Data Protection Breach

joe316

Quick question,

after logging into an account I have with a certain company (shall remain nameless for time being), however instead of seeing my account I see a guy's from Galways account. Full access to his name, address, phone number, etc.. I can even make changes to his account i.e. pin number if I was someone with the know how I could make up cards with his actual number and a pin of my choosing and rack up a fairly massive bill.

Now in the process of contacting the company in question, however I am worried that my own account is in the hands of someone else. I was going to give them 24 hours to resolve it before contacting the data commissioner or should I contact them straight away?

Rabies

You should tell people on the internet first.

Or

Call up the company involved and let them sort it out asap

SunnyDub1

Without doubt contact them straight away.

I'd also name and shame them. That's only his account that's been viewed by a complete stranger who's to say other people accounts aren't on view to others :mad:

Wacker The Attacker

I can fix it.

Whats your password and credit card number?

joe316

Currently getting in contact with them

Was just asking whether I should give them time to fix it or inform the data protection commissioner as well now.

SunnyDub1

joe316 wrote: »

Currently getting in contact with them

Was just asking whether I should give them time to fix it or inform the data protection commissioner as well now.

I'd inform them also!

HondaSami

joe316 wrote: »

Quick question,

after logging into an account I have with a certain company (shall remain nameless for time being), however instead of seeing my account I see a guy's from Galways account. Full access to his name, address, phone number, etc.. I can even make changes to his account i.e. pin number if I was someone with the know how I could make up cards with his actual number and a pin of my choosing and rack up a fairly massive bill.

Now in the process of contacting the company in question, however I am worried that my own account is in the hands of someone else. I was going to give them 24 hours to resolve it before contacting the data commissioner or should I contact them straight away?

Do ye have the same name ?

If not it's a bit weird tbh, did you phone him and inform him as well, he has a right to know imo

Yellowblackbird

Up to the point you found out about it the company was fully liable for any fraud committed on your account during that time. From the point in time where you found out about it and didn't tell them onwards you became at least jointly liable for any fraud. If not 100%.

AnonoBoy

Before you do anything stop and think to yourself.... is there anyway that I can profit from this?

Then do whatever that is and then report it.

And if you get caught blame it on the company for allowing you to profit from their mistakes.

Hownowcow

Inform the Data Protection Commissioner immediately.

withless

Has Mattie McGrath spoken on this yet?

Gongoozler

I used to work in a small company, and this same thing happened. Major panic. We had big clients that would not have been happy if they found out. Actually I think it had happened to one of them, that was how we found out about it.

Well, that's my story.

ash23

You've to contact the company first and let them deal with it.

THEN if you are not happy with their response or action, you get in touch with data protection commissioner. Same applies for all the commissioners, Ombudsman offices etc......you always go to the company first.

From data protection commissioner website

If you think that a person or organisation is not meeting their data protection obligations, and if you are not satisfied with their response to your concerns, then you may complain to the Commissioner, who will look into the matter for you. If the Commissioner upholds your complaint, he has legal powers to ensure that these matters are put right.

Wacker The Attacker

withless wrote: »

Has Mattie McGrath spoken on this yet?

He's just checking to see if either party has been stopped by the gardai . He can then run it past alan shatter and get the ok.

kneemos

Just remember what happened Freddie the gimp for telling tales.

Cody Pomeray

joe316 wrote: »

Quick question,

after logging into an account I have with a certain company (shall remain nameless for time being), however instead of seeing my account I see a guy's from Galways account. Full access to his name, address, phone number, etc.. I can even make changes to his account i.e. pin number if I was someone with the know how I could make up cards with his actual number and a pin of my choosing and rack up a fairly massive bill.

Now in the process of contacting the company in question, however I am worried that my own account is in the hands of someone else. I was going to give them 24 hours to resolve it before contacting the data commissioner or should I contact them straight away?

Yes, you should contact the Data Protection Commissioner, and the firm who operate the website will have to do so also.

You should also inform the firm operating the website. When you do so, provide the name of the individual whose details were disclosed. The firm have an obligation to inform this individual that his details were released.

OldGoat

You should change your password every 3 or 4 minutes until the crisis is past else someone with fewer scruples then yourself might profit.

Scruples is a great word.

beachhead

You should have informed the Data Commissioner immediately to protect yourself and other account holders followed by the institution you are with.There is no respect for personal privacy in this country at all,so help out.

paddydriver

Don't forget to tell Alan Shatter too.. he can use it against them on prime time if ever the need arises. Probably CC Mick Wallace too:D

joe316

Hey folks,

Just wanted your opinion on whether I should contact the data commissioner at the same time as the company in question, phoned them and their response was "Oh no", forwarded them the details and to the company. Will call the guy whose account I can access to let him know as well.

Think thats about as much as I can do.

