licence renewals

[LesGriff]

The CRT have sent me a licence renewal email with a PDF attached, unfortunately there is also another 320 PDFs for other people’s licence renewals including all their personal details, I have informed them but no reply yet, is it just me?

 

Please excuse any spelling grammar mistakes I have just recovered from a stroke and my brain is not what it was.

[WotEver]

321 PDF’s all attached to one email? They must be tiny. 

 

As the small print no doubt says, “if the contents of this email are not for you, please delete them”. 

[Arthur Marshall]

I think it mean that you have won the lottery and now have to pay for 320 other people's licences.  Can you let me know if I'm on the list just so I don't make a mistake and pay it meself??

Seriously though, when you say personal details, do you mean just boat names and the owners name and address, or are there bank account details included too on the PDFs? If the former, it's not too dreadful (someone's hit CC instead of BCC, I suspect), if the latter, dangerous.

[Robbo]

Oh dear, a slight GDPR violation then    CRT will need to report the breach.   A google points here; https://ico.org.uk/for-organisations/report-a-breach/.

 

As they are now aware they will need to report with in 72hours.

Edited August 22, 2018 by Robbo

[Nut]

first of all hope you are on the mend, secondly report them

[LesGriff]

Thanks everyone for the reply's,

WotEver The email was just over .6 Gig i have deleted them.

 

Arthur Marshall No bank details but name address boat name and number also mooring details and phone number, was Bcc.

 

Robbo I have reported it to the CRT but no reply yet.

 

Nut  I am much better thank you just my brain not working properly yet my wife says it never did, I doesn't stop me going to the boat so all is well.

Edited August 22, 2018 by LesGriff

[Tim Lewis]

From Facebook:

 

This morning (22 August 2018) the Canal & River Trust discovered a data breach in relation to licensing renewals affecting around 950 customers. The breach was due to a technical issue at our sub-contractor and not a breach of the Trust’s security system. We do not believe that anyone has been put at financial risk but the Trust offers sincere apologies for this error. We are contacting those customers that have been affected (look out for an email) but any customer with concerns can contact the Trust customer service team on 0303 040 4040. Damian

[koukouvagia]

If this is true, then it is staggeringly incompetent.  The penalties for this sort of breach under the new GDPR regulations are severe.  This needs reporting to the ICO.

 

eta. Sorry, didn't see Robbo's post #4

Just tried to get on to the ICO website and, guess what, it's not working!

Edited August 22, 2018 by koukouvagia

[Jen-in-Wellies]

19 minutes ago, Tim Lewis said:

From Facebook:

 

This morning (22 August 2018) the Canal & River Trust discovered a data breach in relation to licensing renewals affecting around 950 customers. The breach was due to a technical issue at our sub-contractor and not a breach of the Trust’s security system. We do not believe that anyone has been put at financial risk but the Trust offers sincere apologies for this error. We are contacting those customers that have been affected (look out for an email) but any customer with concerns can contact the Trust customer service team on 0303 040 4040. Damian

The same canned statement is in a pdf downloadable from the CaRT web site if you do a search for data breach.

https://canalrivertrust.org.uk/media/original/38589-statement-re-data-breach-in-relation-to-licensing-renewals.pdf?v=c3fca5

 

Jen

[Phil.]

22 minutes ago, koukouvagia said:

If this is true, then it is staggeringly incompetent.  The penalties for this sort of breach under the new GDPR regulations are severe.  This needs reporting to the ICO.

 

eta. Sorry, didn't see Robbo's post #4

Just tried to get on to the ICO website and, guess what, it's not working!

Yeah great, let's hope crt get fined tens of thousands of our licence fee pounds, and then we can have even less spent on maintaining the canals.

[mrsmelly]

1 hour ago, Phil. said:

Yeah great, let's hope crt get fined tens of thousands of our licence fee pounds, and then we can have even less spent on maintaining the canals.

Completely agree. Like these numpty overpaid solicitors advertising on how to make a medical cock up claim. Yeah  we should all help stuff solicitors pockets with money whilst sat at their cushy desk jobs at the expense of our fantastic nhs who obviously make some mistakes.

5 hours ago, LesGriff said:

The CRT have sent me a licence renewal email with a PDF attached, unfortunately there is also another 320 PDFs for other people’s licence renewals including all their personal details, I have informed them but no reply yet, is it just me?

 

 

 

Please excuse any spelling grammar mistakes I have just recovered from a stroke and my brain is not what it was.

 

If mine is amongst them please pay it for me ??

[Chewbacka]

2 hours ago, Phil. said:

Yeah great, let's hope crt get fined tens of thousands of our licence fee pounds, and then we can have even less spent on maintaining the canals.

Yep, get gun, aim at own foot, bang, that will teach them..........

[Jo_]

I have also had the licence renewal email (and the ooops email) and 132 .pdfs of other people boat/insurance/telephone/mobile/home address details.

 

Catch me renewing online at the moment .............

[Robbo]

There is no reason for the pdf in the first place, email is insecure so why is personal details been sent via that method in the first place!

