On 20 February 2020 there was a cyber-attack on the LOQBOX computer system. This page explains more about how the LOQBOX data breach happened.
Some financial information was also breached – namely two digits of the bank account number used to make payments to LOQBOX and card expiry dates.
There was a delay in letting customers know that LOQBOX had been hacked and that personal information had been compromised.
LOQBOX claimed that it could not contact users and let them know about the hack until it knew more about how people had been affected. So, it took over a week before many people found out that their data was at increased risk of being used in phishing scams. This placed people at increased risk of fraud and might have caused more long-term distress.
“Following the breach, I was contacted by many of the affected LOQBOX customers. Most of them were suffering a high degree of stress and anxiety.
“When a hack occurs, people often worry about their finances. As the LOQBOX breach included some degree of financial information, it’s only natural that people were concerned. LOQBOX admitted that, while the data exposed in the breach could not be used on its own to access a person’s bank account, it could be used for phishing scams.
“The bottom line is that, despite assurances from LOQBOX, it could not say with any certainty that the breach would not result in future fraud and financial loss. And, without that certainty, people were subject to increased levels of stress and apprehension.
“Of course, everyone reacts differently. But for some people, the effects of a data breach can include a lack of sleep, feeling ill, unsettled or confused. I’ve seen situations where the level of stress suffered after a privacy violation has affected a person’s relationships with their friends and family, and even their ability to do their job. So we should not play the LOQBOX hack down.
“Despite the increased risk to customers following the hack – a risk that was acknowledged by LOQBOX – it took over a week before many people found out that their data had been breached. LOQBOX said that it wanted to let people know sooner. But it felt doing so would have been irresponsible because, without knowing more, LOQBOX would not have been able to advise customers on what measures they should take to protect themselves.
“I would question this decision. My experience is that any delay in contacting victims of a data breach immediately places people at increased risk of fraud and causes more long-term distress.”
Similar data breaches have resulted in fraud, blackmail, and identity theft, so victims of the LOQBOX breach were at high risk of being targeted by cybercriminals. The delay in reporting the incident meant that victims of the breach were left even more vulnerable to cyber fraud and scams.
Following the breach, LOQBOX stated that the information “on its own cannot be used to access your bank accounts or other accounts”. However, it did, acknowledge that the data could be used for phishing scams. This is where a fraudster poses as a legitimate organisation, the police, or someone else you trust to trick you into handing over sensitive information such as usernames and passwords.
See our answers to the FAQs we get asked about the LOQBOX Data Breach.
On 20 February 2020 there was a cyber-attack on the LOQBOX computer system.
The information included in the LOQBOX data hack included:
Some financial information was also breached – namely two digits of the bank account number used to make payments to LOQBOX and card expiry dates.
LOQBOX became aware of the attack very shortly after it happened.
It immediately took steps to protect its customers’ personal information and appointed a cyber-security expert to find out more about what happened. The company took additional steps to improve the defences of the LOQBOX computer system, and it liaised with the relevant regulators – the FCA (Financial Conduct Authority) and the ICO (Information Commissioner’s Office). It also reported the incident to the police.
However, LOQBOX claimed that it could not contact victims of the breach until “we knew how you had been affected”
It said: “The simple reason it took the time it did to respond is that we had to get our response right. We had cyber-security experts going through our systems, almost immediately, in order to understand what happened and who had been affected, but this took time. We instructed a specialist law firm to make sure that we were compliant with all the relevant regulations. We also made sure that the Information Commissioner’s Office and the Financial Conduct Authority were informed about exactly how we were responding. We really wanted to let you know sooner but felt it would have been irresponsible to contact our customers with only a partial picture because you would not have known what measures you should take to protect yourselves”.
LOQBOX has contacted those affected.
KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.