Customers of UK financial services firm Ffrees said they were unaware of a breach that took place there four months ago until a security researcher got in touch with them.
The same anonymous white hat who discovered the now infamous AA shop accessories breach back in April also uncovered the exposure of data by Ffrees Family Finance, a Sheffield-based firm that offers a no-frills digital current account, at around the same time.
[Image: obfuscated sample query of the Ffrees leak dump. Note the extent of the information exposed, including driving licence numbers. Courtesy Troy Hunt]
The leaked information, the researcher told us, included physical addresses; 94,574 unique email addresses; phone numbers; dates of birth; and driving licence numbers; as well as over 300k transaction logs. Passport numbers and their expiry dates have also been exposed. A small number of the records, around 95, appeared to relate to children.
The researcher said he had contacted Ffrees immediately after coming across the data to tip it off about the problem. He followed up three months later in July, having become concerned after his outfit failed to get a clear assurance from Ffrees that it had informed potentially affected parties. The researcher was told that "appropriate action has been taken".
The white hat then enlisted the help of Troy Hunt, who runs the Have I Been Pwned? breach notification service, to assess the validity of the seemingly leaked data and exclude the possibility that it was dummy or test data.
Multiple Have I Been Pwned? subscribers confirmed their data including addresses, phone numbers, transactions and driver's licence number were inside the leaked information, yet, curiously, none of those people reported having received breach notifications from Ffrees.
Ffrees did post information about the breach, send notifications to some of the people affected and publish an FAQ section on its website that repeatedly raised the possibility of ID theft due to the exposure of users' "personal data". However, it omitted any specific mention that passport or driving licence data or transaction records might have been exposed.
The notice on its site reads:
The exposure involved information held by Ffrees between 2012 and early 2014. It included personal information and Ffrees account information for some accounts. A batch of Ffrees account passwords stored in an encrypted form were also accessed.
The financial service also appears to have notified some of the affected users, although the users Hunt put us in touch with maintain they never heard from the firm.
"Multiple HIBP subscribers found themselves in there and had no idea why they were in a Ffrees data breach," Hunt told El Reg.
Full programme of customer notification
In response to queries from El Reg, Alex Letts, chief exec of Ffrees Family Finance, said:
"There was an incident of data exposure which was reported to us. It was fixed straight away and we are grateful that we were informed about it.
"There has been a full programme of customer notification with dedicated support line and apology made; we reported the incident to the relevant authorities too, as we have to.
"We worked hard to remedy the problem and continue to monitor accounts for signs of suspicious activity."
Data privacy watchdogs at the Information Commissioner's Office (ICO) confirmed they had been notified. "We are aware of an incident involving Ffrees Family Finance Ltd and are looking into the details."
"All organisations have a duty under the Data Protection Act to keep people's personal information safe and secure," the ICO spokesman added.
The breach at Ffrees received little coverage aside from a report on a legal website in mid-June. That report omits any mention of the passport and driving licence numbers and expiry dates security researchers say were exposed, although it does mention that transaction details were exposed.
What are organisations obliged to report?
The upcoming General Data Protection Regulation (GDPR) will require that:
Businesses must notify the ICO within 72 hours of a data breach taking place, if the breach risks the rights and freedoms of an individual. In cases where there is a high risk, businesses must notify the individuals affected.
It's worth noting, however, that under current legislation, the Data Protection Act of 1998 (DPA), data controllers are not obliged to report the scope of security breaches, or the breaches themselves, to the data subjects.
Ffrees' Letts declined to respond to a request from El Reg to clarify the scope of compromised information. As we stated previously, it does appear to have sent out a breach notice to some of the affected customers and provided an FAQ on its website.
A copy of a breach notification from Ffrees that one customer had received was posted to a forum on personal finance website Money Saving Expert in May.
However, there was no mention that passport or driving licence data or transaction records might have been exposed in the notice, which referred only to "information held for marketing purposes between 2012 and early 2014". This, the notice added, included users' full names, dates of birth and email addresses.
In the dark
Hunt put us in touch with a number of HIBP subscribers affected by the breach who said that they hadn't heard anything from Ffrees.
Daniel B, a Ffrees customer for around three or four years, confirmed his driving licence details had been exposed.
"My driver's licence was exposed on the internet and I was not contacted by Ffrees themselves; I was only made aware [of] the situation by Troy [Hunt] because he contacted me with partial data that he had been sent regarding the breach – and it indeed was my personal data," he told El Reg.
Michael W, who had signed up to the OscarUK service through a restaurant booking website, confirmed that his personal details were also exposed; OscarUK was later bought by Ffrees. Ffrees acquired Oscar (OscarUK.co.uk), a leading concessions website for the over-50s, back in 2013.
"I was somewhat upset to find out that my full name, date of birth, address, maybe password of the time and booking detail (only used once!) have suddenly been released for anybody with knowledge to view," he said. "I have had no contact about this so-called breach or how it was allowed to occur, nor understand what is being done to protect me."
Independent security consultant Scott Helme said he had serious concerns after reviewing the data.
"It seems there are many or possibly even tens of thousands of valid sets of credentials [that are] able to log in on this payment gateway," Helme told El Reg. "There was some data related to children as young as five at the time of the breach and personal notes on accounts like the reasons they opened them including weddings, holidays, life savings and money for children. It was pretty grim reading for some of them."
Ffrees provides customers with a "virtual account" with MasterCard. Users transfer money to accounts linked to a "pre-paid card". They earn financial rewards for using this card to buy products and services from Ffrees' partners.
The firm declined multiple requests from El Reg to share the timing and content of the breach notification it sent to affected customers.
Under current UK law there is no legal obligation to notify customers about the suspected leak of financial information. That will change next May, once the UK's Data Protection Bill (which will incorporate the EU General Data Protection Regulation) comes into effect, as previously noted in the case of the recent AA accessories shop breach.
A data protection Bill incorporating the EU General Data Protection Regulation (which comes into force in May 2018) is expected to be introduced in Parliament after summer recess. ®