
First Capital Connect Data Protection Breach

Status
Not open for further replies.

jopsuk

Veteran Member
Joined
13 May 2008
Messages
12,773
It's quite clear that the letter sender has a grudge (as he doesn't even give consideration to the idea that many people on there are on there because they deliberately attempted fare evasion), that doesn't make the breach of data security less serious.
 

Tetchytyke

Veteran Member
Joined
12 Sep 2013
Messages
13,417
Location
Isle of Man
If an employee has used the data incorrectly or inappropriately then the company are at fault and are liable for the breach. There have been plenty of firms fined for staff losing laptops, etc.

If the person sending these mailshots is a former employee, that is even worse, as access to the systems should have been prevented the day they left the company.

Of course the person sending the mailshots has an ulterior motive, but given First Capital Connect's treatment of their customers throughout the years, this is hardly a surprise. FCC are notorious for using intention to prosecute letters to extract more money from innocent people than they can get from a penalty fare. It looks like this mailshot is payback for that, from person(s) unknown.

As for the reason why FCC hold this data, that actually makes this breach MORE serious than if their telemarketing database had been breached. This type of data, along with data regarding health and financial issues, should be held at only the highest level of security. The fact you can log on to this website on a non-FCC machine goes against most of what I've been taught about data protection in my job.
 

Clip

Established Member
Joined
28 Jun 2010
Messages
10,822
It's standard IT practice for some members of staff to be able to access everything. Everywhere I've worked, people in the IT department have been able to access everything, as they're the people who set up the security. There comes a point where you just have to trust the staff you hire to do the job - hence why so many employers in offices nowadays do CRB* checks.

Even the NSA find the problem of "who watches the watchers" problematic, so this isn't restricted to FCC.

* or whatever the new name for them is.
--- old post above --- --- new post below ---


How can you confirm this so soon if you have only just started the investigation?

On the first post - that is correct. I have access to tons of stuff about my company, its employees and so on and so forth, my employees and others not so much info. However I do not have access to any of the rolling stocks departments files as I have no need for them.

For the second post - I think they mean the fare paying customers' data is safe. I would imagine that that is kept on a different server with a more secure encryption - given that it is powered by someone else - can't remember who though.
 

AMT

Member
Joined
7 Oct 2013
Messages
24
If an employee has used the data incorrectly or inappropriately then the company are at fault and are liable for the breach. There have been plenty of firms fined for staff losing laptops, etc.

If the person sending these mailshots is a former employee, that is even worse, as access to the systems should have been prevented the day they left the company.

Of course the person sending the mailshots has an ulterior motive, but given First Capital Connect's treatment of their customers throughout the years, this is hardly a surprise. FCC are notorious for using intention to prosecute letters to extract more money from innocent people than they can get from a penalty fare. It looks like this mailshot is payback for that, from person(s) unknown.

As for the reason why FCC hold this data, that actually makes this breach MORE serious than if their telemarketing database had been breached. This type of data, along with data regarding health and financial issues, should be held at only the highest level of security. The fact you can log on to this website on a non-FCC machine goes against most of what I've been taught about data protection in my job.

Some good points here. I agree that it seems a bit dodgy to have data stored on an online/external platform, but surely CRIMS (or IQM Software) is inline with the Data Protection Act? Where I work we're pretty big on data protection and we use an internal database. All the data reports we run are linked to that database so can't be accessed externally.

I'm just about to call the ICO anyway. I will let you know what they have to say about it.
 

Tetchytyke

Veteran Member
Joined
12 Sep 2013
Messages
13,417
Location
Isle of Man
Tough one. I run a legal advice service and we use an online-based case management system, owned and operated by a third party. We're discharging our DPA requirements by using appropriate software. I doubt CRIMS could be argued to be inappropriate software.

But CRIMS deals with extremely confidential information, far more than what my service uses. You wouldn't expect to be able to boot up the police's criminal record system or your GP's medical reporting system from any laptop, and this information is at that level.
 

AMT

Member
Joined
7 Oct 2013
Messages
24
I spoke to ICO and they advised me to contact the FCC Prosecution Department. I have just been on the phone with the Manager of the department and he was aware of the issue already, they are currently investigating. He was very apologetic and I was convinced by his manner that he is taking this issue seriously.

