Data Protection Breach - Passwords disclosed / stored



I wasn't sure which forum to post this in however decided on the CRA forum as I would imagine those on here would have the best knowledge of Data Protection.

 

The long story cut short is that a very large UK business has disclosed my password for my account with them to various other bodies including several solicitors acting for them and have also submitted this information to the HM courts as a part of their "evidence" to defend my claim.

 

 

The account is still very much active and had I not gone through their bundle with a fine tooth comb I would not have spotted the breach.

 

 

This information has already been on circulation for some time now with their solicitor and now the courts.

 

My concern is the format in which the password has been disclosed is in the form of a "screenshot" of their computer system which would indicate that all of their operators also have complete access to the whole password.

 

 

I had always understood that passwords were stored in such a manner as the operator would only ever have access to 2 letters / characters.

 

 

If this is the case then it would seem to be quite a serious breach of data protection in itself that passwords are stored like this.

 

 

In my own case to say I am furious that my password has been circulated to the courts and their solicitor would be an understatement and I would like advice on how you would deal with this.

 

 

I would rather not say the company at this time as I do not want to compromise my own case, however this is a very large UK business.


  • Log in to the account and change the password (if at all possible).
  • Report the breach to the Information Commissioner's Office.
  • Send a strongly worded letter of complaint to the data controller of this company - Inform him that you will hold him personally liable for any losses incurred.

If/when you get opportunity to make a statement in court, point out this gross breach of confidentiality - Passwords should never be disclosed and should always be encrypted (basic and fundamental principle of computer security).


Thanks for the advice.

 

I'm still calming down from the rage of seeing what they had done.

 

In the bigger picture, the concern is that their systems seem to be able to show the password to anybody who had access. I had, foolishly, assumed that when asked for say the 3rd and 7th letter of the password that would be all the call centre operator would be able to see. It would seem they have access to the whole password. Potentially should somebody use the same password for various accounts this could be catastrophic in the wrong hands.


Ah, a pass phrase used to verify a caller (for example) using a telephone banking service - Not quite the same thing as a login password, but still open to abuse if it fell into the wrong hands.

 

Still worth raising the issue with the ICO and any regulating bodies governing this business.
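The "3rd and 7th letter" check discussed in this thread can be done without any operator screen holding the phrase. The sketch below is an added example, not part of the thread and not the company's system: it stores one keyed digest per character position and returns only pass or fail. The function names, the record layout and the in-process `SERVER_KEY` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this key is held by a separate
# verification service or HSM, not in the database operator screens read.
SERVER_KEY = secrets.token_bytes(32)


def _digest(salt: bytes, position: int, char: str) -> bytes:
    """Keyed digest binding one character to its 1-based position."""
    msg = salt + position.to_bytes(2, "big") + char.encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def enrol(passphrase: str) -> dict:
    """Stored record: a random salt and one digest per character; no plaintext."""
    salt = secrets.token_bytes(16)
    digests = [_digest(salt, i, c) for i, c in enumerate(passphrase, start=1)]
    return {"salt": salt, "digests": digests}


def new_challenge(record: dict, count: int = 2) -> list:
    """Choose distinct positions to ask the caller for, e.g. [3, 7]."""
    positions = range(1, len(record["digests"]) + 1)
    return sorted(secrets.SystemRandom().sample(positions, count))


def verify(record: dict, answers: dict) -> bool:
    """answers maps position -> character; the operator sees only True/False."""
    if not answers:
        return False
    ok = True
    for position, char in answers.items():
        if not 1 <= position <= len(record["digests"]) or len(char) != 1:
            return False
        expected = record["digests"][position - 1]
        ok &= hmac.compare_digest(expected, _digest(record["salt"], position, char))
    return ok


if __name__ == "__main__":
    record = enrol("constructed-phrase")  # constructed sample value
    print(new_challenge(record))
    print(verify(record, {3: "n", 7: "u"}), verify(record, {3: "n", 7: "x"}))
```

Per-character digests can be guessed one character at a time by anyone who obtains both the record and the key, which is why the key is assumed to sit outside the operator-facing system.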


A Formal Complaint to the Data Controller of the company concerned, this ensures that your complaint is dealt with and responded to within 56 days.

 

 

Is the "password" vital to their defence?
