Touchnote Hack – A Notification Failure? | DMA


The personalised postcard company reported it has become the latest UK online service to have lost the personal information of millions of individuals as a result of an attack on its systems.

It seems I am one of them, but it looks like they are not planning on telling me. This seems to me a big hole in their breach notification strategy.

I am not one of their customers, but somebody I know is and I have received postcards via their service. So my address details are in their systems. I know that my data is part of the breach only because the person who is the account holder told me they had received an email confirming that the information in their account was amongst the stolen records – and that includes my address.

However, Touchnote seems not to be too concerned about this, as its online notice about the incident contains the following:

We also confirm the card recipient’s name and postal address regrettably has been stolen as part of this data theft. However there is no action required by the recipient as this information alone cannot cause identity breach.

Now, I have taken care to avoid my address information being widely available. I opt out of the edited electoral register, and have registered with the Mail Preference Service. As a result I don’t get much promotional mail – which I am happy about as it saves everybody time and money, not to mention the environment.

I am now expecting this to change as the criminals will no doubt seek to get a return on their investment by selling my details on.

Worse than this, an obvious attack would now be to send me some mail, perhaps pretending to be Touchnote, to try and sell me some kind of identity protection. It is not too hard to imagine how a cleverly worded letter, perhaps referencing the online news about the hack, could find enough people who would fall for some con that will result in them handing over money to the criminals. It would be even more effective if the criminals also had copies of the images used in past postcards – although this appears not to be the case.

Consider that the nature of the Touchnote service probably means the addresses of lots of elderly relatives, who love to get personalised postcards of the grandchildren on holiday, are included. There are already too many stories of the exploitation of the elderly and vulnerable in this way to not consider this a serious threat. Then of course such people also get added to ‘suckers’ lists and further monetised.

So Touchnote may be doing a reasonable job informing its customers, but logically, this represents less than half of the people who have had their information compromised. At the moment it appears they have not thought about risks to them.

It is worth noting that under new breach notification rules in the forthcoming EU GDPR, all data subjects have a right to be notified when a breach takes place. Companies need to realise that this means a lot more people than just their paying customers.

Editorial Note: A correction was made at 15.30 on the date of publication. The original article stated it was not known if Touchnote had lost uploaded photos. It was later stated that no photos were accessed illegally in the hack. This is now clear in the article.
