[BreachExchange] Foxtons customer data leaked onto the dark web

[Destry Winant]

https://www.itpro.co.uk/security/data-breaches/358510/foxtons-customer-data-found-available-on-dark-web

Financial details belonging to customers of UK estate agency Foxtons
are widely available on the dark web following a malware attack in
October last year that affected parent company Foxtons Group.

Despite admitting that the incident affected its subsidiary Alexander
Hall, which specialises in mortgage broking, Foxtons assured its
customers at the time that no “sensitive data” had been stolen.

However, it has now been revealed that anyone with access to the dark
web can view 16,000 card details, addresses and private correspondence
- such as details of paid fees - belonging to Foxtons Group customers
prior to 2010.

ICO restarts AdTech probe following threats of legal action
Barclays faces ICO probe for 'spying on staff'
Foxtons investigates website hacking claims

The personal information has been available since at least 12 October
2020, inews reports, two days after the malware attack took place.
Since then, the files have been viewed over 15,000 times.

The company is accused of having knowledge of the availability of the
data since last month and of failing to inform its customers,
particularly those affected by the breach.

According to its website, the estate agency holds “over three million
customer records”.

Ray Walsh, digital privacy expert at ProPrivacy, told IT Pro that it’s
unsurprising that “sensitive consumer data stolen from Foxtons Group
last October is floating around the dark web”.

“This is, after all, the point of these types of hacks,” he added.

Walsh noted that around 20% of the analysed cards details stolen in
the attack are still active, “meaning that those consumers need to be
informed now so that they can cancel their cards, and check back
through their statements for any irregularity”.

“If Foxtons knew the full scale of this breach two days after the
attack – and did nothing to warn consumers – it would be an
astonishing dereliction of duty, but we must now wait for the ICO
investigation to assess what happened and what kind of fines Foxton
should face,” he said.

Foxtons reportedly informed the Information Commissioner’s Office
(ICO) of the attack last year, but Walsh believes that “it is likely a
fine will be imminent”.

“Some of the data that has been unearthed on the dark web predates
2010, and the hacker has suggested that the older information is being
used to advertise the hack while selling more up-to-date records in
secret. If this is true the risk to consumers is even bigger and it is
vital that Foxtons immediately contact all customers potentially
caught up in this mess,” he added.

However, a Foxtons spokesperson told IT Pro that the company had
"forensically been through all the stolen data and confirm it is both
old and incomplete therefore not useable by a third party and not
possible for it to cause financial loss or harm to those affected
customers".

"All necessary disclosures have been made and full details of the
attack were provided to the FCA and ICO at the time. We are satisfied
that the attack did not result in the loss of any data that could be
damaging to customers and believe that the FCA and ICO are satisfied
with our response," they added.