I am going to email the letter I received and request a written explanation within 28 days (as advised by ICO) and see what they come back with.
 

FGW_DID

Established Member
Joined
23 Jun 2011
Messages
2,745
Location
81E
.......The fact you can log on to this website on a non-FCC machine.......

But can you? Has anybody on here managed to find this 'website' and access it?

Google certainly doesn't throw up anything apart from the trade blurb from the designers.

http://www.iqmsoftware.co.uk/Products/Details/crims

After reading what it does and the info it holds, I agree with whoever said this should be protected to a really high level. :shock:
 

soil

Established Member
Joined
28 May 2012
Messages
1,956
The letter looks like an internal effort from a current or former employee of FCC.

The claims are plausible, but who knows.

I can't find any reason to believe that the CRIMS product is more likely than average to be shoddy/insecure. Job ads for their company state 'IQM Software, Shoreham. Good experience in the following environments:C#, MVC 3/4, JQuery, OO Design', which aren't particular alarm bells from a security perspective.

That said, there's crap programming everywhere.....
 
Joined
6 Mar 2010
Messages
75
I spoke to ICO and they advised me to contact the FCC Prosecution Department. I have just been on the phone with the Manager of the department and he was aware of the issue already, they are currently investigating. He was very apologetic and I was convinced by his manner that he is taking this issue seriously.

I am going to email the letter I received and request a written explanation within 28 days (as advised by ICO) and see what they come back with.

Thanks for uploading the letter. As to whether or not there was a Data Protection Act breach [see posts by others], this will become clear when it is known which of these apply:
  1. The data was available to a third party (eg via a hacking). Highly likely to be a breach, but it will depend on the circumstances (eg a previously unknown error vs a known problem where an update was not applied)
  2. An ex member of FCC staff - who still retained access after they left - almost certainly a breach
  3. A current member of FCC staff who should not have had access - almost certainly a breach
  4. A current member of staff who did have legitimate access - this will very much depend on the circumstances. As, in principle it is very sensitive data, it is reasonable to protect it to a very high standard - eg to expect very few people to be able to take a download.

Of note is that the OP mentioned a first class stamp, so if the letter writer really did write to all 90,000 people on the list then they spent £54,000 on it, so I suspect they only wrote to some people at random, in the hope that this would be enough to generate adverse publicity and pain for FCC.

One important point to note is that we do not know where the alleged breach occurred, for instance, it may be nothing to do with the CRIMS software - an administrator might have had direct database access, or an authorised user might have taken it, or it could have been legitimately downloaded and then stolen etc etc.
 

maniacmartin

Established Member
Fares Advisor
Joined
15 May 2012
Messages
5,402
Location
Croydon
It's also possible that someone who knew of the existence of CRIMS and knew the OP was stopped by a member of railway staff generated a single letter and never even saw the database. This could have been someone at FCC, a friend of the OP or even the OP themselves.
 

AMT

Member
Joined
7 Oct 2013
Messages
24
It's also possible that someone who knew of the existence of CRIMS and knew the OP was stopped by a member of railway staff generated a single letter and never even saw the database. This could have been someone at FCC, a friend of the OP or even the OP themselves.

Well they were already aware of the incident from other people reporting that they had also received the letter, so how would I have access to their details as well?
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,225
Location
UK
You weren't directly being accused of it, but I think it's fair to say that every possibility had to be considered when someone posts on a forum. I guess you could class it as due diligence.

Something the mainstream media ought to do more often!
 

Mojo

Forum Staff
Staff Member
Administrator
Joined
7 Aug 2005
Messages
20,466
Location
0035
Well they were already aware of the incident from other people reporting that they had also received the letter, so how would I have access to their details as well?
Yes I did see a Twitter conversation between FirstCC and one other person mentioning the same thing.
 

AMT

Member
Joined
7 Oct 2013
Messages
24
You weren't directly being accused of it, but I think it's fair to say that every possibility had to be considered when someone posts on a forum. I guess you could class it as due diligence.

Something the mainstream media ought to do more often!

I appreciate that but saying
This could have been someone at FCC, a friend of the OP or even the OP themselves
You can't get more direct than that.

Anyway, I know I definitely wasn't the first to contact them about it, and probably won't be the last either.
 

ninthrock

Member
Joined
22 Aug 2013
Messages
6
My friend has received one of these Data Protection Breach letters. I'm not quite sure who to contact about it.
 

