AIBU?

To panic over this???? (GDPR breach)

124 replies

aconfusedperson · 06/10/2020 22:48

Hi all,

So I was emailing a company back and forth regarding a faulty product.

Included in this email thread was my full name, old address, new address, and personal mail address.

I replied to an email in the thread this afternoon and it somehow reached a customer who has a similar first name to me. She replied asking to be removed from the conversation but upon investigation, she has access to the whole thread, meaning a random stranger out there knows very personal information.

I am an extremely private person and things like this give me a lot of anxiety. I especially keep my address private due to past problems with stalkers etc.

Any advice on what to do? Can I sue this company for GDPR breach?

Thanks

BritWifeinUSA · 07/10/2020 05:42

What sort of “justice” are you hoping for? Someone to lose their job over a human error? Have you never, ever made a mistake in your life?

I’m sure the other woman just wants her complaint resolved also (I assume she also has an ongoing complaint with the company for her email address to be on the customer service database) and has no interest in stalking you or robbing you.

I’m surprised that someone whose “life was at risk” has so freely shared all sorts of information on an email chain. Email is not secure. A phone call would have been more secure. Or the old-fashioned snail mail.

BoomBoomsCousin · 07/10/2020 06:15

How would suing them stop this?

By putting a cost on the mistake that makes it a good business decision to invest in the technology and training to prevent it from happening again.

If all businesses have to do when they make a mistake is say "sorry" they will take the cheapest route they can and keep saying sorry. If they have to pay out, either through being sued or a fine, they will be more likely to invest in preventing the mistakes from happening.

Scaraffito · 07/10/2020 06:56

None of this makes sense. Emails aren't encrypted, you wouldn't need to submit bank details to receive a cheque, and you say the woman replied saying please delete me from this, but later on say you emailed them and had no reply? Also there is no way if you reply just to the company email address it will coincidentally ping to someone random but with a similar name, unless they have set up a forwarding rule which is extremely unlikely. Report it to them by all means, but I'm not really sure what you want?

BigBadVoodooHat · 07/10/2020 07:10

@Scaraffito

None of this makes sense. Emails aren't encrypted, you wouldn't need to submit bank details to receive a cheque, and you say the woman replied saying please delete me from this, but later on say you emailed them and had no reply? Also there is no way if you reply just to the company email address it will coincidentally ping to someone random but with a similar name, unless they have set up a forwarding rule which is extremely unlikely. Report it to them by all means, but I'm not really sure what you want?

Yeah, it’s quite a garbled mess and makes very little sense

springiscoming12 · 07/10/2020 07:23

Sounds like the company made a mistake (remember when those were allowed??) and you are being completely ott about the situation. By all means report them though, if you’re lucky enough maybe the poor employee who was emailing you will lose their job in the middle of a pandemic.

022828MAN · 07/10/2020 07:28

Do you generally catastrophise?
I don't mean that in a condescending way, it sounds like given the history of harassment and stalking you're probably particularly on edge. But I wouldn't give this a second's more thought.

OverTheRainbow88 · 07/10/2020 07:35

Call the bank ASAP and cancel your cards, new ones can get sent out and to you within 3 days.

Personally, I wouldn’t bother suing, could waste a lot of your time and effort.

I was under mental health care and the team leader sent me a generic message about a group session... and made it (by mistake) into a group text message, so we were all receiving each other’s replies... about mental health!!! This was a NHS mental health team- didn’t even cross my mind to sue, I called them, explained the mistake, they were mortified... done!

whatsyournamenow · 07/10/2020 07:37

@OverTheRainbow88 why would OP need to cancel her cards? She gave her bank details, so I presume account number and sort code?

What would cancelling her card achieve? It'll still be the same bank details.

MasksGlovesSoapScrubs · 07/10/2020 07:37

In an email you put your personal information and bank details? WHY?! How silly.

KatherineJaneway · 07/10/2020 07:39

I am after justice!!

What does that mean to you? What outcome would satisfy you?

OverTheRainbow88 · 07/10/2020 07:39

@whatsyournamenow

Oh haha oops!!!

Butchyrestingface · 07/10/2020 07:39

The woman asked to be removed from the thread. Doesn't suggest she intends to go all Single White Female on you.

Flag a concern by all means but otherwise, get a hold of yourself.

Florencex · 07/10/2020 07:41

@BoomBoomsCousin

How would suing them stop this?

By putting a cost on the mistake that makes it a good business decision to invest in the technology and training to prevent it from happening again.

If all businesses have to do when they make a mistake is say "sorry" they will take the cheapest route they can and keep saying sorry. If they have to pay out, either through being sued or a fine, they will be more likely to invest in preventing the mistakes from happening.

Don’t be ridiculous. Mistakes happen. All the technology in the world won’t stop the odd incident of a human being copying an incorrect person into an email.

