Comment: Could Foxtons cyber-attack be more serious than first thought?

Foxtons Group PLC is coming under pressure after an investigation by the i newspaper last week revealed the company suffered a data breach that could be putting customers at enormous risk.

According to the investigation, a malware attack that occurred last year was much more serious than the business is letting on. If true, it raises very serious concerns for consumers.

The story revolves around a malware attack originally self-reported to the Information Commissioner’s Office in October of last year. At the time, Foxtons claimed that hackers had been unsuccessful in their attempts to steal sensitive consumer records.

Since the story broke, Foxtons has again gone on the record to claim that all necessary disclosures were made, and that the attack “did not result in the loss of any data that could be damaging to customers.” So what’s the truth?

According to the investigation, the data circulating on the dark web is much more problematic than Foxtons is claiming. What’s more, it is alleged that Foxtons knew just days after the cyber attack that hackers had not only stolen data from Alexander Hall’s servers – but had begun passing it around on the dark web.

Under the rules of GDPR, companies have an obligation not only to inform the ICO about security incidents but also to ensure that affected consumers have been notified. This raises the question: if data stolen from Foxtons is already circulating on the dark web, why has Foxtons failed to inform customers about the breach?

Admittedly, GDPR specifies that a company need not inform individuals about a breach if effective technical and organizational protection measures can ensure that there is no direct risk to affected data subjects. Under the circumstances, this exception would seem not to apply to Foxtons.

Supposedly 20% of the customer card details stolen from Foxtons are still active and vulnerable to fraud. This raises enormous concerns for consumers because the investigation claims to have uncovered evidence of 16,000 cards in total, in addition to names, addresses, and confidential correspondence information.

If this is accurate, there is no doubt that the breach is causing an immediate threat to those affected, because criminals could leverage the data to engage in phishing, fraud, and identity theft.

To make things worse, the data that has been sitting around on the dark web for three months has already been accessed over 15,000 times.

If this is true, why not inform customers to allow them to check their bank statements and cancel any active cards? Is that really too much trouble?

To rub salt in the wound, the i article also alleges that some of the data leaked on the dark web predates 2010. The age of the data could be the reason why Foxtons believes it is in the clear.

However, the hackers responsible for the breach claim that they have only published 1% of the stolen data, and that the free data is only an advertisement to tempt hackers into purchasing the more recent, valuable data.

If there is even the slightest possibility that this is true, it would make sense for Foxtons to warn consumers, and it is essential for the ICO to look more closely at the case.

If Foxtons has even an inkling that there might be more to the breach, failure to warn consumers is a serious dereliction of duty and it is likely that further investigation will lead to substantial fines.

Foxtons' confidence that it has done nothing wrong – despite all the evidence to the contrary – rings alarm bells.

Foxtons customers who fear that hackers could have stolen their data are advised to act quickly to protect themselves from identity fraud and card fraud by cancelling their cards and looking closely at their statements to flag any suspicious activity with their bank. Better safe than sorry.

Ray Walsh, digital privacy expert at ProPrivacy.



One Comment

  1. Oliver Wharmby

    Agents are being hacked on a regular basis and they won’t know until it’s too late. We have seen a dramatic increase in cyber breaches occurring against property professionals. The reason being they hold valuable data and in many cases there are weak security measures in place.

    The knock-on effect is cyber liability insurance premiums are increasing and will often exceed PI premiums.

