Ffrees information security incident

This page answers key questions about an information security incident that was identified and rectified

An incident was identified where information was temporarily exposed on one of our systems. It was immediately rectified so that the affected information was no longer exposed, but we do know that there was one incident of unauthorised access to the information, that was reported and dealt with promptly.

The exposure involved information held by Ffrees between 2012 and early 2014. It included personal information and Ffrees account information for some accounts. Some Ffrees account passwords stored in an encrypted form were also accessed.

For security reasons we have been advised not to go into detail about how the information was accessed, but we can confirm that we immediately reviewed and re-established full security measures immediately upon being notified of the problem.

No, we do not believe this incident is connected to the recent cyber attack or to the WannaCry / WannaCrypt ransomware.

There was an incident of unauthorised access to the information, which included some personal data. We’ve seen no evidence nor received any reports that the exposed information has been misused. However, there is a risk of misuse so we recommend the following precautions that will help to keep your information safe:

  • If you have a Ffrees Account, you’ll need to change your password next time you log in
    We’ve secured your account by disabling your old password, so you’ll need to set a new password next time you log in. On-screen instructions will take you through this process securely.
  • If you use other services with passwords that are the same or similar to your Ffrees password, you should also change those straight away.
  • Stay vigilant for any signs of identity theft
    Although we are not aware of identity theft arising from this incident, we strongly advise you take the recommended precautions at ico.org.uk/for-the-public/identity-theft/.

We have identified two main risks: A potential risk of identity theft and, if you have a Ffrees Account, a potential risk to the security of your Ffrees password.

Risk of identity theft: There is a potential risk that your personal data could be used for identity theft so stay vigilant. Although we are not aware of identity theft arising from this incident, we strongly advise you take the recommended precautions at ico.org.uk/for-the-public/identity-theft/.

Although we are not aware of identity theft arising from this incident, we strongly advise you take the recommended precautions.

Risk to password security: Account passwords in the database were stored using encryption, however, as a precaution we’ve secured your account by disabling your old password, so you’ll need to set a new password next time you log in. On-screen instructions will take you through this process securely.

If you use other services with passwords that are the same or similar to your Ffrees password, you should also change those straight away.

Since it was identified, managing this incident has been our top priority. A summary of what we’ve done so far:

  • We have rectified the exposure and made sure our systems are secure.
  • We have appointed independent security advisors to ensure we are doing everything we can to respond to the incident in the best way possible, to ensure best practice and to protect customers.
  • We have notified people affected by this incident.
  • We have notified the Information Commissioner’s Office (ICO).
  • We are monitoring accounts for signs of suspicious activity, in line with our normal anti-fraud processes.
  • We are continuing to investigate the incident.

It is unlikely that your Ffrees account could have been accessed as a result of the incident, but as a precaution we’ve secured your account by disabling your old password, so you’ll need to set a new password next time you log in. On-screen instructions will take you through this process securely.

There is a risk that your personal data could be used for identity theft. Although we are not aware of identity theft arising from this incident, we strongly advise you take the recommended precautions at ico.org.uk/for-the-public/identity-theft/.

It is unlikely that your Ffrees account could have been accessed as a result of the breach, but as a precaution you should change your password straight away. There is a risk that your personal data could be used for identity theft. You can find out more about the signs of identity theft, and what you can do about it, on the Information Commissioner’s website, here: ico.org.uk/for-the-public/identity-theft/.

Even if you’ve closed your Ffrees Account, there is a risk that your personal data could be used for identity theft. Although we are not aware of identity theft arising from this incident, we strongly advise you take the recommended precautions at ico.org.uk/for-the-public/identity-theft/.

If you held a Ffrees Account between 2012 and 2014 then some of your personal data may have been exposed. The U Account team has taken the precaution of securing your account by disabling your old password, so you’ll need to set a new password next time you log in.

On-screen instructions will take you through this process securely.

If you use other services with passwords that are the same or similar to your Ffrees password, you should also change those straight away.

There is a risk that your personal data could be used for identity theft. Although we are not aware of identity theft arising from this incident, we strongly advise you take the recommended precautions at ico.org.uk/for-the-public/identity-theft/.

No. We’ve disabled your old password so your account can’t be accessed. You only need to change your password if you’re still using your Ffrees Account.

  • If you opened a Ffrees Account between 2012 and 2014, we’ve already taken the precaution of securing your account by disabling the old password, so you’ll need to set a new password next time you log in. On-screen instructions will take you through this process securely.
  • If you switched to a U Account, we’ve already taken the precaution of securing your account by disabling the old password, so you’ll need to set a new password next time you log in. On-screen instructions will take you through this process securely.
  • f you use other services with passwords that are the same or similar to your Ffrees password, you should also change those straight away.
  • Although we are not aware of identity theft arising from this incident, we strongly advise you take the recommended precautions at ico.org.uk/for-the-public/identity-theft/.

The following are the key signs that your identity might have been stolen:

  • Mail from your bank or utility provider doesn’t arrive.
  • Items that you don’t recognise appear on your bank or credit card statement.
  • You apply for state benefits, but are told you are already claiming.
  • You receive bills or receipts for goods or services you haven’t asked for.
  • You are refused financial services, credit cards or a loan, despite having a good credit rating.
  • You receive letters in your name from solicitors or debt collectors for debts that aren’t yours.

If you think you are a victim of identity theft or fraud, act quickly to ensure you are not liable for any financial losses.

  • Report all lost or stolen documents, such as passports, driving licences, credit cards and cheque books to the organisation that issued them.
  • Inform your bank, building society and credit card company of any unusual transactions on your statement.
  • Request a copy of your credit file to check for any suspicious credit applications.
  • Report the theft of personal documents and suspicious credit applications to the police and ask for a crime reference number.
  • Contact CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration. Once you’ve registered you should be aware that CIFAS members will carry out extra checks to see when anyone, including you, applies for a financial service, such as a loan, using your address.

CIFAS - The UK’s Fraud Prevention Service
6th Floor
Lynton House
7 - 12 Tavistock Square
London
WC1H 9LT
www.cifas.org.uk

You can also get more advice at:

Action Fraud
www.actionfraud.police.uk

Financial Ombudsman Service
Telephone: 0800 0 234567
www.financial-ombudsman.org.uk

CardWatch c/o APACS
Mercury House
Triton Court
14 Finsbury Square
London EC2A 1LQ
www.cardwatch.org.uk

To report the theft or loss of post and other important documents:

Royal Mail
Telephone: 08457 740 740

  • By telephone
    We’ve set up a dedicated telephone line to answer your questions about this incident. If you received a notification by email, it will contain details. Or you can just call us on 0800 063 9124.
  • By email
    You can email us at any time at security@ffrees.co.uk