DivideBuy Finance, data breach - Need advice.

Hi all,

So, it turns out the company Dividebuy have suffered a data breach and have emailed all customers affected (including myself) to inform us that potentially the following has been hacked:

Name
Date of Birth
Address
Telephone Number
Email address
Associated Alias (not that I have one...)

No bank details have been leaked apparently.

The rest have been let out into the wild. Obviously this could be a breach of GDPR and I'm now concerned about what this could mean for me.

Their email highly suggests that I use a service called TrueIdentity from a company called Transunion UK to monitor my credit file for suspicious activity for the next 12 months. They have paid for this service on my behalf, if I choose to use it.

I've suffered minor data breaches of my info in the past (email address and such) but their offer to pay to monitor my credit file is baffling to say the least. Shove the onus onto the customer to resolve this issue?

Speaking of being a customer..... I'm not anymore. I used them back in 2018 to pay for a mattress over 12 months, a service I concluded with payment in full sometime back in 2019. So why they still had my details on record is suspect. I thought companies have to wipe details after 12 months of no use?

A quick Google shows that they have been somewhat review bombed on Trustpilot and several legal firms are already circling, advertising for no win no fee consultations with the aim of suing Dividebuy for breach of GDPR.

Thing is folks.... I'm not sure what to do, or even what the implications are for me?

Am I at risk of someone taking out finance in my name?

Will it just be marketing spam, as in the past due to countless companies that have undoubtedly leaked my email address?

Is this serious? Thankfully I used a unique password that I've not used anywhere else. So I don't think any other service I use is at risk of being logged into.

Should I use this TrueIdentity service?

I'm inexperienced in these things.... I've got no credit agreements for anything at the moment (house is paid for, I lend from no one currently) and only ever used DivideBuy for my mattress and Hitachi Finance for my tv, which is now fully paid off. My only contracts are utilities and a mobile phone.

Please advise..... :confused:
 
You should come on the Internet and post on OcUK for help.

Should I use this TrueIdentity service?

My advice (which doesn't count) is to use MFA/2FA where possible and don't use the same password anywhere. This might include setting up something like BitWarden.

Am I at risk of someone taking out finance in my name?

You are always at risk of someone taking out credit. You are no different to anyone who posts in this thread. :p
 
Speaking of being a customer..... I'm not anymore. I used them back in 2018 to pay for a mattress over 12 months, a service I concluded with payment in full sometime back in 2019. So why they still had my details on record is suspect. I thought companies have to wipe details after 12 months of no use?

I don't think there's a legal definition of exactly how long they should keep your data (it's something like "no longer than necessary"). Most places use 6 years for this timescale.

A quick Google shows that they have been somewhat review bombed on Trustpilot and several legal firms are already circling, advertising for no win no fee consultations with the aim of suing Dividebuy for breach of GDPR.

You don't just automatically get $$$$$$ compensation for being subject to a GDPR breach. You need to show consequential loss.
 
As above, sign up to TrueIdentity, let them pay for it, forget it happened. Most of that data is 'meh' imo; I'm sure some of the better OcUK detectives here could find most of it out just from Google and social platforms. Plus with a whole heap of records, I would imagine phishing will be more common than identity theft based on that information alone.

Just be aware of "this parcel has been underpaid so we need your cc details to pay the £4.23 outstanding to deliver it to <insert your address here>" around your birthday and such.
 
It's always a good idea to sign up to these credit watch services, or at least have a regular view of your credit file.

It is quite surprising how little data someone actually needs in order to take out credit in your name, but at least you can be proactive about it rather than finding out in several years' time that you owe X balance for a car you supposedly bought a few years ago.
 
You are always at risk of someone taking out credit. You are no different to anyone who posts in this thread. :p
Every time I see people rummaging through the bins outside I'm always curious if they are after old electronics etc. or people's letters....

I'm tempted to start mocking the people who do it :P

The road and refuse service is all privately maintained, council won't even fix a damaged lamp post, all our bins basically get pooled together and then emptied by a private company and it seems to be a big magnet for dumpster divers.
 
Every time I see people rummaging through the bins outside I'm always curious if they are after old electronics etc. or people's letters....

I'm tempted to start mocking the people who do it :p

The road and refuse service is all privately maintained, council won't even fix a damaged lamp post, all our bins basically get pooled together and then emptied by a private company and it seems to be a big magnet for dumpster divers.