AMT

Member
Joined
7 Oct 2013
Messages
24
My friend has received one of these Data Protection Breach letters. I'm not quite sure who to contact about it.

There should be a contact number for the ICO in the letter. Contact them first, and then contact FCC (details also in letter).

That is if the content of the letter was the same as mine. I attached it as a PDF document earlier on in this thread.

Let us know what they say. It would be good to know if there is any consistency in how this is being dealt with.
 

FirstCC

New Member
Joined
17 Oct 2013
Messages
2
All customer data is safe. We are dealing with this issue and ask anyone who has received a similar letter to send it to us at the following address:
First Capital Connect, Customer Relations, 1 Cranwood Street, London, EC1V 9QS

Regards

FirstCC
 

34D

Established Member
Joined
9 Feb 2011
Messages
6,042
Location
Yorkshire
All customer data is safe. We are dealing with this issue and ask anyone who has received a similar letter to send it to us at the following address:
First Capital Connect, Customer Relations, 1 Cranwood Street, London, EC1V 9QS

Regards

FirstCC

What about data on people who aren't paying customers, though?

Is there an internal enquiry ongoing?

What about people who are concerned that they may be on this database, and that their information has been acquired by this third party?
 

EM2

Established Member
Joined
16 Nov 2008
Messages
7,522
Location
The home of the concrete cow
On a similar theme, there is an FCC ex-employee who has someone feeding him internal information which he is posting on Twitter, as well as waging an ongoing campaign about a supposed cover-up relating to his dismissal.
I assume FCC are conducting internal enquiries into who is passing confidential company information to this person?
 

AMT

Member
Joined
7 Oct 2013
Messages
24
I just wanted to update everyone on the situation.

I received the attached letter from the FCC Customer Relations Exec. It explains that there was an error with the system they use, which has now been fixed. They are also investigating the unauthorised access.

It's obviously a shame that this has happened. When these breaches occur the important thing is how they're dealt with and I personally think FCC are dealing with it pretty well, considering the situation. The only thing in the letter I wouldn't agree with is the part about sensitive data not being compromised, because from the training I've had in data protection I was under the impression that address details are considered to be sensitive data. I'm not sure if there are different definitions out there but in this case I'm assuming that they're referring to bank details etc. I agree that it could have been a lot worse.

I appreciate them waiving the travel irregularity payment. I had received a court summons dated a few days earlier but I have contacted the Prosecutions Manager and he has confirmed that I won't have to attend.
 

yorkie

Forum Staff
Staff Member
Administrator
Joined
6 Jun 2005
Messages
68,837
Location
Yorkshire
There is a long history of apparent disgruntled FCC (ex-)employees 'whistleblowing' about incorrect practices within FCC.

Is it all just one person causing trouble? Or is there a big problem within FCC leading to several (ex-)employees exposing bad practice?
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,225
Location
UK
Good question. If it's the one person I think it is, I think he was particularly bitter and has probably made it his lifelong ambition to get back at the company - but surely it can't just be one person doing all of this? I mean, they'd surely have moved on by now?
 

EM2

Established Member
Joined
16 Nov 2008
Messages
7,522
Location
The home of the concrete cow
Good question. If it's the one person I think it is, I think he was particularly bitter and has probably made it his lifelong ambition to get back at the company - but surely it can't just be one person doing all of this? I mean, they'd surely have moved on by now?
He certainly hasn't. Pretty much every day, he will tweet the FCC account with the same thing, demanding that the same members of staff be investigated about lying, leading to his dismissal.
He will lay into the FCC Twitter team at any opportunity, anyone who takes him to task is met with abuse and insults, and woe betide anyone who happens to send FCC an appreciative tweet!
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,225
Location
UK
I've had someone starting to converse with me on Twitter (and including GA in the Tweet) when I said something nice to Greater Anglia a month or two ago. It was clearly from someone very bitter who took exception to me suggesting they could do a good job*.

I think my Tweet had been about how friendly and efficient the ticket staff were at Liverpool Street, which they were. He then started on some unrelated rant, such that I had to pretty much tell him to butt out and start his own thread.

* Yes, I know you've all got a potential suspect lined up. :)
 