It has been reported today that thousands of customers’ financial details held by one of Britain’s biggest estate agents are being freely accessed on the dark web. Foxtons Group was victim to a malware attack in October last year when hackers targeted the company, with it closing down its web portal for home sellers, renters, and landlords. The company said that Alexander Hall, its mortgage broking business, was affected and that no “sensitive data” had been stolen. It reported itself to the Information Commissioner’s Office (ICO), the data watchdog. But when the firm was informed in January that financial and personal information was freely accessible on the dark web from an attack on ‘Foxtons Group plc.’ customers, it did not take any action.
13 Responses
<div class=\"gmail_attr\" dir=\"ltr\">It is not unusual for service-oriented organisations to store customer data. This might include names, contact details, personal and even financial data. These companies bear a big responsibility of keeping this data safe. It is not enough to just follow procedures and best practices, they need to go above and beyond to safeguard their customers\’ data. In the case of a breach, such as this, each and every customer affected should be contacted and made aware of the situation. These customers, be it private persons or partnering companies, can then take the appropriate actions to mitigate the effects of the breach. </div> <div> <p> </p> <p>Attackers can exploit private information for identity theft, scamming affected individuals. With more data on individuals, attackers can better mislead victims into falling for a phishing email, believing that they are a legitimate caller or to convince them to vouch or confirm a financial transaction. Therefore, it is critical that we take the following threat seriously: “If you are a client who refused to conclude a contact and did not find information about yourself on our website or did not find some of your files, this does mean that we forgot about you, it only means that your information was sold and only therefore it did not appear in free access!</p> </div>
<p>This is about as worrying as it gets. Identify and card fraud are big business for malicious actors and up-to-date card details belonging to those unaware of the breach are worth a huge amount on the black market. When the financial data leaked is connected to mortgages it can be that much more impactful, as the large amounts of money being exchanged create a more tempting and lucrative target for criminals. With this data having been viewed thousands of times on the dark web I would be highly surprised if there are people whose details feature on this compromised list who haven’t already been targeted. Those affected must urgently contact their banks and follow procedures to make sure they are protected from such inevitable attacks.</p>
<div>Unfortunately, in this case, Foxtons Group took the \"maybe if we ignore it and keep quiet, it will go away\" approach to their data breach. </div> <div> </div> <div> <p>Foxtons Group customers will want to invest in credit monitoring services, keep a close eye on all of their accounts, and stay alert for phishing emails, texts, and phone calls. Unfortunately, these customers have been exposed since last October, so in some cases, the damage may have already been done.</p> </div>
<p>The latest revelations about Foxton clearly look like a \’he said, she said\’ moment with a lot of finger-pointing. At the same time, it is a sobering reminder that cyber criminals are stealing sensitive data from consumers on a daily basis and yielding massive profits by selling the information on the dark web. To Foxton, I encourage more transparency and hope they will further come clean on what happened and disclose the preventive measures they are taking to tighten security and limit further exposure of sensitive information. It is clearly no laughing matter to Foxton\’s customers and they are looking for reassurance that their credit card numbers and other personal information aren\’t part of an extortion campaign against Foxton. My advice to Foxton\’s customers is to pay close attention to their bank statements and if anything looks suspicious to immediately contact their credit card company. They should also be offered free credit monitoring services for at least the next year by Foxton.</p>
<p>This is an example of what not to do when the victim of a cyber-attack. It appears the company at the centre of this breach just ticked the boxes in notifying the authorities that they were victim here, but either did not go any further in investigating the types of data stolen or kept the results of that investigation from their customers. Failure to notify its customers who may have been affected flies against best practices and ethics, and is an out-dated attitude that will affect the trust between customer and supplier.</p>
<p>It looks like Foxtons could be held liable for negligence if it failed to inform customers that their data had been compromised. When it comes to stolen data, absence of evidence is not evidence of absence. We should always assume and prepare for the worst if it can\’t be determined whether data was actually exfiltrated. Whether an oversight or neglect, Foxton\’s certainly could have taken a more cautious, transparent approach.</p>
<p>While the full scope of this security incident is not yet clear, it is still recommended that any customers of Foxtons contact their bank to immediately cancel any cards linked to your Foxtons account. However, since these details have potentially been available for over three months, it is also worthwhile looking through bank statements to identify any suspicious activity. It is also important to change passwords for Foxtons’s accounts and any other sites that use the same password, as well as being vigilant for phishing emails.</p>