I'm sure I've seen adverts on TV etc. where they try to explain to the audience that your personal data isn't just numbers and letters, it actually has a monetary value attached to it. So would be akin to someone digging through a bin and finding a £20 note.

Expiration of bank/credit cards is always a big one, I'm not sure if banks have cottoned onto it yet, but I remember a good 8-10 years ago when one of my bank cards had reached an expiry date, and I was still able to use it several months after. Now I wonder how many people just bin their bank card whole when a new one arrives?
 
I'm sure I've seen adverts on TV etc. where they try to explain to the audience that your personal data isn't just numbers and letters, it actually has a monetary value attached to it. So would be akin to someone digging through a bin and finding a £20 note.

Expiration of bank/credit cards is always a big one, I'm not sure if banks have cottoned onto it yet, but I remember a good 8-10 years ago when one of my bank cards had reached an expiry date, and I was still able to use it several months after. Now I wonder how many people just bin their bank card whole when a new one arrives?
I always cut mine into small squares and make sure I cut straight through the chip inside, but I guess a lot of people don't.
 
As above, sign up to TrueIdentity, let them pay for it, forget it happened. Most of that data is 'meh' imo; I'm sure some of the better OcUK detectives here could find most of it out just from Google and social platforms. Plus with a whole heap of records, I would imagine phishing will be more common than identity theft based on that information alone.

Just be aware of "this parcel has been underpaid so we need your cc details to pay the £4.23 outstanding to deliver it to <insert your address here>" around your birthday and such.

Thanks for your advice. I've never used a service like this before so had no idea on TrueIdentity's reputation or even worth in using it. I'll look into them some more before deciding.

I admit the data that they claim has been obtained isn't too damaging seeing as how the vast majority of people will have their name and email address "out there" and I'm already subject to the occasional spam email or text message that are automatically blocked.

I've always used separate, unique passwords for all of my accounts and 2 step authentication with my mobile and have updated accordingly.

As for everyone else, the reason as to why I created this thread was due to the email that I received from Dividebuy being something that I have never encountered before and it caused me to become confused and somewhat anxious. I found it very odd to be told about some third party service to monitor my credit file in case of questionable activity. As I said, I'm inexperienced in these things and so thought to seek advice (keyword here) from what I thought was a decent community that I know has some knowledgeable people in it.
 
Yeah you have too much faith in OCUK to be honest. You'll get several variations of "lololol letterbox" and pancake until PsychoSonny shows up with a wall of nonsense after which they just start arguing about semantics until the thread gets locked by a bored moderator (though the worst offender for that has long gone, thankfully).

You'd be better off on /r/ukpersonalfinance or MoneySavingExpert or similar.
 
As for everyone else, the reason as to why I created this thread was due to the email that I received from Dividebuy being something that I have never encountered before and it caused me to become confused and somewhat anxious. I found it very odd to be told about some third party service to monitor my credit file in case of questionable activity. As I said, I'm inexperienced in these things and so thought to seek advice (keyword here) from what I thought was a decent community that I know has some knowledgeable people in it.

They are required by law (under GDPR provisions) to inform you of a data breach and to provide you with "assistance" to help alleviate any potential impact. Which they have done. That's probably where it will end as far as you will be concerned. They may, depending on the circumstances of the breach as well as any prior concerns raised, face a fine from the ICO but that doesn't automatically translate into compensation for any persons affected despite what the circling lawyers may say. For reference their privacy policy is on their website and states that they will hold data for seven years after you last used services - https://dividebuy.co.uk/privacy-policy/
 
Two points here:
The data hacked is pretty much public knowledge anyway. If anyone really wanted to they could find out most of the personal details of everyone in this forum in a day and it really wouldn't be that hard, the hack just made this data easier to get at. They would have been looking for card details, they won't care a bit about addresses. They just wanted to try and make easy money.

Secondly, companies can hold onto data for as long as they like providing they have a reason. Typically a well defined data retention policy would be in place but it's not a requirement. I would certainly expect a company like this to have data on their books for at least 5-10 years.
 
Technically they haven't breached GDPR if their processed or controlled personal and identifiable data was stored adequately, but they are liable and will have to comply with any penalty that is imposed on them. As for compensation, I doubt you would see any unless your data is used in a malicious way and it can be traced back specifically to their data breach.
 