Post by NottinghamMatt on Jan 31, 2023 17:19:48 GMT
Afternoon,

Sure that most people on here have bought tickets from one Planet Ice rink or another.

www.bbc.co.uk/news/uk-england-bristol-64388071

I haven't had the email to customers mentioned in the article but someone I work with who goes to Storm games regularly did last week, but it comes up against my personal email address on haveibeenpwned.com/

I'm waiting for their data controller to get back to me as to exactly what they've lost and what steps they're taking but haveibeenpwned reckons at least the following have been breached: Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases

Worth changing passwords if you used the same on Planet Ice as anywhere else to be on the safe side!
|
|
|
Post by spik on Jan 31, 2023 18:35:18 GMT
Got my email today from them.
|
|
|
Post by NottinghamMatt on Jan 31, 2023 19:20:36 GMT
> Got my email today from them.

Does it give any useful information on what's happened and what they've lost?
|
|
|
Post by spik on Jan 31, 2023 21:12:24 GMT
>> Got my email today from them.
>
> Does it give any useful information on what's happened and what they've lost?

Their points are 'What happened', 'What info is involved', 'What have we done', 'What you can do'. If you send me your email via PM I can forward you a copy.
|
|
|
Post by spik on Jan 31, 2023 21:18:05 GMT
Better still....

Dear Customer,

Following the recent security incident involving the data of some customers of Planet ice we felt we should provide some additional information. We do not hold payment card details and the affected data is limited. However, we want to advise our customers to be vigilant for scam emails, calls and texts. We take the protection of customer data extremely seriously and we are sorry this has happened.

What happened?

We were the target of an attack that has resulted in unauthorised access to a system that contained historic customer data and our team responded quickly and there has been no subsequent unauthorised access to this server. We are engaging with the relevant authorities as necessary.

What information is involved?

Only limited information is held on our system which consists of full name, address, ice card membership number (if applicable), email address, phone number, and order details.

What have we done?

We have undertaken a full review of our systems and as a result we have introduced a number of improvements.

What you can do

While you do not need to take any specific action, please remain vigilant to fraud attempts and be alert for any suspicious emails, calls or texts and avoid clicking on links in any unexpected emails or texts. You can also find helpful information about protecting yourself from phishing scams at the National Cyber Security Centre at ncsc.gov.uk/collection/phishing-scams/spot-scams. If you want to report any suspicious activity to law enforcement, please contact Action Fraud (the UK’s National Fraud and Cyber Crime Reporting Centre) at actionfraud.police.uk.

Additionally you can use this online tool, www.f-secure.com/gb-en/home/free-tools/identity-theft-checker, to check if your data has been involved in a data breach.

Please do not reply to this email. If you would like to contact us about this matter, you can email us at dataprotect@imp-uk.co.uk
|
|
|
Post by NottinghamMatt on Feb 1, 2023 13:12:18 GMT
Looks like a nice and generic one.
Interesting that haveibeenpwned reckons they've lost passwords too but they don't reference it. Waiting for an F-Secure scan to come through to see what that says if it ever comes through!
|
|
|
Post by spik on Feb 1, 2023 14:26:00 GMT
I notice I can’t reply to that email. What might be the best contact email I should write to them?
Sure I’ve not been to any Planet Ice rinks for years. Surely after so long I should be deleted from the system?
|
|
|
Post by NottinghamMatt on Feb 1, 2023 15:57:33 GMT
> I notice I can’t reply to that email. What might be the best contact email I should write to them? Sure I’ve not been to any Planet Ice rinks for years. Surely after so long I should be deleted from the system?

dataprotect@imp-uk.co.uk is the one they've asked you to use and which I emailed with no reply as yet, which looks like the people who do their ticketing/event management, previously known as Ice Media Productions Ltd; can't find them on Companies House or Data Protection Register. A quick search of the Data Protection Register seems to show each rink as a separate listing without a holding company.

You'd think/I'd say they should have some process to purge old client data, evidently not.
|
|
|
Post by bobness on Feb 5, 2023 17:34:15 GMT
>> I notice I can’t reply to that email. What might be the best contact email I should write to them? Sure I’ve not been to any Planet Ice rinks for years. Surely after so long I should be deleted from the system?
>
> dataprotect@imp-uk.co.uk is the one they've asked you to use and which I emailed with no reply as yet, which looks like the people who do their ticketing/event management, previously known as Ice Media Productions Ltd; can't find them on Companies House or Data Protection Register. A quick search of the Data Protection Register seems to show each rink as a separate listing without a holding company. You'd think/I'd say they should have some process to purge old client data, evidently not.

Under GDPR, personal data should only be kept as long as needed to be. However, if you have an account with the third party (buying tickets etc) the data will probably be kept as long as the account is "active".

And that's where the grey area comes in, I think. Would you be annoyed if you'd not bought a ticket from a rink for 2 seasons, and they said you needed to reregister all over again, as they have deleted your data due to inactivity?

Maybe you would, but this kind of thing is what GDPR is getting at. You shouldn't just keep personal data forever, in any structured format.
|
|
|
Post by NottinghamMatt on Feb 6, 2023 7:51:08 GMT
>> dataprotect@imp-uk.co.uk is the one they've asked you to use and which I emailed with no reply as yet, which looks like the people who do their ticketing/event management, previously known as Ice Media Productions Ltd; can't find them on Companies House or Data Protection Register. A quick search of the Data Protection Register seems to show each rink as a separate listing without a holding company. You'd think/I'd say they should have some process to purge old client data, evidently not.
>
> Under GDPR, personal data should only be kept as long as needed to be. However, if you have an account with the third party (buying tickets etc) the data will probably be kept as long as the account is "active". And that's where the grey area comes in, I think. Would you be annoyed if you'd not bought a ticket from a rink for 2 seasons, and they said you needed to reregister all over again, as they have deleted your data due to inactivity? Maybe you would, but this kind of thing is what GDPR is getting at. You shouldn't just keep personal data forever, in any structured format.

No I wouldn't because most organisations have a GDPR policy that tells you how long they keep it for. So if that was 2 years of inactivity then so be it.

Don't think the ICO are going to be particularly impressed but given IMP UK aren't registered as a data processor as far as I can see it's not looking good for them. It's a week tomorrow since I contacted them and no response still. Tempted to do a subject access request next for my amusement!
|
|
|
Post by NottinghamMatt on Feb 7, 2023 17:11:28 GMT
> Tempted to do a subject access request next for my amusement!

I'm amused, they took an email which specifically asked "Can you please advise what if any of my personal data you hold has been breached? What steps have and are being taken regarding this? Based on your assessment of the data what steps should I take to protect myself?" as a subject access request and replied accordingly!