Touchnote breach: Wrote a postcard with us? Thieves have your pal's name, address

London-based postcard biz Touchnote has offered more details about a data breach it confessed to on Bonfire Night. In a statement published on its site on 5 November, Touchnote claimed it had the previous day "received information confirming that Touchnote has been victim of criminal activity, resulting in the theft of some of …

  1. tentimes

    It's ALL of the customers, not some - as usual

    What I HATE about these confessions is that they always pretend that "some of our customers" were affected.

    If there was a breach then safe to say the infiltrators did a bang up job of getting the whole DB, as per usual.

    But we have to have this minimisation poppycock as usual. Makes me sick.

    1. sysconfig

      Re: It's ALL of the customers, not some - as usual

      Exactly. It's surprising how they can't avert a breach, and if the breach happens, their forensics are supposedly super accurate and can work out in record time the exact number of datasets siphoned off (like in the TalkTalk case).

  2. Martin Summers Silver badge

    Shall we all revert back to buying from physical shops? Seems we are getting shafted from all angles online right now. This must be the third or fourth service I've used that has allowed my data to be half inched recently so much so that I'm not sure I want to part with my details anymore! At least cash in a physical shop is mostly anonymous and won't get my bank account ransacked.

    1. frank ly

      About 3 years ago (maybe), the staff at Asda started asking people for their postcode when buying things at the tobacconist counter and paying by cash. This lasted for a few months. The first time it happened, I said that I couldn't remember but after that happened I started giving them the postcode for the Asda store, which they typed into the till terminal. I assume it was an experimental marketing exercise and I know it was bloody annoying.

      1. Anonymous Coward

        " [...] I started giving them the postcode for the Asda store, [...]"

        I always use the post code of the Royal Mail sorting office in situations where it is not necessary for them to know the information but the form won't complete without it. It is near enough so that correlation with any other geographical references would be plausible. Some of them are getting canny and have decided that the memorable old post code of a major bank is not plausible since they moved locations.

      2. John Brown (no body) Silver badge

        "the staff at Asda started asking people for their postcode"

        I just said "No" and the staff were happy with that. It was rather telling how many people happily gave over their postcode though.

      3. Mike Flugennock

        Oh, yeah, Radio Shack pulled that crap some years ago

        Sounds like Radio Shack when they started pulling that crap here in the States about eight, ten years ago. Pretty goddamn' outrageous, considering they could've gotten my zip code if I were paying by credit card. I don't know if they still do that anymore, as I stopped shopping there after they started doing it.

    2. Robert Helpmann??
      Childcatcher

      Revert Back!

      Perhaps the best way to go is to register with different information at every site for which we are forced to enter our personal details and to set up several electronic accounts that we only transfer money to via several intermediate hops just as we are ready to spend it. Figure out a way to automate this process without also causing red flags to fly for our government overlords and you should be well paid via very secure and untraceable means.

      Makes me wonder when paranoia turns out to be the best option.

    3. Anonymous Coward

      "Shall we all revert back to buying from physical shops?"

      I used to see a book on Amazon's "recommends" - then order it from my local Ottakars bookshop as a way of supporting local brick stores. Each year I spent about £1K with them - mostly on books that had to be ordered.

      One day when chasing an order in the shop the assistant iterated several books I had bought previously. It transpired that they had a database record of every book I had ever bought from them over several years. Head Office said that records were purged after 12 months. That was patently not true - and the local shop said they had no idea how to do that.

    4. Turtle

      @Martin Summers

      "This must be the third or fourth service I've used that has allowed my data to be half inched recently so much so that I'm not sure I want to part with my details anymore!"

      If you give your details to more online vendors, what does it matter? It would seem that your details have been stolen often enough that you have nothing left to lose...

  3. The Eee 701 Paddock

    This news really made my Friday afternoon...

    I'm one of those folks who really tries to take care, not to provide identity thieves with easy pickings. I routinely shred letters and anything with my name, address or other useful details on them, and although I probably could be even more careful, I do my best not to give this info to just anyone.

    And then on Friday, I received the email from Touchnote (whom I have used a couple of times in the past to send postcards), and I wonder why I bothered. I feel like asking: what is the point of guarding one's personal information, if all it takes is one bunch of muppets who don't bother encrypting* most of their customers' valuable details, getting virtual-ram-raided, and it's suddenly all out there for the taking?

