
Author Topic: CurrysPCWorld Data Breach  (Read 13482 times)


Banjo

CurrysPCWorld Data Breach
« on: October 15, 2018, 10:41:11 am »
On 13 June 2018 CurrysPCWorld advised its customers:
Quote
"I am writing to you as a precaution after we discovered during a review of our systems that some non-financial personal data held by Currys PC World and Dixons Travel had been accessed in the past using sophisticated malware."

So following a Subject Access Request it transpires that CurrysPCWorld potentially hold and use a substantial amount of data about its customers.

Confirm to me whether my personal data is being processed?

Quote
"We collect personal information about you when you visit one of our stores, use our Websites (“Websites”), or use our web or mobile device applications (“Mobile Apps”) or if you communicate with us by phone, e-mail and social media. We refer to our Websites and Apps collectively as “Online Services”.
 
The types of personal information we collect includes:
 
• Personal details such as your name, address, date of birth, email address, phone number and other contact information
• Transaction information, such as the product you purchased, its price, your method of payment and your payment details.
• Information about you like your employment details, financial position and information taken from identification documents like your passport or driving licence when we review your application for insurance or loans offered by selected third-party partners
• Your account information – such as dates of payments owed and received, the subscription services you use or any other information related to your account
• The phone numbers that you call/send messages to or the phone numbers that you receive calls/messages from.
• The date and time of the calls and messages you send or receive through our network, and your location at the time these communications take place.
 
When you’re online the information we collect includes:
 
• Account information, like your username, password, and other identifiers or credentials you use to access our online services or to buy our products and services, details of your shopping preferences, such as your favourite brands and products, as well as which of our stores you prefer to shop in
• Details of your visits to the Website, in-store WIFI or App and the resources that you access. Examples include ads that you click, device information and your location
• IP address and cookie data
• Information that you provide in your dealings with us. This includes when you register to use our online services, or when you subscribe to our services or request further services and/or information from us.
 
The situations when you provide personal information could include when you:
 
• Purchase products at our stores or through our contact centre
• Register or use our Online Services
• Request to receive marketing or other communications
• Use our Wi-Fi networks or other in-store tech
• Enter one of our competitions or when you complete one of our customer surveys
• Submit information when you’re providing feedback
• Use interactive features of our Online Services.
 
Which countries my personal data is stored:
 
From time to time we may transfer your personal information to our suppliers, service providers and other company offices based outside of the European Economic Area (EEA) for the purposes described in this privacy policy. If we do this your personal information will continue to be subject to one or more appropriate safeguards set out in the law.
 
If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:
 
• We'll transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Learn more on the European Commission Justice website.
• We'll put in place a contract with the recipient that means they must protect it to the same standards as the EEA. Read more about this here on the European Commission Justice website.
 
Who we share your personal information with:
 
We share personal information within the Dixons Carphone PLC Group. Members of the Dixons Carphone Group that receive this information are not authorised to use or disclose the information except as provided in this privacy policy.
 
Our service providers
 
We work with partners, suppliers, insurers and agencies so they can process your personal information on our behalf and only where they meet our standards on the processing of data and security. We only share information that helps them provide their services to us or to help them provide their services to you. For example, some of our service providers place advertising for us online, about our products and services and those of our retail partners, suppliers and third parties. As a result, where you have indicated you are happy to receive marketing from us, you might see online advertising that we have placed on the web sites you visit, or the interactive services you use.
 
Other organisations and individuals
 
We may transfer your personal information to other organisations in certain scenarios. For example:
 
• When you apply for credit or purchase an insurance product we’ll pass on your information to trusted third party partners responsible for these products. Please note we act as a credit broker and not as a lender in respect of our insurance products credit facility within our UK and Republic of Ireland stores
• If required to by law, under any code of practice by which we are bound or we’re asked to do so by a public or regulatory authority such as the Police or the Department for Work and Pensions
• Information may also be shared with fraud prevention agencies to prevent fraudulent claims
• If we need to do so in order to exercise or protect our legal rights, users, systems and services
• In response to requests from individuals (or their representatives) seeking to protect their legal rights or the rights of others.
• With emergency services (if you make an emergency call), including your approximate location

Credit Reference Agencies
 
In order to process your application we’ll supply your personal information to credit reference agencies (CRAs) and they will give us information about you.
 
This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information. We will use this information to:
 
• Assess your creditworthiness and whether you can afford to take the product
• Verify the accuracy of the data you have provided to us
• Prevent criminal activity, fraud and money laundering
• Trace and recover debts
• To make sure any offers provided to you are appropriate to your circumstances.
 
We'll also continue to exchange information about you with CRAs on an on-going basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates.
 
The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at www.equifax.co.uk/crain
 
How long you store my personal data?
 
We will keep your personal information for as long as you’re a customer. If you haven’t made a purchase or engaged with us for 3 years or more, then we’ll remove you from our marketing mailing lists. After you stop being a customer, we may keep your data for up to 7 years after the last time you interacted with us. This could include one of the ways specified in ‘How we use your personal information’ and for one of these reasons:
 
• To respond to any questions or complaints
• To show that we treated you fairly
• To maintain records according to rules that apply to us
• To establish, bring or defend legal claims.
 
We may keep your data for longer than 7 years if we cannot delete it for legal, regulatory or technical reasons. We may also keep it in order to help support product recalls or safety notices. If we do, we will make sure that your privacy is protected and only use it for those purposes. We do not retain personal information in an identifiable format for longer than is necessary.
 
What safeguards have been put in place?
 
• Data encryption during transfer and rest
• If data is transferred we will use a secure approved method to do this
• Access control
• No physical transfer of the data to the 3rd parties' network but rather keeping it within our secure network and only providing access
• Ensure that those that have access to the data have completed Information/GDPR training
• Right to audit 3rd parties
• Audit trail of access and changes to personal data
• We can obtain data destruction certificates from 3rd parties to ensure that they follow our stipulated retention periods
 
Our Policies and Standards are in line with ISO27001
 
Collecting personal data about me from any source other than me
 
In order to process your application we’ll supply your personal information to credit reference agencies (CRAs) and they will give us information about you.
 
This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information. We will use this information to:
 
• Assess your creditworthiness and whether you can afford to take the product
• Verify the accuracy of the data you have provided to us
• Prevent criminal activity, fraud and money laundering
• Trace and recover debts
• To make sure any offers provided to you are appropriate to your circumstances.
 
We’ll also continue to exchange information about you with CRAs on an on-going basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates.   
 
The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at www.equifax.co.uk/crai
 
I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.
 
No. All companies within the Dixons Carphone Group use technical and organisational security measures to protect the personal information supplied by you against loss, destruction, and any unauthorised access by third parties. All of our employees complete mandatory GDPR and Information Security training.
 
We have extensive security measures in place which naturally includes encryption where appropriate but specific details of our security measures are confidential in order to preserve their purpose. As per our answer above we align our security standards to ISO27001 which should provide you with the assurance you are looking for."