmail, Google’s ubiquitous email service, only apps that improve email functionality will be allowed to request access.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.


Tesco Bank Fined for Data Breach

Tesco Bank was fined £16.4m by the City watchdog over a cyber-attack it suffered that netted cyber criminals £2.26m.

The Financial Conduct Authority (FCA) said deficiencies at the bank had left account holders vulnerable to the incident. The bank had received a specific warning that was not properly addressed until the attack had started and the response was “too little, too late”.

This is the first time the FCA has issued a fine for a cyber-related incident.

Tesco Bank said that since the incident in November 2016 it had “significantly enhanced” security measures, and apologised to customers.

Mark Steward, executive director of enforcement and market oversight at the FCA, said the fine “reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks”. Banks must ensure resilience against such crime, reducing the risk of a cyber attack occurring in the first place, not only reacting to an attack.

Tesco Bank said the cyber attack in 2016 did not involve the theft or loss of any customers’ data but led to 34 transactions where funds were debited from customers’ accounts, and other customers having normal service disrupted.

The bank’s chief executive Gerry Mallon said: “We are very sorry for the impact that this fraud attack had on our customers.”

Banks and other financial institutions must learn that it’s cheaper to build proper protection than to wait for a catastrophe to happen.


Data Breach Affects Major Fashion Brands

Brands including AX Paris, DLSB, Elle Belle Attire, Perfect Handbags and Traffic People are among those affected by a data breach at IT ecommerce supplier Fashion Nexus with White Room Solutions.

Fashion Nexus stated that on or around 9 July a “white hat hacker” or “ethical hacker” breached one of the company’s web servers. Fashion Nexus advised its clients using the software to file reports with the Information Commissioner’s Office, and Fashion Nexus also filed a breach report.

Around 650,000 of its clients’ customers were believed to be affected.

The majority had their names and email addresses accessed, and one-fifth also had their home address details accessed. There was no payment card information stored in the databases. But the data did include hashed passwords, names, email addresses, phone numbers, and other data.

Rob Sherwood, director at Fashion Nexus, said: “Our experience with this as a small company has been extremely stressful and unsettling. Contrary to the way we’ve been portrayed in the IT security press, we care deeply about our clients and the rights of their customers.

“As a small business with limited resource and funding, we had put in place security measures but clearly, somehow, this wasn’t sufficient to prevent an attack, and we can’t apologise enough to our clients and their customers.”

The personally identifiable information accessed can lead to scammers carrying out identity fraud and identity theft.

If you are a customer of one of the affected brands, then change your password immediately and also the login and passwords of any other accounts using the same login details.
