21 - 40 of 51 Posts
Anyone who holds any personally identifiable information has a duty of care with that information. That is what most of the laws and policies around this stuff make clear, and that includes any third parties they share that information with. The original source of the information has the obligation to protect your data, as they were the first recipient.

Let's be honest with ourselves here. Renault will care about their legal obligations and whether they are at risk of any fines. So all of their effort will be in those areas, and 0.00000001% will be related to any individuals who may take issue with their failure.

If an individual contacts them, so long as they do so via the appropriate email address relating to their ICO/DPO obligations, then they are required to respond. But don't expect that response to be what you want; it will be the minimum they are required to provide by law.

We live in a world of corporate greed first, with mere humans at the bottom of the food chain. They don't give a sh*t about any of this outside of reputational damage.

These sorts of information hacks are increasing exponentially, with law enforcement unable to make much of a dent. So far, we've had a few that create some impact, but it is only a matter of time before there's a major cyber incident that wreaks havoc.

It's a wake-up call for all companies to actually invest in their IT and security systems, rather than being complacent; just shoving a firewall in front of some stuff does the sum total of bugger all. Defense in Depth, Zero Trust communication, encrypted in transit and at rest, RBAC organisation-wide, and many others, are all basic concepts all systems should adhere to. Sadly, in my time working in IT over the last 35+ years I've rarely seen anyone take this genuinely seriously and do it even vaguely properly, because they also baulk at the costs rather than consider the impact if something happens.
 
owns 2025 Kia EV6 GT-Line S
Is it worth contacting the ICO? The email was very vague and from a no reply account. I assume on purpose to avoid a load of justifiably angry responses.
 
I got the same email.
Probably be an advert on local radio in a couple of years promising £££ in compo for all this stuff.
I'll keep the email just in case, along with the ones I got from Co-op and M&S.
 
First, you say it is a third party who has been hacked. Who is this third party and why was this data shared without my knowledge or consent?
They do not need your consent - they have five other legal bases to choose from of which contract, legal obligation and LI will form the bulk.

They do need to provide a privacy notice which explains their interaction with third parties. Putting my DPO hat on I would say that their privacy notice is a tad vague - it fails to name which data, which third parties and the legal bases relied upon.

It is interesting the number of people in other forums that have also received such notifications - including several non car drivers!
 
Add me to the list of those who’ve had the email. Never owned a Renault but do remember signing up for info when the R5 was first on the horizon. Given this, it seems like a good enough reason to look elsewhere, not that anyone else is likely to be a whole lot better.
 
We have been assured this morning that this is solely a Renault UK problem and doesn't affect any Renault owners outside the UK. We were told that someone at Renault UK allowed unauthorised access to an Amazon-provided cloud data storage service. I have no idea of the veracity of this as it was told to us by our own Renault dealer and they are generally incompetent.
 
Same email here.
The problem with having Reg. and VIN is that they could clone your vehicle.
Luckily Renault have a means of tracking, plus I have added a tracker, so can prove speeding etc wasn't me.
 
Had the same. Sold the Zoe years ago!
So Renault are breaking the terms of the Data Protection Act and GDPR (as well as having shoddy cybersecurity). They're retaining your personal data for far longer than they have any business need for.
I've heard of people who merely asked for a brochure in a showroom in 2016 who never actually ordered, leased or owned a Renault being informed their personal data has been stolen, so that's certainly a GDPR violation.
 
So Renault are breaking the terms of the Data Protection Act and GDPR (as well as having shoddy cybersecurity). They're retaining your personal data for far longer than they have any business need for.
I've heard of people who merely asked for a brochure in a showroom in 2016 who never actually ordered, leased or owned a Renault being informed their personal data has been stolen, so that's certainly a GDPR violation.
So remind me which bit of the GDPR does it actually violate, again?

If their data retention policy says ten years, which a lot of businesses set as the default for customer contacts, then 2016 might be valid.
 
Sounds like incompetence is a company trait then!
Our experience this year would support such a view. Shame, as we have been loyal Renault customers, using the same dealer, for years. We went back to them as they had always been helpful and their prices were reasonable. This only started to go wrong over the past few months when they caused us so much frustration that I opted to Google the particular problem we were having with the rear view camera and so found this forum.

I remember a saying from years ago about reputation. It went along the lines of it being easier to lose a good reputation from a moment of inattention than to build it. Our recent experience is that the local Renault dealer doesn't value reputation. Perhaps this is a valid view in this age where few check out the experiences of others before choosing to do business with a company.
 
They often make it mandatory to provide personal data they don't need, then lose it. Lots of pre-2018 non-GDPR-compliant data collected was never cleaned up.

I didn't get an email but did get a text message. I've asked them to provide clarity over whether my date of birth was stolen but they've given away all the information required for fraudulent credit applications to be made in my name. This has happened a couple of times in the past and took months to sort out. The companies that failed to guard the data offered nothing other than apologies.

When our passports and other details were stolen from our solicitors, they did at least offer a free year of a credit protection service from Experian. But then made me email them repeatedly for 2 months before they'd provide the activation code, which made it clear it was just a gesture they hoped they wouldn't have to pay a few pounds for.

I would really like to see UK law changed and it made mandatory for companies to compensate hacking victims and also to underwrite any consequential losses we suffer.

As it is, any fines that are levied get paid to the Information Commissioner's Office - who must be rolling in money by now.
 
So remind me which bit of the GDPR does it actually violate, again?

If their data retention policy says ten years, which a lot of businesses set as the default for customer contacts, then 2016 might be valid.
A potential customer walks into a showroom and asks for a brochure. The potential customer decides not to buy. No contract has been made.
The business has no reason whatsoever to retain the personal information for longer than would be reasonable for a prospective sale. If they really need to, for statistical analysis of marketing, then personal data should be redacted or one-way hashed with a salt.

e.g. Roland walks into a showroom, asks for a brochure. Sales person makes a note of their name, and possibly contact details for short-term use, hands them a brochure and business card. That's fairly common behaviour.
No sale made and no further interest shown. No sales contract, or even test drive contract signed or completed.
Roland's marketing database entry should, after something like three months, be changed so his name is now not "Roland Butter" but something like "9a0660a1b15c5bf4e6e8a8870cdc8643", or deleted entirely. Keeping a hashed value would mean that the car dealership can still recognise the person if they provide an identical name again when they find a new model attractive.

I've seen many companies with a 'hoard all the data' attitude. These policies will bite them sooner or later. If they desire analytics, there's a sensible way of doing it, understanding the life cycle of the data and taking into account what the data is, and what it represents; and there's the blind drunk way of doing it.
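
The retention step described in the post above, as an added example that is not part of the original post or any dealership's code. It swaps the bare salted hash for a keyed HMAC-SHA256, because names are guessable and an unkeyed hash can be reversed by hashing a list of names; the key, field names and sample rows are constructed assumptions.

```python
import hashlib
import hmac
import unicodedata
from datetime import date, timedelta

# Assumption: the key lives outside the marketing database (vault/KMS).
PSEUDONYM_KEY = b"constructed-example-key"  # constructed value
RETENTION = timedelta(days=90)  # "something like three months"


def normalise(name: str) -> str:
    """Fold case, Unicode form and whitespace so the same person matches."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def pseudonym(name: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way token; useless for offline name guessing without the key."""
    data = normalise(name).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def expire_prospects(records: list, today: date) -> list:
    """Pseudonymise non-customers whose last contact is older than RETENTION."""
    out = []
    for rec in records:
        stale = today - rec["last_contact"] > RETENTION
        if stale and not rec["customer"] and "name" in rec:
            # Keep only what analytics needs; name and contact details go.
            rec = {
                "name_token": pseudonym(rec["name"]),
                "last_contact": rec["last_contact"],
                "customer": False,
                "model_interest": rec.get("model_interest"),
            }
        out.append(rec)
    return out


def is_returning(name: str, records: list) -> bool:
    """Recognise a returning prospect without having kept their name."""
    token = pseudonym(name)
    return any(hmac.compare_digest(token, r.get("name_token", "")) for r in records)


# Constructed sample rows, not real data.
SAMPLE = [
    {"name": "Roland Butter", "email": "roland@example.com",
     "last_contact": date(2016, 5, 1), "customer": False, "model_interest": "Zoe"},
    {"name": "Ada Example", "email": "ada@example.com",
     "last_contact": date(2016, 5, 1), "customer": True},
    {"name": "Sam Sample", "email": "sam@example.com",
     "last_contact": date(2025, 9, 15), "customer": False},
]
```

Rotating or destroying the key turns the remaining tokens into unlinkable values, which is the closest this scheme gets to outright deletion.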
 
We were told that someone at Renault UK allowed unauthorised access to an Amazon-provided cloud data storage service. I have no idea of the veracity of this as it was told to us by our own Renault dealer and they are generally incompetent.
It's far too plausible to have simply just been made up :D . Google "unsecured S3 bucket" and you will see that this kind of misconfiguration has been going on for years.
 
Just signed up to CIFAS for a little peace of mind, extra checks done if somebody tries to open accounts using my details... £30 for 2 years.
 
Have you heard of Jaguar Land Rover?
Yes, absolutely. My last ICE car was a lovely Jaguar XF V6 diesel, which was a fabulous car, so I've followed the sorry tale closely.
Whilst it has been bad, for all the secondary companies and services tied to Jaguar, which are often smaller and are struggling, this isn't a 'wreak havoc' type cyber attack.
It's bad for sure, and costs money, businesses, and livelihoods, but hopefully no one will die as a direct result of the attack.
I'm not trying to minimise the scale and impact of the JLR attack, and am sure those it is affecting are deeply impacted.
We're yet to see multiple successful large-scale cyber events that target critical areas of infrastructure, which in turn affect all of society and potentially cause deaths. That will be much worse, and a true havoc event.
 
owns 2025 Kia EV6 GT-Line S