September 2018 - Despite promises from Jon Horsfall, Canal & River Trust’s Head of Customer Services, to nearly a thousand customers affected by a substantial data breach on August 22 that the charity would “be in contact again once we have established the cause of the breach”, no explanation has been given, as Peter Underwood reports.
Not only has C&RT not explained the breach other than to say: “We are urgently investigating the cause of this breach, which was due to a technical issue at our sub-contractor system,” it also suffered another breach in its cyber security when a scammer used its online boat transfer system to transfer the ownership of half a dozen boats, with the Trust’s automatic systems emailing the owners asking them to confirm ownership had been transferred.
In most cases the ownership was ‘transferred’ to fictitious characters – and when the Floater’s editor received one of the notifications it recorded the transfer as being to “F*ck You”.
Despite complaining to C&RT customer services nearly a week ago we have still not had confirmation by email from C&RT that they have cancelled the transfer. In an online conversation, I was told: “It will take us at least five days to respond to emails as we are so busy.”
The Trust’s press office were able to respond more swiftly and issued a statement saying: “I can confirm that six boats were involved in this scam. None of these had been affected by the data breach. We have identified the email account behind these attempted transfers and are considering our next steps.
“We have a built-in safety check when a transfer of boat licence responsibility is carried out. The boat owner is contacted by email and asked to confirm there has been a sale. We will not transfer boat licence responsibility for 14 days unless we have received confirmation from the existing boat licence holder. We urge every boater to keep us informed if they update their data.
“To be clear, the incident reported is not a case of actual transfer of boat ownership – the Trust does not regulate this. This incident is about accuracy of boat licence responsibility details. The measures already in place have proved effective in identifying these were false requests.”
C&RT insists that none of the six boats affected were involved in the original data breach and it doesn’t think the two incidents were related. “We don’t want to speculate further at this stage,” the PR person added.
First to announce the boat transfer issue was Marianne Reanney, owner of the Lollipop sweet boat (now the ironmongery boat) who said on Facebook: “We received an email informing us that our boat had been sold and transferred to a new owner.
“We have NOT sold our boat! I googled the alleged new owner who apparently was a fictitious character from a TV series.
“After a few emails and phone calls to CRT we have now had our boat transferred back to us.
“This is what they say happened.… Someone who is allegedly using the fictitious name has set up an account with CRT and accessed a boat list and then used this list to claim ownership of a number of boats ours included.
“This is not necessarily connected with the data breach but could possibly be. Therefore I suggest you access your online licensing account and change passwords. As a precaution I have also cancelled automatic licensing for our boat. CRT assure me that bank details have not been breached however I have not checked this yet.
“I am meeting with Richard Parry to discuss this as I have a number of suggestions to put to him to ensure this cannot happen again to ANYONE. CRT have assured me that the bogus account has been taken down and as a precaution they have suspended any new accounts.
“They are currently looking into the matter and trying to find out where this bogus account originated from. I suggest you check your boat details to ensure that you have not been affected.”
Within two weeks Canal & River Trust has suffered one major breach involving personal information – certainly enough to allow unscrupulous individuals to steal boaters’ identities – and the exploitation of a weakness in its boat registration transfer system.
The latter will concern boaters because of the frequency of online boat sale scams, involving individuals pretending to own a boat and offering it for sale on various online outlets.
It seems inevitable – although Canal & River Trust has yet to confirm it – that one and possibly both incidents will be reported to the Information Commissioner’s Office (ICO) given the recent tightening of the obligations of companies and charities in relation to personal data.
There are certainly many boaters who are concerned and looking for ways to minimise their exposure to C&RT’s vulnerable computer systems. If any number begin to reject the Trust’s online systems it will make it increasingly difficult for the organisation to use online systems to streamline its work and save costs.
Photos: (1st) An erroneous ownership transferral confirmation, (2nd) Jon Horsfall's response to those affected by the large scale data breach.