Data leak – pursue claim or not?

Hi all

I wouldn’t usually bother with something like this but this one irks.

I have received a letter from a ‘finance product’ provider stating that they had been hacked.   Two years ago I bought a life cover product via an IFA and it seems they ultimately sold / own the product.  This was related to my role at work but gave away huge amounts of personal medical information as well as all of the normal address and financial stuff.

I get that hacking occurs but this letter specifically stated that they hadn’t contacted me straight away as they thought that they had contained the leak.  They then relised at a later date the severity of the leak.  They state that there is reason to be concerned that the degree of my details released could leave me open to identify fraud.  So double incompetence.

Their apology took the form of two years access to some type of Experian (I think) online platform where I could monitor activity in my name.  Essentially shouldering all of the donkey work onto me.  Now all of this takes time, personally and professionally and of course has a related cost.  I am minded to approach them to compensate me / the company for the man hours that this will take to take precautionary action.

Has anybody else dealt with this type of scenario? The detail of the medical records leaves me particularly vulnerable I think and it will take quite some time to change all IT security in the business and monitor all transactions going forward.

Is this hard luck or worth pursuing?

this has happened to me three times now. industry standard seems to be give a free years membership to experion and say sorry. sucks but Im not sure what else you are expecting?

My medical info was one of 100,000 others to be hacked as part of the HSE Covid data breach. My response was….meh. Shit happens. My work payroll provider was also hacked and, as mentioned above, we got a years Experian but I never used it.

It’s a pretty poor show if they are only going to give you 12 months access to a credit reference agency.. For your own bloody file..

I mean.. A £100 Amazon voucher would be less of a kick in the teeth than that.

What spineless a cop-out!

Happened to me a couple of times.  I suspect it would be hard to prove any financial loss unless there’s some class action thing.  No harm asking tho.

Happened to me a couple of times. I suspect it would be hard to prove any financial loss unless there’s some class action thing. No harm asking tho.

I think the crux of the issue is you should have more ability to deny data access, or have held data deleted as a default rather than waiting until you suffer a breach

At which point the culprit, with a simple simple shrug of the shoulders, can say.. well here’s 12 months Equi-fuqt membership, SO OUR  responsibility has been fullfilled, now GTFO.

Until companies start having to pay massive fines for data breaches, there’s no incentive to properly protect it….

Companies do get fined. Large sums too. The ICO impose them and these fines fall outside insurance so it can and does hit the company who allowed the breach but there probably isn’t much recourse you can ask for aside from Experian membership.  You would need to prove material or financial loss or harm, psychological injury for example.

Their apology took the form of two years access to some type of Experian (I think) online platform where I could monitor activity in my name.  Essentially shouldering all of the donkey work onto me.  Now all of this takes time, personally and professionally and of course has a related cost.  I am minded to approach them to compensate me / the company for the man hours that this will take to take precautionary action.

Whilst I’m inclined to agree that simply saying “check your records at Experian for two years” so we can absolve ourselves of responsibility is not really a good fix, unless you can quantify the loss in some way that (theoretically) you can stand in front of a judge and him not laugh, I don’t know how you would know if this is 5 minutes every 3 months (probably now worth the hassle of “claiming”) or multiple hours because you log in to Experian and find something bad happened.

Has anybody else dealt with this type of scenario? The detail of the medical records leaves me particularly vulnerable I think

Your medical records are obviously particularly sensitive (special category data at GDPR call it).  How they might be used against you depends on who you are and what they say.  Mine would be spectacularly dull, but obviously there will be people with specific conditions, addiction histories, mental health problems, STIs etc who may feel more vulnerable to them being exposed.  I would say that unless you are a “celeb” that there’s probably little wider interest in your personal medical records – so whilst they certainly should be secret the risk of actual harm is probably low in general.  That’s not to say that policies around them should not be tight, but the things people often worry about, like insurers misusing that information are probably not likely to occur through leaked data.

and it will take quite some time to change all IT security in the business and monitor all transactions going forward.

Well that sounds like “your” problem (assuming your company) – constantly addressing security risks is a cost of doing business.

The Experian membership is for a fraud monitoring service, rather than your credit score. Normally a paid for service. (In my case it wa, anyway)

Until companies start having to pay massive fines for data breaches, there’s no incentive to properly protect it….

€1.2 billion against meta by Irish DPO feels pretty big.

I got that Experian check free after the University Pensions provider, USS, lost all our personal information. You can set it up so it pings you if your data appears anywhere. Mine has, several times, and it’s allowed me to double check everything is secure. No great hassle, although obviously better if it hadn’t happened!

Twice myself, USS when I worked for a Uni and then the Capita one (Environment Agency). It’s infuriating that they really don’t have any ideas to compensate, you just now have to do the leg work to keep an eye on the Experian and every other account for anything that looks dodgy. We had to fight to get two years’ Experian, when you think of the number of people affected it could be years before the data is fraudulently used. It’s an arse.

Interesting where the fines money goes isn’t it.

It certainly not those directly affected by the data loss.

Thanks all, probably futile to chase this.  As suggested up there, it is possible to claim for financial loss and  / or distress but how can the latter ever be valued?

I’ve had free experion for a few years now thanks to multiple hacks. It’s helpful but as soon as you go all comparethemarket on insurance quotations, it can get a bit excited. Otherwise it’s been a bit of a non-event Nobody has applied for loans in my name (so far). Set it up to ping you on applications and credit checks. It’s informative at the very least about the industry in general. It does nothing to your credit score.