Help and advice on Aerial Direct’s data incident

We recently became aware that some of our customers’ personal information stored on one of our databases has been accessed without permission.  To reassure you, the database did not include any passwords or financial details, such as bank account number or credit card information.

We take our responsibility to protect customers’ personal information extremely seriously. As soon as we became aware, we immediately shut down access to the database and launched a full investigation. We have also informed the Information Commissioner’s Office.

What do I need to do?

We understand that you will be worried about this incident. We wanted to share some guidance and links to more helpful resources online.

What type of information was obtained?

The information was used to manage information about our customers. This included contact details (such as name, home and email address, date of birth and phone numbers), technical and product information. Please note that whilst this is all of the types of information contained in the database, not all of this information may have related to every customer.

I’m worried someone might have stolen my personal information and is using it without my permission.

No financial details or passwords were included in the database which was accessed.

Identity theft is when someone uses someone else’s personal information to obtain goods, services or money without permission. Examples of identity theft include taking out a credit card or ordering products in someone else’s name. In this case, no financial details or passwords were included in the database which was accessed.

However, there are steps you should take if you think you have been the victim of identity theft:

  • Immediately inform your bank, building society and credit card company of any unusual transactions you see on your statement, or any information you receive about applications made in your name.
  • Contact Action Fraud at https://www.actionfraud.police.uk/ if you think that a fraud has been committed.

I’m worried other people will know my password now.

No passwords were stored in the database which was accessed; however, passwords should always be strong and not easy to guess. For tips on how to do this, head to our article on how to set a strong password.

I’m concerned that people might try to email or phone me to steal my personal information.

This is called phishing, which is when people try to persuade people to tell them their personal information, often through an email or phone call. Please remember:

  • If you ever receive a call claiming to be from Aerial Direct and asking for your bank details, please report it to us straight away.
  • If you receive an email that you are concerned about, don’t click on any links, open any documents or reply to it. You can get some more advice here: getsafeonline.org/protecting-yourself/spam-and-scam-email/

I’ve received marketing emails or calls that I don’t want.

The ICO has advice on how to avoid or report nuisance marketing calls, emails and texts, either online at ico.org.uk or via its helpline on 0303 123 1113. You can also find further information on the Telephone Preference Service website where you can opt out of unwanted sales or marketing calls.

If, having read this information, you still have questions, you can contact us on 01329 750 630, but please be aware that our customer service advisors do not have any further information at this stage.

Once again, we sincerely apologise for what has happened.

How do I create a strong and secure password?

To improve the security of your online accounts you can follow a few key steps when creating passwords for anything you access online.

We recommend you choose a password that is a minimum of 8 characters, and consists of uppercase and lowercase letters, as well as numbers. We also don’t recommend you use full words. All of these steps make it very difficult for automated programs and hackers to guess your password.

The longer the password is, the less likely it is that someone else will be able to guess it or otherwise find out what it is.

Top Password Security tips

Do not reuse passwords between websites

It’s very tempting to use the same password you use for one online account with another website, but it is absolutely critical in this day and age that you do not fall into this habit.

Hackers know that a great many people use the same (or similar) passwords for most of the accounts they use online, so when they get hold of a password for one account, they will often use an automated process to try to log in to as many online services as they can with that password.

In that scenario, if your email account is compromised and you use the same password for an online shopping website, as well as your social network profile and your online bank – the hacker will be able to log in to all of those services.

The problem with ensuring that you do not reuse passwords across different websites is of course that you may find it difficult to remember all your passwords. We recommend using a secure, reputable password manager to hold your passwords for you – see ‘Use a password manager’ below to learn more.

Use strong passwords

Strong passwords use a combination of uppercase and lowercase letters, numbers and if possible special characters. This makes it very difficult for automated programs and hackers to guess your password. Check out the ‘Understand how accounts become compromised’ section to understand how account passwords are often guessed.

Do not use real words in your password. Hackers will often use an automated system to attempt to use dictionary words as your password, so if your password consists of a dictionary word – there’s a good chance they’d be able to log in and compromise your account.

A good way of securing your password is to substitute some of the letters in your password for numbers. For example, instead of writing the letter ‘S’, you could use the number 5, which looks very similar. The same applies for other letter and number combinations.

