A Personal Data Breach Story

Our director, Colin Tankard, recently identified a personal data breach in action when buying a new car.

In the process of buying the car, Colin received poor service from a main dealer and when he complained about this, he didn’t receive a response.

He did receive an email from the car manufacturer’s marketing team inviting him to complete an online survey about his experience and, like many surveys, offered the chance to be entered into a competition.

Following the link in the email, Colin took the opportunity to provide feedback about the poor service he received and at the end of the survey, was surprised that he wasn’t given the choice of entering the competition by being asked to input his contact details. Instead, a message thanked him for completing the survey and automatically entered him into the competition but, the message didn’t thank him personally, it thanked a ‘Miss Cartwright’.

Hovering over the link in the email, Colin discovered the link contained Miss Cartwright’s personal information, including her email address and post code.

For surveys of this kind, each participant accesses the survey via a unique link sent to them in an email, which enables the company’s systems to identify them and access their existing data. Parts of the form are then pre-populated with this information.

Somewhere along the line, the company’s pre-populated survey links were sent to the wrong recipients. It is unclear why, but even if one row of the company’s database is incorrect, this could nudge the entire data out of line, causing the survey links to be sent to the wrong recipients. If Colin received a link to a survey pre-populated with Miss Cartwright’s information, it seemed likely someone had wrongly received one with his details too.

Colin contacted the car manufacturer to inform them of the breach but they weren’t interested in looking into the issue, claiming it to be the responsibility of their third-party marketing company, even though the email originated from a fully qualified domain of the manufacturer. They suggested that none of his personal data had been disclosed, however, based on his survey experience, Colin deemed it likely that it had and that someone else had his information within their pre-populated entry form. After many emails it became evident that the manufacturer had no way of tracing what went wrong nor who had Colin’s data.

Under the EU’s General Data Protection Regulations (GDPR) due to come into force from May 2018, this would be seen as a failure to comply, and more worryingly the manufacturer in this case would also not be able to comply with Chapter 3 Article 15 which requires them to disclose personal information held by them within 10 days of a request.

The GDPR will replace the Data Protection Act in the UK, and will provide tougher penalties for companies who fail to adequately secure personal information. Firms who fail to comply could face a fine of up to 4% of their global annual turnover, or €20,000,000, according to which is greater.

With the stakes so high, it is vital to carefully consider who to entrust with your company’s compliance and reputation. Under the GDPR, not only will organisations need to keep their own house in order, but they will need to be confident in the compliance of third parties’ houses as well, in order to avoid significant financial penalty.

Data: When is it personal?
How Can You Protect Your Business Against Malware?