    I'm also now wondering: how many other websites who have my personal data stored, have a similarly cavalier attitude to it? I think I'm long overdue for an audit of which sites I have accounts with, but rarely or never use any more... and time to start closing them.

    Maybe I might start with Touchnote... but the burglars are over the hills now with their loot, so what would be the point?

    * - This, BTW, is also why I'm keeping a nervous eye on the future of encryption in the UK.

    1. mdava

      Re: This news really made my Friday afternoon...

      " I think I'm long overdue for an audit of which sites I have accounts with, but rarely or never use any more... and time to start closing them.

      Maybe I might start with Touchnote... but the burglars are over the hills now with their loot, so what would be the point?"

      There isn't any point re the data, but perhaps there is in the sense of "I won't do business with people who don't care about my data."

      1. sysconfig

        Re: This news really made my Friday afternoon...

        "There isn't any point re the data, but perhaps there is in the sense of "I won't do business with people who don't care about my data.""

        Problem with that is that you can only apply this knowledge in hindsight -- when the crims have lifted details and the company demonstrated carelessness. You never know in advance, which company you can trust to keep your data safe. Hell, you can't even trust government, agencies, and public service; they might just lose a laptop or USB stick somewhere (as has been demonstrated several times in recent years). To make matters worse, they don't have any competitors you could use instead.

    2. Doctor Syntax Silver badge

      Re: This news really made my Friday afternoon...

      "rarely or never use any more... and time to start closing them."

      Which will have no effect as they'll not remove your data.

      1. Anonymous Coward

        Re: This news really made my Friday afternoon...

        "Which will have no effect as they'll not remove your data."

        I always edit my personal data to rubbish values before closing any account.

    3. Anonymous Coward

      Re: This news really made my Friday afternoon...

      This is a great idea, and I'd like to close out a few services -- including two Microsoft properties -- but I find it's increasingly common that I can't revive stale accounts without also providing a phone number 'for my security'.

      IDFTS* - I'd rather let the data rot with bogus locations and names than activate the accounts with fresh data, only to try (with futility) to close them out.

      *I don't ... think so.

    4. Mutton Jeff
      FAIL

      Re: This news really made my Friday afternoon...

      Makes me wonder, how many breaches have been swept under the carpet.

  4. The Nazz

    So what's the difference between ...

    An organisation like this having its data nicked and an organisation (usually the same one) selling the same data to its "partners"?

  5. Anonymous Coward

    There has been a flurry of spam the last couple of days. The target email addresses are either my amazon account or one used for a charity site's CD shop several years ago. Neither of them should have been allowed to leak.

    1. John Brown (no body) Silver badge

      I've been using unique email addresses for many years now, usually companyname@mydomain.com. The only one that attracts spam is svp@mydomain.com; I emailed them about it and they claimed they had not had a data breach.

  6. Neil Barnes Silver badge

    Is there actually any business need

    To keep a name and address and in particular payment details once the transaction is completed? In the vast majority of cases, things I buy online are one-off events and I'm unlikely ever to use the store again; or if I do, it is of no consequence to type in my details again. Certainly I don't want to see advertising, and I don't want a 'relationship' with a retailer...

    1. Doctor Syntax Silver badge

      Re: Is there actually any business need

      "To keep a name and address and in particular payment details once the transaction is completed?"

      No. Earlier today I wanted to buy a book advertised on Abe books. To do that it wants me to set up an account. That would mean either giving them the current odds & ends email address that gets zapped after a few weeks in which case I wouldn't be able to reuse the account anyway or log into my email provider and set up another special address for them. As the shop isn't too far away I just rang them up, asked them to put the book to one side & I'll collect it later. The only downside is that SWMBO will probably come with me and letting her loose in a bookshop will cost several hours of time if no actual money. In the mean time Abe books lose their commission.

    2. edge_e
      Flame

      Re: Is there actually any business need

      as well as admitting that "there have also been some recorded instances of dates of birth being accessed."

      This has to stop. The DPA is pretty damn clear on this.

      Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

      Why are they asking for, let alone storing, dates of birth?