Never share your passwords with anyone

It may sound like a basic point, but it’s one of the most important. Never share your password with anyone. You may inherently trust that person, but you have no guarantee that they follow adequate security precautions and you can therefore not be certain of the security of the password that you have shared.

For example, if you provide your password to someone who enters it into a computer that is infected with malware, or they write it into a book of passwords that they keep – your defences to online fraud are instantly weakened.

This includes speaking to professionals like Technical Support Agents, or your computer engineer.

Change your passwords regularly

It is good practice to regularly change the passwords you use online, even if you use strong, unique passwords and don’t have any reason to believe your account is compromised.

Online accounts can be compromised (sometimes through no fault of your own) and hackers may just monitor your online accounts – such as your email address, waiting for something valuable to appear, such as a password reset email for your online bank.

There may be no visible symptoms that your account has been compromised, so changing your password regularly is a good way of minimising the risk of this happening.

It’s up to you how often you change your passwords, but it’s generally a good idea to change them every few months.

Use a password manager

Password managers are software applications that store your login information for all the websites you use and help you log into them automatically. They encrypt your password database with a master password – the master password is the only one you have to remember.

This allows you to have strong, unique passwords for all your online accounts – meaning you don’t have to remember them.

When using a password manager, it is vital that you use a completely unique and very complex master password, and use two-factor authentication where possible. If your password manager’s master password is obtained by a third party, they could then gain access to all of your online accounts from there.

Be sure to use a reputable password manager by researching and reading user reviews before downloading/installing.

Review your password recovery questions

Most online services have password recovery options that can be used to regain access to your account if you forget the password for it. These questions normally ask for things like your favourite football team or your mother’s maiden name.

Ensure that you make these questions and answers as hard as possible to guess and if possible, select questions that only you will be able to answer.

How to watch out for cyber attacks?

All too often, cyber-criminals use the names and contact information stolen in a data protection act breach to try and extract additional information from you (such as your banking details). As such, please be extra vigilant following this matter.

Always question uninvited approaches in case it’s a scam and don’t assume an email or phone call is authentic. Just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine. Crucially, a legitimate bank or other financial organisation will never contact you to ask for your PIN or full password, or ask you to move money to another account for fraud reasons.

How to protect your finances?

While no financial information or payment details were contained on this database, if you spot any unfamiliar transactions or suspicious activity on your bank accounts, contact your bank or credit card provider immediately. It’s also worth keeping an eye on your credit score for any unexpected dips and contacting all the major credit reference agencies to ensure credit isn’t taken out in your name.

What are the steps I should take if my data is at risk?

If you are concerned that your data might be at risk, there are some steps you can take to stop the threat from escalating. For example, you could register with the Cifas protective registration service. You should also change your passwords and make sure your devices are protected by up-to-date internet security software.

Was data stolen? How?

Our investigation has revealed that some data was taken – we are investigating this further. As soon as we became aware of this unauthorised access we shut down all permissions to the database to contain the incident.

Where was the data?

The data was contained in an external back-up database, a part of which was accessed by an unauthorised third-party attacker, who downloaded some of the information contained on that database, which was confined to non-financial information.

Due to the nature of the information involved, we understand that you will be concerned, so to provide reassurance, guidance and support we are also recommending some advice on how to stay safe online.

Was this a targeted attack?

In line with our privacy policy, Aerial Direct keep data of expired customers for accounting, auditing, compliance and legal purposes. This is an expected business practice for all UK Ltd companies.

What might the attacker do with my data?

We’re yet to find out who is responsible or what they have done with the data they accessed. This makes it very difficult to predict their intentions. We’re hoping our investigation can uncover some answers. As all information regarding this issue is sensitive, we recommend emailing your concerns and questions directly to the team handling the investigation at DPO@aerial-direct.co.uk 

Why did you have my data stored if I’m no longer a customer?

In line with our privacy policy, Aerial Direct keep data of expired customers for a maximum of 6 years, for accounting, auditing, compliance and legal purposes. This is an expected business practice for all UK Ltd companies.

If you have any additional questions that haven’t been addressed above, please e-mail dpo@aerial-direct.co.uk