I dont have a credit card printing machine so cant give you all cards Im afraid!!

Unregistered.

joe316 wrote: »

Hey folks,

Just wanted your opinion on whether I should contact the data commissioner at the same time as the company in question, phoned them and their response was "Oh no", forwarded them the details and to the company. Will call the guy whose account I can access to let him know as well.

Think thats about as much as I can do.

I dont have a credit card printing machine so cant give you all cards Im afraid!!

Tell us the company OP, there could be lots of people on boards with the same issue who don't know about it!

joe316

Not going to say the company just yet, but not happy that they havent the decency to reply to my mails.

Its a fuel card so that narrows it down for people worried.

tin79

joe316 wrote: »

Hey folks,

Just wanted your opinion on whether I should contact the data commissioner at the same time as the company in question, phoned them

It depends. Do you have two phones?

Femme_Fatale

D'oh. Highly likely to be an unintentional system error, but still... bad form, and unpleasant for you. If you sent a mail via their general "Contact us" form, it may take longer than 24 hours to get a response, because of the queue. So you should ring them, especially with it being the weekend.

beachhead wrote: »

You should have informed the Data Commissioner immediately to protect yourself and other account holders followed by the institution you are with.There is no respect for personal privacy in this country at all,so help out.

Huh? Data protection laws in this country are extremely strict.

Yellowblackbird

How do we know you are in fact joe316?

joe316

Femme_Fatale wrote: »

D'oh. Highly likely to be an unintentional system error, but still... bad form, and unpleasant for you. If you sent a mail via their general "Contact us" form, it may take longer than 24 hours to get a response, because of the queue. So you should ring them, especially with it being the weekend.

Huh? Data protection laws in this country are extremely strict.

Just been a bit difficult to call as in work and the reason why I mailed is that when I was setting up the account I was in direct contact with a CSR from the company and she always replied within about 30 minutes so assumed it would have been the same this time.

Will call in a bit though.

stevenmu

This is definitely worth reporting to the Data Protection Commissioner straight away.

For minor breaches, you would normally only report it if the company in question was refusing to correct the issue.

In this case though it sounds like a serious system failure, and that financial details are involved, it possibly even sounds like a bank or credit card company? In a case like this the data protection commissioner should always get involved any way and conduct an investigation into what happened. In fact the company themselves is almost certainly legally obligated to report it themselves, but you still should anyway just to make sure.

joe316

Just tried logging into my account, only to denied access so obviously things are changing.

Bit late in the day and not good that they gave no acknowledgement, glad I took screenshots now.

MonsterCookie

stevenmu wrote: »

This is definitely worth reporting to the Data Protection Commissioner straight away.

For minor breaches, you would normally only report it if the company in question was refusing to correct the issue.

In this case though it sounds like a serious system failure, and that financial details are involved, it possibly even sounds like a bank or credit card company? In a case like this the data protection commissioner should always get involved any way and conduct an investigation into what happened. In fact the company themselves is almost certainly legally obligated to report it themselves, but you still should anyway just to make sure.

Seems from latter posts from the OP that it is a fuel card rather than a Bank. As a minimum, I'd seek an explanation and their assurances that this is an oscillated incident. However, I find it hard to get too excited about given all the other racy sh1t going down these days:rolleyes:

I would write to the DPC as well if I had been able to see sensitive information.

Wompa1

joe316 wrote: »

phoned them and their response was "Oh no"

I picture somebody eating a Pot Noodle while answering the phone leanded back in their chair. Call comes in: "Oh, No..ah ha, ah ha, well we'll get right on it"

Work colleague: "who was that?"

"Some Gob****e trying to report a Data Breach while I'm having me Pot Noodle"

Mr. G

Make a complaint to the DPC straight away then ring the company and ask to speak to the Data Protection Officer there- most large organisations have one.

I wouldn't phone the other person. That's not your job and you're not in a position to do so.

For all you know, this could be happening with several people.

DrGreenthumb

Are you trying to moderate last year?

Rucking_Fetard

Mr. G wrote: »

Make a complaint to the DPC straight away then

Even if it wasn't a year late, you're wasting your time with that lot.

http://www.boards.ie/vbulletin/showthread.php?t=2057275419

UCDVet

I'd be careful - in a lot of places - you'll be treated as a hostile computer hacker. This is particularly true if you are male and between the age of 15 and 30.

Mint Aero

Dammit Joe! Now's a time of action! not floundering about with words man! Take this to the commissioner now god dammit, take it all the way to the god damn president if needs be Joe! GO! GO! GO!

Son Of A Vidic

Probably safe to say that giving retrospective advice 16 months later, is most likely a complete waste of time.

catallus

kneemos wrote: »

Just remember what happened Freddie the gimp for telling tales.

What happened to Freddie the Gimp for telling tales?!