An internet provider gave my bank details to another customer

bax1971

Hi, just wondering if anyone could guide me with an issue I have with an Internet provider. They got my account and bank details mixed up with another customer - they posted my full bank details including IBAN and BIC number to another customer. I wonder where I stand with regards to compensation or otherwise. Thanks.

whomitconcerns

compensation for what? They made a mistake. I would make a complaint (not sure how you know this is what happened anyway) But why would they owe you compensation? Have you suffered a loss?

bax1971

I know this is what happened because myself and the other customer (who is, luckily, not a fraudster), have been in touch and we have both been on to the Data Protection Commissioner and the provider.

whomitconcerns

messy by the telco..and Im not on their side but why would they owe you compensation? Have you suffered a loss? I could see them being fined, but realisticaly there is little the other person could do with your iban and bic on their own anyway, so wouldnt see any compo coming up

Tom Young

The case of Collins v FBD Insurance Plc. per Feeney J answered that very question. If you can't show loss, arising as a consequence of the breach, then damages are not available to a claimant. General damages do not arise under the DP Acts, as amended, more is the pity.

This was/is a mistake, some offer of amends would be appropriate from the service provider, but I'd personally be uncomfortable if someone made an honest mistake and lost their job and was disciplined, even if the mistake was minor.

gerrybbadd

I'd say an apology and some good grace move like a free month's service will be about the height of the "compensation" you'll get.

Compensation culture in this country is mad

ct5amr2ig1nfhp

Compensation for what? Have you suffered loss, suffering or injury?
"Compensation: something, typically money, awarded to someone in recognition of loss, suffering, or injury"

Let the DPC give them a warning and that's it.

bax1971

It wasn't just the IBAN and BIC, it was my name, bank name, sort code and account number also and I believe that's enough for my account to have been cleared out if these details had've fallen into the wrong hands. As it stands, the provider has already offered a €200 credit on the account. Thanks for your input.

NewCorkLad

Anyone who gives out a cheque gives away the same information so its not really that dangerous.

Id take the €200.

gerrybbadd

bax1971 wrote: »

It wasn't just the IBAN and BIC, it was my name, bank name, sort code and account number also and I believe that's enough for my account to have been cleared out if these details had've fallen into the wrong hands. As it stands, the provider has already offered a €200 credit on the account. Thanks for your input.

Take it and run. Amazing offer

seamus

bax1971 wrote: »

It wasn't just the IBAN and BIC, it was my name, bank name, sort code and account number also and I believe that's enough for my account to have been cleared out if these details had've fallen into the wrong hands. As it stands, the provider has already offered a €200 credit on the account. Thanks for your input.

"If", being the big word there.

The details didn't fall into the wrong hands, so you have suffered no loss as a result of this incident. €200 credit is a nice result.

TireeTerror

I would love to know how they would be clearing out your account? Every bill you ever received has had the companies details on the girobank part at the bottom. Its not as if they had your credit or debit card number, expiry date and signature strip security number.

Calm down and snatch that €200 if they are stupid enough to offer it to you.

bax1971

Ok. thanks everyone. Just wanted to put my mind at ease and be content with myself in not being easily pacified as a result.

Boom_Bap

bax1971 wrote: »

It wasn't just the IBAN and BIC, it was my name, bank name, sort code and account number also and I believe that's enough for my account to have been cleared out if these details had've fallen into the wrong hands. As it stands, the provider has already offered a €200 credit on the account. Thanks for your input.

They should not be storing that information in plain text for it to be printed on outgoing materials. That would mean that your and every other customer has their info stored in plain text on thier database. That's pretty f*cking sketchy.

seamus

TireeTerror wrote: »

I would love to know how they would be clearing out your account? Every bill you ever received has had the companies details on the girobank part at the bottom. Its not as if they had your credit or debit card number, expiry date and signature strip security number.

Fraudsters are pretty good at this and with a bit of social engineering can take those details and blag their way into making a withdrawal. It's a high-effort, high-stakes game for fraudsters though so they're unlikely to do it unless they're guaranteed a decent payout from it.

The odds of these details accidentally falling into the hands of a fraudster clever enough to use them is very slim.

whomitconcerns

Nope, your doing well to be honest. Itw as silly on their part. But the chances of you suffering a loss through that data being shared is very very small. And inded other data and info would have been needed anyway.

Take the 200 squids and enjoy

bax1971

Thanks BoomBap. My thoughts exactly.

