LoqBox Cyber Attack

Hello Monzo,

LoqBox has informed it users on the 20thnof February it has become a victim of a Cyberatack.

We are writing to inform you of a cyber-attack on the LOQBOX computer system.

We became aware of the attack very shortly after it happened on 20 February 2020 at which point we immediately took steps to protect the system and your personal information. We also appointed cyber-security experts to help us find out how it happened and whether our customers were at risk.

Since the attack, we have been working to establish the extent of the issue. We could not contact you until we knew how you had been affected. Based on the findings of our investigation, which is still ongoing, it is extremely likely that some of our customers’ personal information has been compromised by the attackers.

We are deeply sorry to inform you that this included some of your personal information, such as your name, postal address, date of birth, email address, phone number and the following payment information linked to your LOQBOX:

• the first six and last four digits of your 16-digit card number; and

• your card expiry date.

This information on its own cannot be used to access your bank accounts or other accounts. However, it could be used for “phishing” scams. This is where an individual or someone posing as a legitimate business lures you into providing sensitive information such as usernames and passwords. We need you to be aware of this so that you can take any necessary precautions against this, including some of the steps listed below.

Please be assured that all LOQBOX Funds remain absolutely secure and whilst we are deeply concerned about what has happened, the business is still functioning completely as normal.

We are doing everything we can to understand how this happened. We know from our security experts that this was a sophisticated attack. We constantly monitor our systems but have now taken further steps to improve the defences of the LOQBOX computer system. We are also liaising with the relevant regulators and have reported the incident to the police.

Should I replace my cards instantly?

No.

However, you will want to watch out you don’t fall for any phishing scams in the event someone’s trying to fill the gaps in the data. Never give usernames or passwords, or PINs to anyone, and don’t take phone calls from anyone claiming to be your bank.

I’m presuming you’ve not pasted all the email in as there are no ‘steps listed below’, so some of the above may have been covered already for you.

Incidentally, this is incredibly poor security from LoqBox. I can only imagine they’ll get hit with a huge fine for this. Name AND address AND d.o.b. AND phone AND email? Ouch.

Hi thank you for your response this is the other part of the email.

What steps can you take to protect yourself?

We suggest that you contact your bank or card issuer for advice on whether you should take any action. Unfortunately, such attacks are now common and so your bank or card issuer will be experienced in advising customers on what to do. They will also be able to help you identify any suspicious activity.

You should be careful of inbound telephone calls, emails or texts that make reference to your bank account or where you are being asked for further personal information. These may be attempted phishing scams. Such communications can often be very convincing, especially when received on a mobile phone.

LOQBOX will never call, text, or email you to ask for your full bank account number or card details. If you suspect any unusual activity, we recommend that you contact your bank or card issuer straight away.

Action Fraud has published some helpful information on how individuals can protect themselves from fraud and cyber crime and can also be contacted for advice.

I am just wondering is their a legal claws that now I can back out of my LoqBox agreement as if has failed to protect customer data?

These two paragraphs offer the best advice on how to protect yourself now your data is potentially out there. In practice it means if you get an official sounding phone call where they know some things about you and just need you to confirm others - be it from someone claiming to be your bank, LoqBox, or another company you use - then you can’t trust them and shouldn’t reveal information.

I’m afraid I don’t know about the LoqBox agreement so can’t advise specifically on that. Complaining to customer services about loss of confidence following the hack might be the first thing to try, see what they say, and take it from there.

Thank you,

Spoken to Mozno within the app they have replaced the card and will be informing their fraud team.

Due to this will most likely effect Monzo customers using LoqBox.

I don’t trust them anymore and I’m going to close my account. Now they’re going to ask me to pay them their silly £30 for just getting my own money back after they lose my personal info into the wild. So I’m actually going to pay them for giving up my identity to the criminals.

So what do you guys think, is there a legal ground to deman to return my money back for free after such an accident?

Hi,

I do believe I have discovered a legal claws, I have contacted customer service and spoken to a solisitor this evening.

LoqBox can either return me my money without the £30 charge or I can legally sue LoqBox for failure to protect my customer data.

LoqBox will likely chose to return the money, as I’d they get sued they would lose due to the scale of the data breache.

I suggest you contact customer support.

Please also ask Mozno to replace your monzo card if you used your Monzo card with LoqBox.

[Your full address]
[Phone number]
[The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Information rights concern
[Your full name and address and any other details such as account number to help identify you]

I am concerned that you have not handled my personal information properly.

[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].

Yours faithfully
[Signature]

(We need to send this to LoqBox before we can begin to report them to ICO, then take them to a small claims court for the data breach as outlined in https://www.which.co.uk/consumer-rights/advice/my-data-has-been-lost-what-are-my-rights)

LoqBox will likely apply as if they are to get sued, the amount can range https://www.forbessolicitors.co.uk/personal/data-breach-claims.htm

This is nit good I only just started using them for two mouths thought it was a good idea now this happend I do nit fill I can trust them. I do use my monzo car with them as its my main bank.
I nit got this email yet from them.

Speak to customer services, and get your money back without the £30 fee.

You can set up a Monese account for free and then withdraw the money from Loqbox to that account. That’s what I did and it costs nothing. You can also use Pockit which is a prepaid card and withdraw from Loqbox for free but transfers cost 99p I think.

Or you can use any of their partnered banks: TSB, RBS, NatWest, Shepherds Friendly

If you already have an account with any of these banks/pre-paid cards then you can use them and withdraw from LoqBox for free.

|### LOQBOX help team help@loqbox.co.uk|16:30 (11 minutes ago)||

to me

|

Hello David,

We are sorry to hear that you want to cancel your LOQBOX as a result of this but we do understand.

In this instance we are able to offer you a free Flexi Unlock which will allow you to redeem your LOQBOX Funds to your existing account free of charge. When you are ready, just log in and unlock the LOQBOX and select Flexi Unlock. We have set your account to have a free Flexi Unlock. Your LOQBOX Funds will be sent the next working day.

If you have any problems please do let us know.

Kind regards,

Josh you can get free withdrawal, just ask customer service.

At least they gave free withdrawal. I sent message to them as well.

Very strange they didn’t even recommended to change passwords in this information email, very irresponsible of them…

Yeah you can do it, but then you’ll need to provide LOQBOX with some more of your banking information which sounds like a stupid idea.

PS: Just in case if you wonder how else I’ll get money out I can always give them some credentials for transfer that are not a bank, e.g Transferwise account where I never keep a lot of money.

Only time will tell, when we start getting random calls who our personal infomation has been sold onto.

You trying to make sure that anyone who didn’t get your email in the hack now has it?

I have deleted the email anywho, the gmail account is closed.

You can also self register on CIFAS, it puts a marker on your credit record that you could be at risk of identity theft and it forces financial companies to perform more stringent checks on any applications for credit etc.

The passwords probably didn’t get stolen, otherwise they would have said I assume.

True, but I will begin to Sue LoqBox Monday for failure to protect my data as with ICO regulations.