I’ve seen a few unconfirmed reports on t’internet that my employer has been recently hacked by a ransomware-type group of interweb baddies and they’ve made off with info including financial info, passport and driving licence info etc.
Any cyber boffins care to advise what I should be doing about this, if anything?
I’m slightly uncomfortable that some bad actor is potentially in possession of my banking info and several forms of my ID.
Bosses claim to know nothing about it.
I’m slightly uncomfortable that some bad actor is potentially in possession of my banking info and several forms of my ID.
Very timely article in the guardian about how those details can be used
https://www.theguardian.com/money/2024/feb/19/sim-swap-how-your-bank-account-can-be-emptied-by-phone
although those kinds of attacks can be done without so much personal data. You can just harangue a mobile phone provider into giving phone account access; so many customers can't remember their own passwords and get arsey about it that malicious attempts are lost amongst the noise. So people have pulled off the same fraud, taking over someone's phone account to get access to one-time codes, with minimal personal data.
Bosses claim to know nothing about it.
Show them the internet noise and ask them to look into it again/escalate to someone who might be better placed to know the truth.
Just sent you a pm PP.
How do we know this is the REAL perchypanther and not some 'bad actor' who has stolen his credentials?
Southern Water by any chance? In any case speak to your company Data Protection Officer - if there is a high risk of actual harm the organisation has to inform impacted data subjects (people). If you are not sure who your DPO is, their contact details should be on the privacy notice published on the company website.
Speak to your company data controller. They will then deal with it.
How do we know this is the REAL perchypanther and not some ‘bad actor’ who has stolen his credentials?
I think you’ll find I have always been a shadowy figure of chaos.
You can't speak to your company data controller any more than you can speak to your company building. It is the legal entity responsible for data protection compliance which is usually the organisation (legal person) as opposed to a living human (natural person). The DPO will be an actual person.
If it is the water company then it is properly grim if they can't fix the leaks in the real world and now have to contend with leaks in the digital world as well! More rate hikes to pay for these fixes as well...
(It's meant to be a bit of light humour, but I suspect it isn't going to land that way!)
Not a water company.
I’ve reported it up the line but no one seems to know anything about it.
Might never have happened, might have happened and no one has realised or it might be an elaborate cover up.
it might be an elaborate cover up
The GDPR rules are very strict about not covering data breaches up - so if it has happened you should find out soon enough.
The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
It definitely happens. I know it does first hand because I investigated one. Loads of files - thousands - were compromised and they contained (amongst other things) access details and credentials to computer systems within and without the company. We were ordered only to report to the IT head and no-one else, then ordered to cease and desist because we were "duplicating effort" with his own investigation. The final line back to the company was that there had been a breach but no PII was taken. To the best of my knowledge it was never reported to ICO. I contemplated reporting them myself, with hindsight I probably should have and I wish I had.
The DPO will be an actual person.
...although when you meet them you may question this....
If your email / pwd has been leaked, have a look on https://haveibeenpwned.com/ - enter your email or pwd and you'll see if any data relating to those credentials has been leaked.
Don't worry - that is a legitimate website - run by an IT security professional
Don’t worry – that is a legitimate website – run by an IT security professional
That's exactly what someone phishing would say... 😉
That’s exactly what someone phishing would say… 😉
very true - you'll have to do your own research 😉
If your email / pwd has been leaked, have a look on https://haveibeenpwned.com/
Think it was that website I was reading about the other week in relation to APIs... he set it all up and was initially expecting a handful of API calls a day and had to scale it up/out almost immediately due to the massive amount of API traffic it was getting
Many years ago - at least 10 - there was some data potentially exposed at a previous company I worked for. Those affected were given paid credit monitoring services (Experian I think) for a couple of years to watch for any identity theft issues.
If this is a real breach, perhaps request something similar?
We had something similar quite recently. I've now got a couple of years paid for covering my Experian account. It'll alert you if anyone has a nibble at getting credit for you. Think you might actually put a type of lock on there too (not sure if this is part of the paid service or not) to stop things actually progressing, bit of pain though as you've got to remember to unlock it when you're doing proper things yourself like new bank accounts etc. but better than the alternative.
If the bosses don't know anything then I'd suggest asking them on email what they do know and informing them that there are suspicions on t'interweb. It's possible they may be dealing with the ransomware people in the background (not that they'd tell you that) but worth letting them know you know and they should know as well.
Ultimately, without changing bank accounts, credit cards, address etc., now the info is out there, there is going to be an element of exposure.
Sadly, and it's a bit depressing to say this, you just need to make your details a bit more of a faff to scam than the next poor punter on the list. It's a bit like the online equivalent of the burglar seeing your house with alarm, window locks etc. - yes they could still put a brick through the window but the house next door left the window open so...
As a vaguely related aside, I heartily enjoy a regular perusal of this: https://ico.org.uk/action-weve-taken/enforcement/
As already mentioned, track down the DPO (or the person that foolishly agreed to be DPO in a last minute panic back in May 2018).