Graham

Boom_Bap wrote: »

They should not be storing that information in plain text for it to be printed on outgoing materials. That would mean that your and every other customer has their info stored in plain text on thier database. That's pretty f*cking sketchy.

Just because it can be printed does not mean it is stored as plain text. It may mean it is unencrypted before it is printed.

Boom_Bap

Graham wrote: »

Just because it can be printed does not mean it is stored as plain text. It may mean it is unencrypted before it is printed.

If they are silly enough to sent the info out and to the wrong person then I would suggest they have no encryption.
The problem is that they shouldnt be decrypting to plain text ever after storage.

seamus

Boom_Bap wrote: »

They should not be storing that information in plain text for it to be printed on outgoing materials. That would mean that your and every other customer has their info stored in plain text on thier database. That's pretty f*cking sketchy.

Actually that's quite standard across the board.

The data security standards that most retailers have to conform to do not include bank account numbers in scope to be encrypted. Data Protection law only requires that it is stored securely and accessible only to people who need access to it. It does not explicitly specify encryption - security at the username/password level is adequate.
Credit card data is typically encrypted because PCI standards require it and failure to adhere to these standards will prevent your business being able to take payments from credit and debit cards.
No such standard exists for bank accounts.

Some places will also encrypt this data because it's a good idea, but there is some overhead to it, so companies often won't do it because they legally don't have to.

Boom_Bap

seamus wrote: »

Actually that's quite standard across the board.

The data security standards that most retailers have to conform to do not include bank account numbers in scope to be encrypted. Data Protection law only requires that it is stored securely and accessible only to people who need access to it. It does not explicitly specify encryption - security at the username/password level is adequate.
Credit card data is typically encrypted because PCI standards require it and failure to adhere to these standards will prevent your business being able to take payments from credit and debit cards.
No such standard exists for bank accounts.

Some places will also encrypt this data because it's a good idea, but there is some overhead to it, so companies often won't do it because they legally don't have to.

OK, that would make sense

Peregrinus

Couple of thoughts.

1. The fact that their systems and standards are such that this was allowed to happen might cause you to wonder whether you want to continue to do business with this outfit.

2. If you think that the release of your bank account details jeopardised the security of your account, you might want to consider closing your account and opening a different one, or otherwise changing your banking arrangements so as to render the accidentally-released data obsolete.

3. But, though you're entitled to be seriously pissed off, you haven't as yet suffered any significant loss which would translate into an award of compensation. You don't get money just for being pissed off at someone else's poor standards and practices.

4. If you do feel the need to adjust your banking arrangements as suggested in para 2, and if this causes you to incur costs in the way of bank charges or whatever, you could look for compensation for that. But the amount you could hope to get would be related to the actual costs you had incurred.

5. If you accept the 200 euro, you are likely to be asked to agree that this is in full and final settlement, etc, etc, meaning that if you subsequently do lose money as a result of your details having been disclosed, there will be a barrier to any claim for further compensation for that.

6. So, if you are genuinely concerned that the security of your money is at risk, (a) change your banking arrangements, and (b) consider not accepting the offer of 200 euros, unless it is accompanied by an indemnity from the provider in respect of any future losses (which, realistically, the provider will never agree to give). If you think the provider's negligence has created a real risk of loss which might yet materialise, why would you give up your right to compensation for a measly 200 euros?

Boskowski

Just because someone knows your IBAN and BIC - which is the same as your account number and sort code btw - does not enable them to 'clean out' your account. Not even paired with your name.

A lot of account numbers can be and are publicly known. For instance in many European countries where bank transfers are the norm of making payments rather than cc many companies have their bank details on their website or can be easily retrieved from eBay. Nobody clears out those accounts.

You're just making wild claims you probably know to be incorrect. Cis you feel you're owed something or other. But sorry your expected windfall just ain't there. It's a slight embarrassment on behalf of the telco and shouldn't have happened hence the €200 offer but it's no more than that.

Take the 200 and stop acting outraged over something next to nothing.

Mellor

bax1971 wrote: »

It wasn't just the IBAN and BIC, it was my name, bank name, sort code and account number also and I believe that's enough for my account to have been cleared out if these details had've fallen into the wrong hands.

The Bank name, sort code and account number is the same the BIC+IBAN. There's no extra info. And you can generate one from the other.

How could they clean you out?
You can't just walk into a bank and give a name (without ID either) and an account number and ask for all the money. That's ridiculous.

Anybody that has ever transferred you money also has that info btw.