EE failures show how data breaches damage lives

Safeguarding personal data and protecting those to whom the data belongs are often referred to in relation to modern data legislation, but less coverage is given to the real ways a data breach can impact upon a victim’s life.

A recent BBC report reveals the harrowing events that can take place when data security practice is not up to standard, and private information falls into the wrong hands.

EE customer, Francesca Bonafede, had her personal data accessed without her permission by an ex-partner who worked at the telecommunications firm. She found her number had been switched to a new handset, while her address and bank information was accessed.

Ms Bonafede claimed EE did not take the data breach seriously, so she had to call in the police. The company “sincerely apologised” to Ms Bonafede and stated that the employee who had dealt with her situation was no longer working for the company.

Ms Bonafede first alerted EE about the suspicious activity when her phone stopped working in February of last year. Following five days without signal, she went to an EE shop to arrange a new Sim card and switched her account to a new handset.

Speaking to a call centre agent, Ms Bonafede was told her new address registered with EE, which she suddenly recognised as that of her ex-partner who had worked at an EE store. All texts and calls going to her old number during her period without phone signal would have gone to him.

No action from EE

She flagged the issue up with the agent on the phone, but they showed now concern.

“I kept asking to speak to a manager who could give me more concrete information, and I was always told no-one was available.”

Ms Bonafede says she does not know why her ex-partner wanted her private details, but suspects it could be linked to his application for official documentation. He texted her endlessly to try to get her to withdraw her complaints, and turned up uninvited on multiple occasions at her new address with his friends.

“It was really distressing and I had to go to the police and tell them what was happening,” Ms Bonafede said.

“They asked me repeatedly what EE was doing about all this and I just had to say, ‘actually, I don’t have a clue because they don’t keep me updated’. The only way he could have known about my new address was through the data breach, because we broke up quite a long time before that.”

The man was eventually arrested and given a harassment warning by police, which put an end to the contact. But it took tweeting publically about the ongoing incident and involving the police for EE to start taking the data breach seriously.

“I spent countless hours at the police station and missed days at work. He had access to everything: my sort code, my account number, a photocopy of my driver’s licence.

“It did put me at risk and I feel all customers should know how poorly something like this will be handled if there is a data breach on their account.

“It was a complete breach of trust. I don’t trust the way they handled my data at all.”
Internal policies ‘not followed’.

A spokesperson for EE stated that internal policies were not adhered to in the case of Ms Bonafede.

“This matter has been dealt with internally and the employee involved no longer works for us. While we worked quickly to protect Francesca, we apologise for not keeping her informed of the actions that we took during this time.”

Under the Data Protection Act 2018 and the GDPR, “it is illegal for individuals to access personal data without authorisation,” the Information Commissioner’s Office said, before highlighting the obligation firms are under to manage data securely to protect “against unauthorised or unlawful processing and against accidental loss, destruction or damage”.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.