Thankfully our laws are not in agreement with your thinking and this is not a “suable” matter.

ImSleepingBeauty · 07/10/2020 07:50

I made a complaint to the ICO about a GDPR breach by an estate agent.
They found in my favour.
All the EA had to do was apologise and remove my data from their records.
That’s it.
They caused me a load of stress it was very upsetting for me but all they had to do was say sorry, which they did through gritted teeth.

Don’t expect much even if you ‘win’ your complaint.

chomalungma · 07/10/2020 07:56

I am very confused as to how this happened.

I then replied to the ENCRYPTED thread asking for a cheque to be sent. This was at 9-something PM and their offices all close at 6pm. The email was not forwarded due to human error. They either have some sort of bug or their system is just not built well and the email automatically got bounced to a customer. There is no good reason why she should have or could have received the email

I am struggling to see how an encrypted email gets bounced to another customer.

I work in GDPR and deal with encrypted email systems a lot.

I can't really see how this could happen.

C8H10N4O2 · 07/10/2020 07:59

How would suing them stop this?

By putting a cost on the mistake that makes it a good business decision to invest in the technology and training to prevent it from happening again

Exactly. Most people in this situation want the problem rectified and the company to fix its inept processes. People talk about "suing" because they don't know how else to express it.

I'm astonished how complacent people are about personal financial information being shared (which absolutely can be used for fraud) which could result in them having bad credit ratings and losing money. If you are a previous victim of stalking/abuse then it's also terrifying.

OP as others have said, report the breach both to the company and the ICO.

MoonJelly · 07/10/2020 08:03

If the lady who received the email chain was planning on hacking into your account or stealing your details, it's not really likely she would have revealed herself by asking to be removed from the thread. You know in your heart of hearts that the very strong likelihood is that she's an innocent stranger who has already forgotten all about this. However, if you are worried you can contact your bank and get them to change your bank account number.

People assume that, when you say you want to sue, you must be after money because that is the normal remedy you get by suing. What would you be claiming for instead?

MoonJelly · 07/10/2020 08:06

Bear in mind no-one can use your bank account details for anything useful without things like passwords and your debit card number.

pastandpresent · 07/10/2020 08:07

Great post, C8H10N4O2.

chomalungma · 07/10/2020 08:09

OP as others have said, report the breach both to the company and the ICO

Or ask for more details on how it happened, ask them to see their response, and if not happy, report to the ICO

Organisations have to self report if they feel the breach was serious enough.

Seriousness depends on many things - it could be a high volume of not very sensitive information or a low volume of extremely sensitive information.

Failure to report can affect the level of penalty.

But - they need to find out what happened first.

I would be interested to see technically what has happened - especially if it involves a secure email system like Egress for example.

dontdisturbmenow · 07/10/2020 08:13

So you acting all paranoid about it from your first post but forgot to mention your bank details were on it. Yeah right!

tigger1001 · 07/10/2020 08:15

@chomalungma

OP as others have said, report the breach both to the company and the ICO

Or ask for more details on how it happened, ask them to see their response, and if not happy, report to the ICO

Organisations have to self report if they feel the breach was serious enough.

Seriousness depends on many things - it could be a high volume of not very sensitive information or a low volume of extremely sensitive information.

Failure to report can affect the level of penalty.

But - they need to find out what happened first.

I would be interested to see technically what has happened - especially if it involves a secure email system like Egress for example.

This seems to be the correct measured response. That's what I would do.

Xenia · 07/10/2020 08:17

My bank details go on every invoice to a client so loads of people have them and that does not concern me as they do not have the rest of the details to hack in.

Here, if you want money from the company you would need to sue not just complain to the ICO but it is unlikely it would be worth it once you had paid for the costs etc particularly as litigation is risky and you might not win. It is probably best just to think how lovely the lady is who got it by mistake and wants no further contact other than telling you and that everyone makes mistakes and leave it at that.

loobyloo1234 · 07/10/2020 08:29

Sue them? Do you think this other customer is somehow miraculously going to be an opportunist and use your details in some way?

Human error. It happens. Maybe YOU should be more careful when sending emails to make sure they are going to the right person

ChocoholicMama · 07/10/2020 08:31

Random emails do not get automatically added to emails. Either a human accidentally added it or the system is set up to add an email (highly unlikely) and picked the wrong one (even more unlikely). The data you've got in the email is not realistically going to cause any problems, even in the wrong hands, and it's realistically not going to end up in the hands of the person(s) you moved away from. Bear in mind the random customer had a breach too as you now have her email address which is her personal information. And you've directly emailed her on that email address, which you should not have done. Report the breach to the company and let them investigate what happened and deal with it. Forget about suing, stop stressing over it (you'll only harm yourself), and don't email the other customer again.