British estate agency Foxtons Group suffered a major data breach in October last year, which enabled attackers to exfiltrate a database of personal and financial information. The personally identifiable information was then uploaded to dark web forums, where evidence suggests it was accessed over 15,073 times.
According to iNews, Foxtons Group was informed by the concerned client that its customers’ card details had been leaked online more than three weeks ago, but failed to inform either potential victims or authorities.
Paul Bischoff, privacy advocate at Comparitech.com:
“It looks like Foxtons could be held liable for negligence if it failed to inform customers that their data had been compromised. When it comes to stolen data, absence of evidence is not evidence of absence. We should always assume and prepare for the worst if it can’t be determined whether data was actually exfiltrated. Whether an oversight or neglect, Foxtons certainly could have taken a more cautious, transparent approach.”
Cyaran Byrne, head of platform operations at Edgescan:
“This is an example of what not to do when the victim of a cyber-attack. It appears the company at the centre of this breach just ticked the boxes in notifying the authorities that they were victim here, but either did not go any further in investigating the types of data stolen or kept the results of that investigation from their customers. Failure to notify its customers who may have been affected flies against best practices and ethics, and is an outdated attitude that will affect the trust between customer and supplier.”
Chris Hauk, consumer privacy champion at Pixel Privacy:
“Unfortunately, in this case, Foxtons Group took the ‘maybe if we ignore it and keep quiet, it will go away’ approach to their data breach.
Foxtons Group customers will want to invest in credit monitoring services, keep a close eye on all of their accounts, and stay alert for phishing emails, texts, and phone calls. Unfortunately, these customers have been exposed since last October, so in some cases the damage may have already been done.”
Sam Curry, Chief Security Officer, Cybereason:
“The latest revelations about Foxtons clearly look like a ‘he said, she said’ moment with a lot of finger pointing. At the same time, it is a sobering reminder that cyber criminals are stealing sensitive data from consumers on a daily basis and yielding massive profits by selling the information on the dark web. To Foxtons I encourage more transparency and hope they will further come clean on what happened and disclose the preventive measures they are taking to tighten security and limit further exposure of sensitive information. It is clearly no laughing matter to Foxtons’ customers and they are looking for reassurance that their credit card numbers and other personal information aren’t part of an extortion campaign against Foxtons. My advice to Foxtons’ customers is to pay close attention to their bank statements and if anything looks suspicious to immediately contact their credit card company. They should also be offered free credit monitoring services for at least the next year by Foxtons.”