Foxtons Group PLC is coming under pressure after an investigation by the i newspaper last week revealed the company suffered a data breach that could be putting customers at enormous risk.
According to the investigation, a malware attack that occurred last year was much more serious than the business is letting on. If true, it raises very serious concerns for consumers.
The story revolves around a malware attack originally self-reported to the Information Commissioner’s Office in October of last year. At the time, Foxtons claimed that hackers had been unsuccessful in their attempts to steal sensitive consumer records.
Since the story broke, Foxtons has again gone on the record to claim that all necessary disclosures were made, and that the attack “did not result in the loss of any data that could be damaging to customers.” So what’s the truth?
According to the investigation, the data circulating on the dark web is much more problematic than Foxtons is claiming. What’s more, it is alleged that Foxtons knew just days after the cyber attack that hackers had not only stolen data from the servers of Alexander Hall, its mortgage-broking subsidiary, but had begun passing it around on the dark web.
Under the rules of GDPR, a company must report a personal data breach to the ICO (within 72 hours of becoming aware of it) where the breach is likely to put individuals at risk, and must also notify the affected individuals themselves where the breach is likely to put them at high risk. This raises the question: if data stolen from Foxtons is already circulating on the dark web, why has Foxtons failed to inform customers about the breach?
Admittedly, GDPR does allow a company to skip notifying individuals if it had protection measures in place that leave the stolen data useless to whoever obtains it (for example, strong encryption that renders the data unintelligible), or if it has since taken steps that mean the high risk is no longer likely to materialise. Data that is being read and passed around on the dark web in usable form fails the first test, so under the circumstances this exception would seem not to apply to Foxtons.
Reportedly, 20% of the customer card details stolen from Foxtons are still active and vulnerable to fraud. This raises enormous concerns for consumers, because the investigation claims to have uncovered evidence of 16,000 cards in total, in addition to names, addresses, and private correspondence.
If this is accurate, there is no doubt that the breach is causing an immediate threat to those affected, because criminals could leverage the data to engage in phishing, fraud, and identity theft.
To make things worse, the data that has been sitting around on the dark web for three months has already been accessed over 15,000 times.
If this is true, why not inform customers to allow them to check their bank statements and cancel any active cards? Is that really too much trouble?
To rub salt in the wound, the i article also alleges that some of the data leaked on the dark web predates 2010. The age of the data could be the reason why Foxtons believes it is in the clear.
However, the hackers responsible for the breach claim that they have published only 1% of the stolen data, and that the free data is merely an advertisement to tempt other criminals into purchasing the more recent, valuable data.
If there is even the slightest possibility that this is true, it would make sense for Foxtons to warn consumers, and it is essential for the ICO to look more closely at the case.
If Foxtons has even an inkling that there might be more to the breach, failure to warn consumers is a serious dereliction of duty and it is likely that further investigation will lead to substantial fines.
Foxtons’ confidence that it has done nothing wrong, despite all the evidence to the contrary, rings alarm bells.
Foxtons customers who fear that hackers could have stolen their data are advised to act quickly to protect themselves from identity fraud and card fraud by cancelling their cards and looking closely at their statements to flag any suspicious activity with their bank. Better safe than sorry.
Ray Walsh, digital privacy expert at ProPrivacy.