Months after breach at the 'UnBank' Ffrees, customers complain: No one told us

Customers of UK financial services firm Ffrees said they were unaware of a breach that took place there four months ago until a security researcher got in touch with them. The same anonymous white hat who discovered the now infamous AA shop accessories breach back in April also uncovered the exposure of data by Ffrees Family …

  1. Anonymous Coward
    FAIL

    People are too stupid to do the right thing

    The right thing being a boycott of companies that try to hide the failures that expose their customers, instead of trying to protect their customers.

    In an ideal world, this would either force the badly behaving companies out of business, or scare them into doing the right thing; sadly though, we have the example of Talk Talk, where multiple MASSIVE breaches have meant only a temporary drop in idiots signing up with them.

    1. Solarflare

      Re: People are too stupid to do the right thing

      The Great Unwashed don't see a breach as a big problem. I have had many a frustrating conversation with people about how much data there is on them and how big a deal things like this are. In general, they just don't care. Unless it hits them financially, people are happy to just ignore this sort of thing.

      1. Stevie

        Re: People are too stupid to do the right thing

        The right thing to do is for companies that store this sort of data to do so in an unstructured way and to encrypt everything, including the bloody transactions that re-structure it.

        Stop keeping atomic pieces of coherent information physically proximate. Make it logically proximate on business demand, not haxxor demand.

        And keep it all in Furbish for fuck's sake!

  2. Warm Braw

    Their website says:

    The Ffrees Card and associated Ffrees Account is an electronic money product and although it is a product regulated by the Financial Conduct Authority, it is not covered by the Financial Services Compensation Scheme. No other compensation scheme exists to cover losses claimed in connection with the Ffrees Card and associated Ffrees Account. We will however ensure that any funds received by you are held in a segregated account so that should we become insolvent your funds will be protected against claims made by our creditors.

    and:

    It’s no longer possible to sign up for a new Ffrees Account

    Probably just as well.

  3. samzeman

    This might not be the place but can anyone provide a counterargument to the following two points, most commonly used by people who definitely wouldn't survive long in 1984?

    "If you've got nothing to hide, you have nothing to be afraid of"

    "They gather so much data they'll never pick you out specifically"

    I do object, but I can't tell why.

    1. Robert Carnegie Silver badge

      Counterargument?

      Everybody has something to hide for personal safety and security. You could be "victimised" - since people will do that - because of who you work for, who you vote for, whether you are in a trade union (employer blacklists are a thing), if you or a friend or family member is homosexual or black or Muslim or Jewish or Irish or financially gullible or reads the "Private Eye" investigative journal, what you say in public about things.

      As for picking you out specifically: one, yes "they" can obtain a list of all known homosexual sympathisers in their database and mail anthrax baggies to every one of them; two, every one-to-one interaction that you have is specific. The cashier at Waitrose - or the self-service machine - can identify you as "one of those" and, again, sprinkle anthrax spores on your receipt. Yes, all right, the anthrax thing is radical and impractical. Instead they can alert the person who pushes a train of 20 shopping carts around the parking lot to "accidentally" run over you.

    2. Pascal Monett Silver badge

      I can tell you why I object:

      The fact that I do have nothing to hide does not mean you have permission to rifle through my life without a warrant (implying probable cause, which you don't have since I have nothing to hide).

      The fact that so much data is gathered on everyone allows Big Data to find correlations that a human would take thousands of years to spot, meaning that advancements in data mining imply that all that data can conceivably find a way to implicate me personally in something I absolutely had no intention of participating in.

      As in, if I somehow go every week at about the same time to the same place as an actual terrorist (think supermarket for food), my bloomin' so-called smartphone localizes me in the same general area at the same times, and I happen to be on camera with said terrorist (in the canned food aisle because he was asking about a specific price), I may get flagged as a potential contact, become a suspect and get my life invaded and overturned to find whatever excuse to jail me or at least ruin my future when I was just frakkin' shopping and so was he (because terrists eat too).

    3. phuzz Silver badge

      I'm not disagreeing with the commentators above, but this particular breach shows that even a hypothetical person who has nothing to hide from the world, is still at risk of someone taking their personal information and using it for fraud.

      Sure, the government might not hunt you down personally and lock you up (they probably have more important things to worry about), but there's enough thieves and fraudsters out there that between them they can try to scam pretty much anybody whose details they get hold of.

      tl/dr you shouldn't worry about the government more than you worry about criminals

      1. Pascal Monett Silver badge

        Re: "you shouldn't worry about the government more than you worry about criminals"

        I respectfully disagree.

