Computer Related > Personal data security Miscellaneous
Thread Author: bathtub tom Replies: 18

 Personal data security - bathtub tom
I've been having medical treatment by a company acting for the NHS.

I received an email, purportedly, from this company with a link sending me to an unsecured website which requested my email password in order to receive the message - I declined.

I replied stating my reason.

I then received a further email (into my spam) from another address in reply, again with a link which I haven't opened.

I've contacted the company, but have only received promises they're looking into the matter. I've little faith, as they've proved their admin has been less than efficient in the past.

I believe the company have had their records compromised, revealing email addresses of clients at the very least.

Suggestions as to what I should do next? Nothing, just wait and see? Information Commissioner's Office? Police?
 Personal data security - Falkirk Bairn
NHS are responsible - get them to query the company they have hired.
 Personal data security - Zero

>> Suggestions as to what I should do next? Nothing, just wait and see? Information Commissioners
>> office? Police?
Wait and see, let the supplier look into it, at the moment you have insufficient information to report anyone to anyone.

You may be the one who has a compromised email account.
 Personal data security - No FM2R
>>Suggestions as to what I should do next? Nothing, just wait and see? Information Commissioners office? Police?

As Zero says, right now you don't know who has been compromised so there's not much to be done other than ask the company to look into it, as you have done.

Have you previously received a legitimate email from this company? Because it is more likely that the scammers have got the company's email address from you than it is getting your email address from the company concerned.

If the company had been compromised then almost certainly the internet would have lit up as they mass emailed every email address they'd got hold of. So if a Google search finds nothing, then it may well be at your end.

Equally, if it is a well known company, then it could be entirely coincidence that you got an email seemingly from a company you are actually dealing with.

If you want to send me the email I'll have a look for you if you wish.
Last edited by: No FM2R on Mon 1 Jun 20 at 18:37
 Personal data security - bathtub tom
The email appears to be from the NHS supplier, but is not one they use. A second email referring to the first has the address of a local upper school, but I can't believe any scammer would be so stupid as to do that.
The NHS supplier appear to be prevaricating, so I've alerted Action Fraud (I've read the reviews) and the Information Commissioner's Office.
There could be a lot of private medical information out there.
 Personal data security - No FM2R
Select and copy the first line of text from the email. Paste it into Google. See what you get, if anything.
 Personal data security - bathtub tom
>> Select and copy the first line of text from the email. Paste it into Google.
>> See what you get, if anything.

There is no text, just the link.
 Personal data security - Zero
>> The email appears to be from the NHS supplier, but is not one they use.

So it's not the NHS supplier.

>> A second email referring to the first has the address of a local upper school,
>> but I can't believe any scammer would be so stupid as to do that.

They are, but they may have hacked into the local upper school server.
>> The NHS supplier appear to be prevaricating, so I've alerted Action Fraud (I've read the
>> reviews) and Information Commissioners Office.

How long did you give them to react - i.e. when did the issue arise?
Last edited by: Zero on Mon 1 Jun 20 at 20:21
 Personal data security - bathtub tom
>>How long did you give them to react - ie when did the issue arise.

I received the first email Saturday afternoon and responded by clicking the link, but went no further as it asked for my email password. I emailed the NHS provider Sunday morning.
The link: hotmail.co.uk.mobileloadok.bar/message/read/35837548

The link in the second message now leads to the BBC news finance page:

bbc-business.app-web-news.com/top-trending-finance-news-exclusive?news
id=2tn1bhrrsuq


{links made non clickable as there is some doubt as to their authenticity}
Last edited by: VxFan on Tue 2 Jun 20 at 10:18
 Personal data security - Zero
>> >>How long did you give them to react - ie when did the issue arise.
>>
>>
>> I received the first email Saturday afternoon and responded by clicking the link, but went
>> no further as it asked for my email password. I emailed the NHS provider Sunday
>> morning.

So in effect you gave them 1 working day to investigate and come up with a response? You really think that is prevarication?
 Personal data security WARNING - sherlock47
Are you sure that this is a BBC site - it appears convincing but results in ad-linked pop-ups.
 Personal data security WARNING - No FM2R
That is *NOT* a BBC site. It is not even their domain.

And the other is *NOT* a Hotmail site nor their domain.

With respect, you need to look more carefully at a link *before* clicking on it.
Last edited by: No FM2R on Tue 2 Jun 20 at 07:17
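Added example, not part of any post in this thread: a way to do the "look at the link first" check above by pulling out the part of a hostname that was actually registered and comparing it with the domain the link imitates. The suffix set is a small constructed subset of the Public Suffix List, and the expected domains (hotmail.co.uk, bbc.co.uk) and function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, just enough for the samples.
# A real check should load the full list from publicsuffix.org.
SUFFIXES = {"com", "uk", "co.uk", "bar"}

def hostname(link):
    """Host part of a link; the thread's links are written without a scheme."""
    if "//" not in link:
        link = "//" + link
    return (urlsplit(link).hostname or "").rstrip(".").lower()

def registrable_domain(link):
    """Public suffix plus one label: the name somebody actually registered."""
    host = hostname(link)
    labels = host.split(".")
    # Scan left to right so the longest suffix wins ("co.uk" before "uk").
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host

def check_link(link, expected):
    """Return 'match', 'lookalike' or 'unrelated' for a link vs. a claimed domain."""
    host = hostname(link)
    if registrable_domain(link) == expected:
        return "match"
    # The brand shows up somewhere in the host, but the registered
    # domain belongs to someone else: the trick used in both links here.
    brand = expected.split(".")[0]
    if expected in host or brand in host.replace("-", ".").split("."):
        return "lookalike"
    return "unrelated"

# Sample input: the two links quoted in the thread (second one without its query).
SAMPLES = [
    ("hotmail.co.uk.mobileloadok.bar/message/read/35837548", "hotmail.co.uk"),
    ("bbc-business.app-web-news.com/top-trending-finance-news-exclusive", "bbc.co.uk"),
    ("https://www.bbc.co.uk/news/business", "bbc.co.uk"),  # constructed genuine link
]

if __name__ == "__main__":
    for link, expected in SAMPLES:
        print(f"{registrable_domain(link):20} {check_link(link, expected):10} {link}")
```

Reading right to left from the first slash is the manual equivalent: the familiar name at the left of the hostname counts for nothing.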
 Personal data security WARNING - VxFan
I've left the link addresses in place, but have made them non clickable.
 Personal data security WARNING - Zero
This is looking more and more like the issue is at your end.

It looks like a classic spoofing attack, in that someone has used a fake email address and you have responded to it. Right now I would be changing passwords on my social media and email accounts, after doing a malware scan.
 Personal data security WARNING - bathtub tom
>>Right now I would be changing passwords on my social media and email accounts, after doing a malware scan

I'd already done that, although I hadn't disclosed any info.

In my defence, I had been having treatment from the company the mail appeared to come from that had stopped during lockdown and they had my email address.
I'd heard appointments were re-starting and was expecting to hear from them.
The email account the second link came from is a school that's local to me.

Too many coincidences?
 Personal data security WARNING - smokie
This isn't any criticism of you BT as I think many would fall for it, but it does just go to show how easy it is to be tricked, esp if they can drag up a few details which mean something to someone
 Personal data security WARNING - bathtub tom
Just had a call from a 'suit' who admitted they had no technical expertise, but did admit to having a cluster of spam emails like mine to patients of theirs. Claimed they could not find a security breach, although admitted there was a geographical link! I've asked to speak to someone with more technical expertise.

'Suit' claimed they couldn't identify the source of the emails. I thought they could be traced if appearing to come from the company's address?

Any suggestions as to what questions I should ask?
 Personal data security WARNING - No FM2R
I suggest that since the technical possibilities are so many that instead you focus on the non-technical.

How have you lost my data? What data have you lost? How will you stop it happening again? Have you reported the data loss? etc etc.

If the suit doesn't understand the technical issues then focus on pressuring on the stuff that might get him into the newspaper.

 Personal data security WARNING - bathtub tom
>>If the suit doesn't understand the technical issues then focus on pressuring on the stuff that might get him into the newspaper.

I like that, didn't think of it.