London-based payment processing firm GoCardless is warning customers that their personal information might have been exposed following the theft of 19 laptops from its offices last month.
The "password protected" (not encrypted) laptops contained a file with customer personal data including email address, passport number, date of birth, and name. Leak of the data into the wrong hands might lead onto follow-up phishing scams or other potential malfeasance, such as identity theft. Payment data was not exposed.
GoCardless is nonetheless offering exposed parties credit card monitoring services, as a breach notification advisory (extract below) explains.
We wanted to let you know that on the 7 January 2017, our premises were the victim of a burglary which affected our office and another company in the building. Despite CCTV surveillance, locked doors, and a 24/7 security guard, nineteen password protected GoCardless staff laptops were stolen.
All of our payment processing systems are secure, remain uncompromised and were unaffected by the burglary. There has been no impact on our day to day business and we continue to process payments as normal.
We have already informed the police, the Financial Conduct Authority and the Information Commissioner's Office of this burglary. We have also conducted an exhaustive internal investigation so that we can communicate to you any potential risks from this burglary.
Our investigation has concluded that the stolen laptops may contain a file with personal data provided when setting up an account with us. This information is stored by GoCardless to ensure we can evidence checks we needed to perform on you when you signed up with us. The file contains the following personal details of the person that verified your GoCardless account: email address, passport number, date of birth, and name.
There is a very low risk that this burglary will affect you as none of your financial data was involved, all the laptops were password protected, there is no firm evidence that any of the data was available on any stolen laptop, and the burglars appear to have been targeting high value electronics rather than our data. However, we believe in transparency and so wanted to inform you of this burglary anyway.
Despite the above, we take even this small risk seriously. We are therefore offering to organise and pay for a web alert monitoring service from Experian for a period of 12 months.
The incident illustrates that data breaches can result from causes other than hacking attacks, the most publicised cause. Lost and stolen laptops also pose a risk.
A GoCardless spokeswoman confirmed the thefts, adding that police and other relevant authorities had been informed.
"I can confirm that on the 7th January 2017, we were the victim of a burglary which affected our office and another company in the building. Despite CCTV surveillance and a 24/7 security guard, 19 password protected GoCardless staff laptops were stolen," the spokeswoman told El Reg.
"All of our payment processing systems, remain secure and uncompromised and were unaffected by the burglary.
"We have informed the police, the Financial Conduct Authority and the Information Commissioner's’ Office. We have also conducted an exhaustive internal investigation and, despite the very low risk, have contacted all our partners and merchants," she added.
GoCardless offers an internet-based direct service to its enterprise clients. ®