Friday, 18 July 2014

Micro Direct data leak?

I get loads of spam, like most. A few slip through the filters.

I got one earlier today that was a tad odd - it looks like a genuine report of some sort of order, with someone else's details in it, but the link to "secure login to your paypal account" is clearly bogus. A link to that redirects to and tries to get my details.

OK, spam, what the hell. I noted that it was to an email I only gave to microdirect, so maybe could have been guessed, but maybe a data leak.

Later today I get one saying that my credit card information has been changed and my address removed and QUOTES MY ACTUAL HOME ADDRESS to me in the email. Again a bogus link.

So, this means Micro Direct have leaked not only my email but my details. My address at least, and who knows what else? The latest spam just tries to get my "Verified by Visa" details, which makes me think they have my card details.

I should report to ICO, but they are proving to be such a bunch of muppets, I am unsure if it is worth it.


  1. Report it, please! This is exactly the sort of thing the ICO really must be taking on, and if they're not then there's a public interest issue.

  2. Have you informed Micro Direct? They may also be a bunch of muppets and unaware that this has taken place (although I don't have a lot of faith in companies proactively informing their customers when this kind of thing happens anyway).

    I make a habit of using exim's address suffix system, so addresses I submit to companies are in the form, where the "something" is different for each company I hand my address to. The problem, of course, is that when my details inevitably get released to someone else, how do I prove that it was done illegally - maybe I just failed to spot the "untick this if you don't want your details sold off" box somewhere (and that is, of course, what the offending organisation would claim happened).

    1. Micro Direct went bump a few weeks ago.

      I guess their data security didn't survive the transition..

  3. My latest ICO complaint is against a company that has admitted they are bulk-mailing email addresses scraped from the Companies House database. Their reply to me didn't leave me much confidence that they were going to stop doing that even though I pointed them to the regulations, so a PECR complaint has been filed. It remains to be seen whether the ICO care.

    I did note that the PECR complaints forms seem to have been removed from the ICO website - they have a click through wizard thing now that tells me to phone them as soon as I say I'm a business, rather than letting me submit a complaint form.

  4. It's been some time since MD went out of business. I would not be very surprised if the liquidators didn't care to sanitize anything potentially holding sensitive data when selling off assets.

    Perhaps the bigger surprise is that it took this long for the consequences to surface?

  5. I've reported potential leaks to a big electrical wholesalers and a car hire company, the electrical supplier didn''t even respond while the car higher company responded and asked some more questions but I didn't hear any more.