[BreachExchange] Jaywing suffers data breach affecting CollectPlus, Vodafone and other clients

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 10 20:15:19 EST 2017


http://www.thedrum.com/news/2017/11/10/jaywing-suffers-data-breach-affecting-collectplus-vodafone-and-other-clients

Digital and CRM agency Jaywing has suffered a security breach after its
intranet was exposed following a routine update, leaking private
information from client CollectPlus as well as internal documents for
Vodafone.

The intranet – usually a depository for internal material like training
manuals – for the Jaywing Contact division, which does customer servicing,
customer research and telemarketing for clients, underwent an upgrade on 17
September.

However, the leak was only detected last week by Reviews.io, a company
which as part of its services will scan the internet looking for mentions
of brands and their employees.

Its chief executive Callum McKeefery told The Drum that its algorithm found
a link to the internal site leading to what he described as a “black hole”
of data.

He reported it to Jaywing as well as clients that he’d identified including
CollectPlus and Vodafone.

Jaywing Contact’s managing director Chris Hancock confirmed that four
clients in total had been affected but declined to name the other two.

For three clients, no customer data was implicated but for CollectPlus some
personal customer data was exposed as well as some employee log-in
information, giving access to CollectPlus’ parcel tracking system.

Hancock admitted that while this “shouldn’t have been on [the
intranet]” none of the data was sensitive, such as bank account details.

He added that it currently amounts to 11,200 records of which the majority
were contained within a single document looked at by a single IP address,
meaning it has not been widely accessed.

A spokesperson for CollectPlus said it was aware that a limited amount of
non-sensitive customer contact information was accessible publicly for a
short time.

“We believe that the incident impacted a very small proportion of our
customers and the technical issue has now been contained,” they said.

“We are working closely with our service provider to ensure this does not
happen again. We take the security of our customer data extremely seriously
and will continue to work closely with our partners and suppliers to ensure
that they adhere to security best practices.”

Meanwhile, a Vodafone spokesperson said it had conducted a “thorough
investigation and there has been no breach of customer-related data.”

Though not legally necessary, Jaywing said the Information Commissioner's
Office (ICO) had been informed as a matter of good practice.

An ICO spokesperson said: “Businesses and organisations are required under
the Data Protection Act to keep people’s personal data safe and secure. If
people have concerns about the way an organisation is handling their
personal data, they can report them to us.”

It comes ahead of the implementation of the European Union (EU) General
Data Protection Regulations (GDPR), a wide ranging reform which, among
other things, will require companies to report any data breaches within 72
hours or risk a fine standing at €20m, or 4% of an organisation’s global
revenue.