        A criminal can steal your money, eventually your identity. That's bad, of course. You have recourse against that, and, with time and effort, you can prevail in proving your innocence.

        A government can destroy your life. Lock you up for years on baseless charges, or simply record the fact that you have been accused of something and therefore remove all possibility of getting a job. You have no recourse.

        Which is worse?

        1. Jtom

          Re: "you shouldn't worry about the government more than you worry about criminals"

          I'm not worried about 'the government' as much as the people IN the government. For example (using US laws, ymmv): you rub some low-level bureaucrat, maybe your neighbor, the wrong way. He does an unauthorized search of your Amazon purchases and sees you bought a weekly pillcase (where you can distribute a week's worth of meds, by day, for convenience, especially traveling). Then he looks at the list of prescribed drugs you take, and sees that it's quite a few (not unusual). This indicates the pillcase was not for over the counter meds, but prescriptive ones. He makes a single call anonymously and reports you as illegally transporting prescriptive drugs. Not carrying such medication in their original bottles with the proper labeling is a felony in most states (the law was passed as a way to combat the improper sale of prescriptive drugs).

          Quite a few people unwittingly commit felonies such as this. They aren't enforced by 'the government' because they are not after you. Individuals in the government, though, may have different agendas.

    4. katrinab Silver badge

      "If you've got nothing to hide, you have nothing to be afraid of"

      I do have stuff I want / need to hide, but that doesn't mean I've done anything wrong.

    5. Brian O'Byrne

      True story. Some years ago a British tourist lost his passport. A criminal used the passport details to start a business in Germany. This criminal decided not to pay some taxes (I think it was a case of VAT fraud). The German revenue commissioner came knocking on the Brit's door demanding their money.

      Details of identity documents can be abused for large financial gains. I have nothing to hide but I don't want to be investigated by some foreign government for tax fraud.

  4. Anonymous Coward

    Ever looked at the "Sofort Überweisung" in Germany? In order to do your online shopping, you have to hand over your online banking password and a transaction number to a third party who will check your account, slurp as much data as possible, make the required bank transfer from your account to the vendor and notify the vendor that the transaction has been made. (The "sofort" aspect - the vendor doesn't have to wait for the money to actually reach their bank account.) That's the brave new world of FinTechs to you. No way that can go wrong...

  5. adam payne

    With that amount of data loss they should be looking at a huge fine.

    Customers should have been notified given the details leaked.

  6. Doctor Syntax Silver badge

    Man overboard?

    "All organisations have a duty under the Data Protection Act to keep people's personal information safe and secure,"

    I wonder if that carries an implication about what sort of response would be required.

    Here's an analogy. A ship operator has a responsibility to keep passengers safe from falling overboard. The first line of this might be a guardrail. But if, despite this a passenger were to go over the side then one would expect some form of rescue attempt - anything from throwing a lifebelt to calling out air-sea rescue as appropriate.

    So perhaps a mere "oops" to the ICO isn't sufficient response to a breach. The requirement to keep data subjects safe continues and one element of discharging that would be to alert those affected so that they could help themselves - in addition, of course, to any additional help from the company which would be appropriate.

  7. Anonymous Coward

    Banks: The only LEGAL way to steal

    A friend of mine, a banking expert, would sigh fondly and say, "Ah, Banks! The only LEGAL way to steal!" Looks like thieves are still hard at work, both outside and inside the bank. [Anonymous because I have accounts with banks...]

  8. Alistair

    argh.

    "If you've got nothing to hide, you have nothing to be afraid of"

    Today.

    First they came for.....

    "They gather so much data they'll never pick you out specifically"

    I proved to a couple of security team folks just how granular a search could be done with a one line query. 3.5M identities, 4 element query, 4 results. One was the target.

  9. Aodhhan

    America sucks again, eh?

    What? They don't have to tell their customers? Oh man, this American justice system sucks @xx. Oh wait... in the USA, the FFIEC and OCC require all banks to notify customers within 48 hours of a confirmed breach. They must also prove they attempted to contact 100% of their customers using more than one method. So, this can't be in the USA.

    Wait.. this can't be in England can it? All the people there believe their system is the best, fair and most protective of its people; while saying the USA is the worst system in the world.

    BAH. Again, know your own system before blasting the system of others.
