
First Capital Connect Data Protection Breach


AMT

Member
Joined
7 Oct 2013
Messages
24
Hello,

I recently had an issue with FCC and was sent an Intention to Prosecute letter, which I have responded to and haven't heard back... (I won't bore you with the details).

Anyway, I got home today to a letter, with a first class stamp on it, telling me that FCC have my personal information (presumably from the details form the RPIs have) in public view on their "C.R.I.M.S website". It goes on to say that this data protection breach has 90,000 victims, and it mentions the things that you could possibly claim compensation for and what you can do to take the issue further etc.

Has anyone else received or heard of this issue? I've tried searching on Google but I can't find anything about it. Obviously my details are out there somewhere otherwise whoever sent me the letter (it doesn't actually say who it's from) wouldn't have known my address details and that I have recently had an issue with FCC.

Any thoughts?


Many thanks.
 

soil

Established Member
Joined
28 May 2012
Messages
1,956
Could you post a copy (scan/photo) of the letter here?
 

maniacmartin

Established Member
Fares Advisor
Joined
15 May 2012
Messages
5,402
Location
Croydon
CRIMS appears to be a piece of software that TOCs can buy to record details of fare evasion. It's used by numerous TOCs. If FCC's database has indeed been leaked, this is big news.
 

AMT

Member
Joined
7 Oct 2013
Messages
24
Could you post a copy (scan/photo) of the letter here?

Yeah sure. Will have to be in the morning though when I get to work. I don't have a scanner at home and it's too long to type.

Maybe I'm one of the first to receive it. It seems odd that there's nothing about it online (at least that I can find).

I deal with data at my work so I'm aware of data protection issues. If what the letter claims is true then it is indeed quite a serious breach.

Will post the scanned letter tomorrow. Thanks for your interest!
 

FGW_DID

Established Member
Joined
23 Jun 2011
Messages
2,745
Location
81E
From the sounds of it CRIMS isn't a public database, only viewable to the TOC revenue dept and those who need it to carry out their duties. I don't think FCC has breached the Data Protection Act; it's more likely they have been hacked and the records stolen. If someone can hack NASA then FCC's security system shouldn't be too much of a challenge to a half decent hacker (especially one who may have a grudge against FCC).

Actually thinking about it could also be a very disgruntled employee who has access to the system.

--- old post above --- --- new post below ---
Hello,

I recently had an issue with FCC and was sent an Intention to Prosecute letter, which I have responded to and haven't heard back... (I won't bore you with the details).......

Is this the same issue there are three pages of discussion about in the Disputes & Prosecutions forum?
 

185

Established Member
Joined
29 Aug 2010
Messages
5,088
From the sounds of it CRIMS isn't a public database, only viewable to the TOC revenue dept and those who need it to carry out their duties. I don't think FCC has breached the Data Protection Act; it's more likely they have been hacked and the records stolen. If someone can hack NASA then FCC's security system shouldn't be too much of a challenge to a half decent hacker (especially one who may have a grudge against FCC).

Actually thinking about it could also be a very disgruntled employee who has access to the system.

Regardless of the method or nature of the breach, if the custodian of the data, namely the company, has not taken appropriate steps to ensure the data is secure, then they have committed the breach.
 

FGW_DID

Established Member
Joined
23 Jun 2011
Messages
2,745
Location
81E
Quite agree, if they haven't taken the appropriate steps; but if they have taken appropriate measures then not guilty.
That's like someone breaking into the Doctor's surgery, breaking into the locked records store, then taking and using the details held within for their own ends. The Doctor isn't going to have breached the DPA because they took appropriate measures to protect them.
 

Mk75

New Member
Joined
17 Oct 2013
Messages
1
Actually it's true that anyone can see people's details on their website. I was told that if you follow the link at the bottom of the letter (notice to prosecute letter) you can see everything without having to log in as an employee. It made sense because I never give out my address and started receiving junk mail (address was slightly wrong)... this was the same (slightly wrong) address that First Cap Connect had used.

I told the train company about this a few weeks ago (as I don't want people having my address) so they definitely know about this problem.
 

rf_ioliver

Member
Joined
17 Apr 2011
Messages
883
Anyway, I got home today to a letter, with a first class stamp on it, telling me that FCC have my personal information (presumably from the details form the RPIs have) in public view on their "C.R.I.M.S website". It goes on to say that this data protection breach has 90,000 victims, and it mentions the things that you could possibly claim compensation for and what you can do to take the issue further etc.

Interesting... was it FCC who sent the letter? Unfortunately some of the data flows with information such as this are quite long and complex, so it could be a targeted mailshot. However, without seeing the letter it would be hard to say: please do post (or PM) a scan of the letter (redact any of your personal details, e.g. phone number etc.).

Normally a data breach would be handled a little differently than this which makes me suspicious - but that level of paranoia comes with my job :)

t.

Ian
 

FGW_DID

Established Member
Joined
23 Jun 2011
Messages
2,745
Location
81E
Actually it's true that anyone can see people's details on their website. I was told that if you follow the link at the bottom of the letter (notice to prosecute letter) you can see everything without having to log in as an employee. It made sense because I never give out my address and started receiving junk mail (address was slightly wrong)... this was the same (slightly wrong) address that First Cap Connect had used.

I told the train company about this a few weeks ago (as I don't want people having my address) so they definitely know about this problem.

In light of this, I'd say there is definitely a problem and a very good chance that FCC probably are in breach of the DPA :shock::shock:
 

Mojo

Forum Staff
Staff Member
Administrator
Joined
7 Aug 2005
Messages
20,466
Location
0035
Interesting... was it FCC who sent the letter? Unfortunately some of the data flows with information such as this are quite long and complex, so it could be a targeted mailshot. However, without seeing the letter it would be hard to say: please do post (or PM) a scan of the letter (redact any of your personal details, e.g. phone number etc.).

Normally a data breach would be handled a little differently than this which makes me suspicious - but that level of paranoia comes with my job :)

t.

Ian
It sounds to me as if it was either some 'do gooder' who has seen that the data is public and wants to warn potential victims, or possibly a legal firm who has seen it and used it to get some work.
 

DownSouth

Established Member
Joined
10 Dec 2011
Messages
1,545
It sounds to me as if it was either some 'do gooder' who has seen that the data is public and wants to warn potential victims, ...
If that's the case I would say the correct term would be "whistleblower" rather than do-gooder.
 

FirstCC

New Member
Joined
17 Oct 2013
Messages
2
Hello

We take any allegation very seriously, and we are looking into this matter as an urgent priority. An investigation is underway however we can confirm that all customer data is safe.

If you have any concerns please contact us at [email protected]

Thank you

FirstCC
 
Joined
6 Mar 2010
Messages
75
.... Anyway, I got home today to a letter, with a first class stamp on it, telling me that FCC have my personal information (presumably from the details form the RPIs have) in public view on their "C.R.I.M.S website". It goes on to say that this data protection breach has 90,000 victims, and it mentions the things that you could possibly claim compensation for and what you can do to take the issue further etc....

This type of letter is a fairly standard response to a Data Protection breach - either one where the data was actually taken, or where the data was visible on the internet without any access controls for a period - and they do not know whether it was taken. I've heard about this type of letter most often after stolen credit card or banking data, where there will often be an offer of a free credit monitoring service or similar, so you can monitor for any identity theft or the like that may happen to you later.

I would read the letter they sent you carefully and consider what data you have provided to FCC and what they might have gathered from (say) a credit card payment. I would certainly consider following some of the suggestions to protect your identity outlined in the letter.
 

AMT

Member
Joined
7 Oct 2013
Messages
24
Hello all, thanks for the responses. The letter is attached.

We take any allegation very seriously, and we are looking into this matter as an urgent priority. An investigation is underway however we can confirm that all customer data is safe.

Thank you for the response to this. Obviously I'm a little concerned as to how safe it is, considering that someone has already been able to send a letter to my home address (indicating that they are aware of my recent incident with FCC). If the data is in fact safe then that's a relief, but then it would seem that you have an issue with internal staff.
 

Attachments

  • FCC Data Protection Breach.pdf
    632.9 KB · Views: 423

maniacmartin

Established Member
Fares Advisor
Joined
15 May 2012
Messages
5,402
Location
Croydon
It looks like it was sent by a random member of the public who found the database and contacted people named in it. I doubt FCC would refer to themselves as "deploying troops of inspectors to extort money out of vulnerable people". Also the sender clearly wants to remain anonymous.
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,225
Location
UK
I wonder if letters are going out about other TOCs? Surely this will make the news at some point?
 

AMT

Member
Joined
7 Oct 2013
Messages
24
It looks like it was sent by a random member of the public who found the database and contacted people named in it. I doubt FCC would refer to themselves as "deploying troops of inspectors to extort money out of vulnerable people".

Yes, I was sure the letter wasn't an official FCC communication. I think I can reasonably assume that my details were out there somehow. I don't see how else the sender would have known my address and about the incident.
 

Clip

Established Member
Joined
28 Jun 2010
Messages
10,822
Yes, I was sure the letter wasn't an official FCC communication. I think I can reasonably assume that my details were out there somehow. I don't see how else the sender would have known my address and about the incident.

Of course, it may just be someone who has hacked into their website to make First look bad.

I mean, you get a letter, and there are 90K people they claim are on there. Did they all get one? That's a lot of stamps.
 

AMT

Member
Joined
7 Oct 2013
Messages
24
Of course, it may just be someone who has hacked into their website to make First look bad.

I mean, you get a letter, and there are 90K people they claim are on there. Did they all get one? That's a lot of stamps.

:lol: Yes I'm sure they would have just contacted a select few. And yes, if someone has hacked into their system and FCC can prove that they have policies and procedures in place, and have done all they can to protect the data, then there's not a lot that would happen to them.

I guess it all depends on how the investigation goes. I will be contacting them shortly to discuss this more directly.
 

FGW_DID

Established Member
Joined
23 Jun 2011
Messages
2,745
Location
81E
Looks like somebody has a BIG grudge against FCC. :eek:
 

DownSouth

Established Member
Joined
10 Dec 2011
Messages
1,545
And yes, if someone has hacked into their system and FCC can prove that they have policies and procedures in place, and have done all they can to protect the data, then there's not a lot that would happen to them.
That a whistleblower is sending these letters would tend to suggest that they have not done enough to protect the data and/or their policies/procedures are deficient.
 

Donny Dave

Established Member
Joined
9 Jul 2005
Messages
5,162
Location
Doncaster
That a whistleblower is sending these letters would tend to suggest that they have not done enough to protect the data and/or their policies/procedures are deficient.

Who says it is a whistleblower? It could be a disgruntled (former) employee who is using their access to the database in a way they should not be doing.

My advice is to contact First Capital Connect and the Information Commissioner's Office as a matter of urgency.
 

34D

Established Member
Joined
9 Feb 2011
Messages
6,042
Location
Yorkshire
Who says it is a whistleblower? It could be a disgruntled (former) employee who is using their access to the database in a way they should not be doing.

My advice is to contact First Capital Connect and the Information Commissioner's Office as a matter of urgency.

If the system allows a member of staff to do an export of 90,000 records without setting off alerts, then it isn't fit for purpose.

I'd be very interested to read a response/comment by FCC about this. This forum page is top rank in Google for '"first capital connect" "data protection breach"'
 

route:oxford

Established Member
Joined
1 Nov 2008
Messages
4,949
An investigation is underway however we can confirm that all customer data is safe.

That's not exactly reassuring - People who didn't pay aren't "customers"...

I'm guessing there is a URL on the letter that allows the individual to review their "case". If it was put together in a simple but logical way, someone has just reverse-engineered it and can review anything.
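The guess in the post above is the classic insecure direct object reference: a review URL that carries a small sequential case number and nothing else, so walking the number range reads every record. What follows is an added illustration by the editor, not code from any poster, from FCC or from the CRIMS product (whose real design is unknown here). The case records, the `/case?id=` layout and the postcode second factor are all assumptions made up for the example; the hardened version replaces the guessable id with a high-entropy per-case token that is stored only as a hash and is paired with a detail the recipient knows from the letter.

```python
import hashlib
import secrets
from typing import Optional

# Constructed sample data for the example; the people and incidents are fictional.
CASES: dict[int, dict] = {
    1001: {"name": "A. Person", "postcode": "AB1 2CD", "incident": "Ticketless travel"},
    1002: {"name": "B. Person", "postcode": "EF3 4GH", "incident": "Wrong railcard"},
    1003: {"name": "C. Person", "postcode": "IJ5 6KL", "incident": "Expired season"},
}


def lookup_case_insecure(case_id: int) -> Optional[dict]:
    """Assumed weak design: /case?id=1002 returns record 1002 with no other check.

    The only 'secret' is a small sequential integer, so it is trivially enumerable."""
    return CASES.get(case_id)


def enumerate_insecure(start: int, stop: int) -> list[dict]:
    """What a curious recipient can do against the weak design: walk the id space."""
    found = []
    for cid in range(start, stop):
        rec = lookup_case_insecure(cid)
        if rec is not None:
            found.append(rec)
    return found


# Hardened design: the URL carries an unguessable per-case token, issued once when
# the letter is printed.  The server keeps only a hash of it, so a dump of this
# table does not hand out working URLs.
TOKEN_HASHES: dict[str, int] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_case_token(case_id: int) -> str:
    """Mint a 256-bit token for one case and remember its hash; return the token for the letter."""
    token = secrets.token_urlsafe(32)
    TOKEN_HASHES[_hash_token(token)] = case_id
    return token


def lookup_case_secure(token: str, claimed_postcode: str) -> Optional[dict]:
    """Resolve a case by token hash, then require a second factor printed on the letter.

    Equality is on a fixed-length hash looked up by key, so no secret is compared byte by byte."""
    case_id = TOKEN_HASHES.get(_hash_token(token))
    if case_id is None:
        return None
    rec = CASES[case_id]
    if rec["postcode"].replace(" ", "").lower() != claimed_postcode.replace(" ", "").lower():
        return None
    return rec


if __name__ == "__main__":
    # Enumerating a ten-id range recovers every record from the weak design...
    print(len(enumerate_insecure(1000, 1010)), "records via id enumeration")
    # ...while the hardened lookup needs the exact token and the matching postcode.
    t = issue_case_token(1002)
    print(lookup_case_secure(t, "EF3 4GH"))
    print(lookup_case_secure("1002", "EF3 4GH"))
```

The second factor matters because letters get lost and forwarded: a token alone is a bearer credential, and asking for something the genuine recipient already knows limits the damage when the URL ends up in the wrong hands. Rate limiting and logging of failed lookups belong on top of this, not instead of it.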
 

AMT

Member
Joined
7 Oct 2013
Messages
24
Who says it is a whistleblower? It could be a disgruntled (former) employee who is using their access to the database in a way they should not be doing.

My advice is to contact First Capital Connect and the Information Commissioners Office as a matter of urgency.

I will contact them tomorrow. Thanks David and others that have responded.
 

bb21

Emeritus Moderator
Joined
4 Feb 2010
Messages
24,151
It is almost beyond doubt in my mind that the sender had ulterior motives rather than the security of other people's personal data in mind, judging by the tone of the letter; nevertheless what he has done is not a bad thing.

If I were to receive such a letter, I would be highly concerned, too, so the reaction is entirely understandable. There are definitely questions that FCC will need to answer whatever the cause of this is, and it is only right that the matter is taken seriously. Hopefully the perpetrator (whoever it was) would be brought to justice in due course.
 

maniacmartin

Established Member
Fares Advisor
Joined
15 May 2012
Messages
5,402
Location
Croydon
If the system allows a member of staff to do an export of 90,000 records without setting off alerts, then it isn't fit for purpose

It's standard IT practice for some members of staff to be able to access everything. Everywhere I've worked, people in the IT department have been able to access everything, as they're the people who set up the security. There comes a point where you just have to trust the staff you hire to do the job, hence why so many employers in offices nowadays do CRB* checks.

Even the NSA find the "who watches the watchers" problem hard, so this isn't restricted to FCC.

* or whatever the new name for them is.
--- old post above --- --- new post below ---
we can confirm that all customer data is safe.

How can you confirm this so soon if you have only just started the investigation?
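Two of the posts above pull in opposite directions: 34D says a system that lets one account export 90,000 records without an alert isn't fit for purpose, and maniacmartin replies that some IT staff can always access everything. The usual reconciliation is that privileged access is tolerated but audited, with the audit trail watched for bulk pulls. The following is an added example by the editor, not anything from CRIMS, FCC or any poster: it builds a constructed audit log (a field inspector looking up a dozen cases over a shift, then an admin account walking 600 cases in ten minutes) and raises one alert per account that touches more distinct records in a sliding window than a threshold allows. The log format, account names, threshold and window are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log() -> list[str]:
    """Constructed audit lines in an assumed 'ts user= action= case=' format (not real CRIMS output)."""
    lines = []
    shift_start = datetime(2013, 10, 16, 9, 0, 0)
    # Normal pattern: an inspector looks up 12 cases spread across a 6-hour shift.
    for i in range(12):
        ts = shift_start + timedelta(minutes=30 * i)
        lines.append(f"{ts.isoformat()} user=rpi_smith action=view_case case={1000 + i}")
    # Suspicious pattern: an admin account views 600 distinct cases, one per second, late at night.
    bulk_start = datetime(2013, 10, 16, 22, 10, 0)
    for i in range(600):
        ts = bulk_start + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} user=it_admin action=view_case case={1000 + i}")
    return lines


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one audit line into (timestamp, user, action, case)."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts_text), fields["user"], fields["action"], fields["case"]


def detect_bulk_access(lines: list[str], window: timedelta = timedelta(minutes=15),
                       threshold: int = 100) -> list[dict]:
    """Alert once per user whose distinct case views inside `window` exceed `threshold`.

    Counting distinct cases rather than raw hits means re-reading one file many times
    (normal when preparing a prosecution) does not trip the detector, while walking
    the record space does."""
    events = sorted(parse_line(line) for line in lines)  # order by timestamp
    recent: dict[str, deque] = defaultdict(deque)        # user -> (ts, case) within window
    alerted: set[str] = set()
    alerts: list[dict] = []
    for ts, user, action, case in events:
        if action != "view_case":
            continue
        hits = recent[user]
        hits.append((ts, case))
        while hits and ts - hits[0][0] > window:
            hits.popleft()
        distinct = {c for _, c in hits}
        if len(distinct) > threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "at": ts.isoformat(),
                "distinct_records": len(distinct),
                "window_minutes": int(window.total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(make_sample_log()):
        print("ALERT", alert)
```

The threshold is deliberately far below 90,000: the aim is to page someone while the pull is still in progress, not to count the damage afterwards. A real deployment would feed this from the application's own access log rather than database-level auditing, because an export through the application is exactly the path an admin with legitimate credentials would use.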
 