[Clodi]

In the CRT statement they make it clear that the mistake lies with a 'subcontractor' therefor surely said 'subbi' is at fault and liable?

[George and Dragon]

5 minutes ago, Clodi said:

In the CRT statement they make it clear that the mistake lies with a 'subcontractor' therefor surely said 'subbi' is at fault and liable?

Subcontractor may have some liability, responsibility ultimately rests with the data controller which will be CRT.

Best we can hope for is subcontractor has insurance which will pay the fine.

 

[Arthur Marshall]

As I've said in another thread on this,  It is no longer logical to expect that ANY information held on a database by any company is secure.  All the evidence points the other way, from government sites being hacked or just leaving CDs about, to almost every mobile phone company losing its info to, in fact, virtually everyone who holds any info on their computer and is connected to the internet, or just backs up onto a separate drive.

It's pointless legislating, and as pointless getting upset. It's just the price you pay for things being done online.  Anyone who knows anything about internet security knows that there is no such thing.  It's not just that the systems themselves aren't secure, but people are also involved, and they're not.  They make mistakes.  You can't legislate that out of existence.

In this case, no damage has been done - any info out there as regards names and addresses is readily available and has probably been sold fourteen times already, and guess what? You can look phone numbers up on the net...

[MtB]

1 hour ago, Arthur Marshall said:

As I've said in another thread on this,  It is no longer logical to expect that ANY information held on a database by any company is secure.  All the evidence points the other way, from government sites being hacked or just leaving CDs about, to almost every mobile phone company losing its info to, in fact, virtually everyone who holds any info on their computer and is connected to the internet, or just backs up onto a separate drive.

It's pointless legislating, and as pointless getting upset. It's just the price you pay for things being done online.  Anyone who knows anything about internet security knows that there is no such thing.  It's not just that the systems themselves aren't secure, but people are also involved, and they're not.  They make mistakes.  You can't legislate that out of existence.

In this case, no damage has been done - any info out there as regards names and addresses is readily available and has probably been sold fourteen times already, and guess what? You can look phone numbers up on the net...

 

I think you’re right, and I also think there are probably hundreds of trivial breaches like this every day so reporting to the ICO will result in a deafening silence as they will have far bigger fish fry rather than waste their limited resources on a non event like this. 

[BruceinSanity]

7 hours ago, Mike the Boilerman said:

 

I think you’re right, and I also think there are probably hundreds of trivial breaches like this every day so reporting to the ICO will result in a deafening silence as they will have far bigger fish fry rather than waste their limited resources on a non event like this. 

I imagine it’s a bit like reporting a near miss to the HSE under RIDDOR. Big form to fill in but unless you make a habit of it, nothing else eventuates.

[MtB]

5 minutes ago, BruceinSanity said:

eventuates.

 

New word of the day!

 

Does it mean 'happens'?!

 

Certainly RIDDOR reports of unsafe gas work are just used for stat collecting and analysis. No action is ever taken to correct the individual problems reported. 

[BruceinSanity]

4 hours ago, Mike the Boilerman said:

Does it mean 'happens'?!

You are correct, sir. Not sure why I used it except I’d not finished drinking the first cup of tea of the day, so not all the neurones had got going. ?

[Jo_]

This 'data breach' was surely a case of local human error. Someone told to send the .pdfs and the letters to the relevant addresses just got it wrong big time!

[Mike Todd]

On 22/08/2018 at 21:57, Arthur Marshall said:

As I've said in another thread on this,  It is no longer logical to expect that ANY information held on a database by any company is secure.  All the evidence points the other way, from government sites being hacked or just leaving CDs about, to almost every mobile phone company losing its info to, in fact, virtually everyone who holds any info on their computer and is connected to the internet, or just backs up onto a separate drive.

It's pointless legislating, and as pointless getting upset. It's just the price you pay for things being done online.  Anyone who knows anything about internet security knows that there is no such thing.  It's not just that the systems themselves aren't secure, but people are also involved, and they're not.  They make mistakes.  You can't legislate that out of existence.

In this case, no damage has been done - any info out there as regards names and addresses is readily available and has probably been sold fourteen times already, and guess what? You can look phone numbers up on the net...

The only wholly secure system sits inside a Faraday cage with no external connections at all, even fir power. In other words, wholly without use.

On 23/08/2018 at 07:28, BruceinSanity said:

I imagine it’s a bit like reporting a near miss to the HSE under RIDDOR. Big form to fill in but unless you make a habit of it, nothing else eventuates.

In some contexts, like drug side effects, it is the collation of lots of small reports that enables the bigger finding.

Edited August 24, 2018 by Mike Todd

[Rob-M]

I've now received two emails an hour apart, one to say my details have not been leaked and one to apologise for leaking my details. A bit of a shambles in terms of looking after my personal information.

Edited August 24, 2018 by Rob-M

[Chewbacka]

1 hour ago, Rob-M said:

I've now received two emails an hour apart, one to say my details have not been leaked and one to apologise for leaking my details. A bit of a shambles in terms of looking after my personal information.

Do you have more than one licence by any chance?