Just to help me understand, if someone at a company, who was authorised to do so for a specific reason, printed off a load of personal data concerning its customers, and then left the file on the train, but no one on the train looked at the file, would that be a breach?
Yes - because that would meet the ICO’s definition that danmullen quoted above - that would be a “loss” of data as there is no longer any level of control over the data by the data owner.
The data here was stored in encrypted log files on Monzo’s own systems that were discovered by a security engineer.
Ultimately given that Monzo have referred themselves to the ICO (as well as the FCA and PRA), they will be able to determine whether they feel that any redress is necessary.
That was me, and I still haven’t had a definitive answer, having been told several times I would not be liable and once that I would be. I’m busy this weekend but will be chasing again with them on Monday.

You are making really serious allegations in this thread, including ones which, if based in fact, could see severe penalties imposed on Monzo.
No I’m not, what allegations have I made? Monzo have alerted customers and self-reported due to this breach. They themselves think it was a serious enough incident to warrant that.
As I said earlier, they’ve handled it well since becoming aware and I hope the ICO doesn’t impose any sort of fine. I doubt they will. The risk to the rights and freedoms of the data subjects is minimal.

That was me, and I still haven’t had a definitive answer
Thanks, I couldn’t remember who it was that posted about this! Monzo should make an official statement on it. I suspect the person that told you you would be liable gave out wrong information.

No I’m not, what allegations have I made? Monzo have alerted customers and self-reported due to this breach. They themselves think it was a serious enough incident to warrant that.

However, just for clarity, the recent PIN issue WAS a security breach.
Monzo have not, at any point, said that it was a breach. That is an allegation. There is, as you quoted above, a definition set out for what a breach is, as it carries penalties. Monzo reported themselves to the ICO in the interests of transparency (and because it was the right thing to do and I hope that most organisations would do the same in the same circumstances). The act of reporting does not mean they consider there to have been a breach.

As I said earlier, they’ve handled it well since becoming aware and I hope the ICO doesn’t impose any sort of fine.
I just want to make it clear that I acknowledge this, the only thing I take issue with is the suggestion that it is a breach (a claim made in the advert in the original post and repeated by you above).

Monzo should make an official statement on it.
@bea - in the original community thread - made the following statement (which I quoted above).
As @kolok reported earlier from their conversation with Customer Support, it’s very unlikely that you’ll experience any fraud because of this issue. But if you do, Monzo will cover that loss (unless our investigation finds that you made the transactions or failed to protect your information, which is always the case when we investigate reports of fraud).
I feel this is the right time for me to bow out of this thread - “breach” has a specific definition as quoted above, I have yet to see anything that indicates that this incident meets the definition of a breach, Simon VC’s tweet above suggests that Monzo don’t believe it meets the definition either. As Monzo have voluntarily referred themselves to the ICO, they can make the final determination.
I haven’t actually read definitively that no unauthorised people have accessed the log files. I’ve read that no-one outside the bank has accessed the information, which is different.
Along with this comment from Monzo…
“Engineers at Monzo have access to these log files as part of their job.”
…it certainly sounds like they have been accessed. I’d be delighted for Monzo to come out and categorically state that the files were not accessed during the six month period in question.
So Simon VC saying they weren’t viewed or used isn’t definitive enough?
Did you change your PIN?

Along with this comment from Monzo…
“Engineers at Monzo have access to these log files as part of their job.”
…it certainly sounds like they have been accessed.
Just because someone has the ability to do something, doesn’t mean they have done it. The sentence you’ve quoted just explains the PIN issue, it definitely doesn’t say that someone accessed and copied or used the PINs.

I’d be delighted for Monzo to come out and categorically state that the files were not accessed during the six month period in question.
Have a look at this:
I mentioned this in a post on the other main thread. The lack of definitive definitions and oversight on the PR etc of the incident is leading to stuff like Hayes Connor.

“Has Monzo lost its shine after a series of data breaches?”
Given that we are signing up more users than ever before, our NPS remains incredibly high, and anyone who spends any time at all working on our social media can see the huge amount of delighted customer comments we continue to receive on a daily basis, I think it’s fairly obvious that the answer to this question is no.
But of course, we all knew that, and we also all know that using our company name in any way, shape, or form is a guaranteed way to get a bit of attention these days. A certain bus advert about “moving over” springs to mind.
One could probably make a fairly decent living as a freelance business consultant these days by going around the country, meeting with businesses and saying “Find some way to reference Monzo in an advert or blog post”.
It really is at the point now where people want to find an angle for anything we do. The irony is that it probably does more for us than it does for them by reinforcing us as something worth talking about.
Completely agree Simon.
It’s funny how journalists etc all want to find a story that scares the general public.
The recent outage drew a flurry of articles (click bait?) which largely repeated the information Monzo yourselves had transparently made available and used it to paint a negative picture of Monzo and the small percentage of disgruntled customers.
However, no media, so far has reacted at all to the latest Monzo blog post with its incredibly detailed account of what happened, what Monzo has learned from it and the actions you’ll take to minimise the likelihood of it happening again.
We should all take what the press (and others trying to cash in on Monzo’s success) say with a large pinch of salt.
As someone who has used Hayes Connor as a customer, in my opinion they’re not the best, they regularly ignore messages & emails, the best part is they missed the obvious (yup there’s an NDA with the third party here) they (HC) dropped my case citing lack of evidence without costing me a penny and the third party contacted me to say we screwed up, we broke GDPR we admitted it to your solicitor (Hayes Connor) but they missed it, third party wrote me a cheque and we both laughed about their (HC’s) lack of common sense.
I don’t see the PIN as data, it’s just a security code