<p>When we hear reports of data breaches such as the one concerning Foxtons Group in the UK, we can use the incident as a cautionary tale for the procedural steps to take in the event it happens to our organization. Unfortunately, with the precipitous rise in attacks, breaches, and data leaks, the chances are that more and more businesses—despite best defensive efforts—will face the situation in the future.</p> <p> </p> <p>The smart organization is the one that has prepared for this type of event by documenting an effective response plan. Such plans usually include immediate triage of the situation to close off further breach activity, followed by a comprehensive risk assessment and mitigation of further harm. Communicating internally within the organization to mobilize efforts as well as with external regulators is critical. Of course, providing clear information to all victims as soon as possible enables them to perform their own mitigation effort to limit their exposure and further damage. Lastly, owning up to any and all responsibility and meeting liabilities head-on are efforts that help to soften reputational harm. Ultimately, assessing how the breach occurred and putting in place stronger, more data-centric security measures to thwart any future incidents is the final remedy. Nothing is more detrimental than lightning striking the same place twice!</p>
<p style=\"font-weight: 400;\">With businesses holding sensitive data on thousands of individuals, it’s historically been difficult to detect breaches and leaks from those customer datasets. It’s therefore important to routinely monitor for exposed data outside the organisation’s network as it is critical to know it’s happened as soon as possible – and then act immediately. Early breach detection is a fundamental expectation of GDPR and companies who take a lax approach can expect to face growing regulatory fines.</p> <p> </p> <p style=\"font-weight: 400;\">Speed is important when mitigating digital risk; watermarking data with unique synthetic identities can enable organisations to detect these threats immediately and be the first to find out if their data is available online before someone else does. Setting up email listeners for these watermark identities can detect a breach before the data is shared online, if the hacker is testing for valid addresses</p>
<p style=\"font-weight: 400;\">The recent news about the Foxtons data breach shows, again, the need for organisations to take security seriously and consider ways in which they can further protect their customer’s data. Despite falling victim to a malware attack back in October 2020, Foxtons did not know they had a data breach until a month ago which means these cyber attackers were likely moving laterally throughout their network to find valuable information for a long time prior to the data being dumped on the dark web. </p> <p> </p> <p style=\"font-weight: 400;\">With attackers becoming ever more opportunistic, it is critical that security operations teams have the ability to pervasively detect and respond to attacks and unauthorised access wherever it happens. Typically a large percentage of these breaches start from phishing emails or credential theft from SaaS applications like Office 365. Companies must have a complete view of their attack surface. Detecting and responding to indicators of possible malware lurking on a network can make the difference between a contained incident or a damaging organisation-wide outage, breach, or significant financial loss– something Foxtons are likely to experience due to this attack.</p>
<p>Financial data is subject to both regulatory and compliance requirements. The fundamental security requirement for all industries storing financial data is to understand who and what is trying to access the technology environments that the financial data is stored in. This breach further highlights the importance of identity and access management to support all businesses through digital transformation delivering to security, compliance, and privacy requirements.</p>
<p>It is safe to assume the worst and Foxton customers should look to protect themselves from identity fraud and card fraud as a result of this breach. With both personal information and payment card information lost, Foxtons customers should take some time to validate payments and potential credit history interactions since October and flag anything suspicious to their bank. Even though a subset of the entire customer data has been leaked with the attackers claiming they have the entire data and they have released only 1% publicly, it doesn’t mean it hasn’t be shared and exploited privately.</p>
<p>Criminals are continually evolving their methods and ways in which they can extort victims or cause embarrassment. Anyone can publish details on the dark web claiming it comes from a breach, but people should be careful before jumping to conclusions. </p> <p> </p> <p>However, if someone suspects their details could have been exposed in any breach, they should ensure that any passwords that may have been compromised are changed, not only on the impacted service but also on any other sites which may have used the same credentials. Similarly, people can set up credit monitoring, and be wary of any unsolicited emails or calls they may receive regarding the breach, or claiming to be from the company. Criminals will often try to scam impacted users, adding further insult to injury.</p>