back to article Delicious irony: Credit rating builder Loqbox lets customer details and card numbers slip after 'sophisticated attack'

Fintech startup Loqbox has fessed up to suffering an "attack" which potentially revealed its customers' names, postal addresses, dates of birth, email addresses and phone numbers. The company, which aims to help consumers improve their credit ratings, told customers that an external attack had compromised the two digits of …

  1. BebopWeBop Silver badge
    Headmaster

    The fines they are 'acomin'.

  2. ComputerSays_noAbsolutelyNo
    WTF?

    Why?

    If even the tech-industry can't figure out security, the companies that invented the computer, the internet, why in Cthulhus name should we trust banks to figure out computer/internet security?

    1. ThatOne Silver badge
      Devil

      Re: Why?

      > why in Cthulhus name should we trust banks

      Because they want so, and have enough influence to make their wishes come true.

  3. Scott Broukell

    Dear customer, we are really, really, sorry about this sort of a thing happening. Doh! there it all goes again! You do know that all these billions of bits of data that you gave us are flying around all over the place really, really, quickly, inside some very, very, expensive computers (that you are ultimately paying for), and that it's dammed difficult to keep hold of it all terribly securely.

    But don't worry too much, there's probably a clause, somewhere, that you implicitly agreed to when you signed up to our service and we feel sure that that will be enough to exonerate us from any responsibility. Meanwhile may we suggest that you change your name by deed pole, move house, change all your phone numbers, change ISP, change all your social media account passwords, change all of your other passwords and switch your bank account to another bank, simple!!

    We look forward to going forward with you on a forward looking customer focused data journey in the lovely fintech future and feel sure that we will be able to manage your personal data more securely in that shiny, shiny, future by, maybe, stuffing it all in some old manilla envelopes down the back of the filling cabinet, or something.

    Go forward together with us to a brighter digital financial future (cos we don't like to look back too much at all the damage and chaos that we have left in our wake), or take any 'credit' for it.

    -----------------

    Oh! bright, bright, shiny SECURE! digital future wherefore art thou?! (cos a lot of people would like to know)

    1. CrazyOldCatMan Silver badge

      digital future wherefore art thou

      Behind the triple-locked door marked "too expensive to open".

    2. EnviableOne Silver badge

      at least its better than "we take the security of our customers data seriously"

      IMHO, they have done the right thing:

      Admitted it happened

      Got in some experts

      Told everyone (including customers and regulators)

      and made changes to stop it happening in the future

      1. Alan Brown Silver badge

        "IMHO, they have done the right thing:"

        I'm pretty sure they were handed a warning attached to a deadman switch.

        IE: "If you don't disclose this, it will go public on XYZ date via a third party in another country you can't stop, along with the fact that you were given the warnings - and and by the way there's a copy in registered surface mail making its way to US financial regulators at the moment, so you'd better act before they do"

  4. ThatOne Silver badge
    Devil

    Deja vu

    Some company playing fast and loose with peoples' private and financial information, getting eventually hacked (it's a question of "when", not "if"), and then emitting a vague "we take our customers' well-being very serious, now get off our case already" type statement. Where have I heard this before?... Oh no, it wasn't some over-the-top Hollywood disaster film, no, it was the news...

    21st century, the century where your financial and social well-being is never safe.

  5. 0laf Silver badge

    Compromise bingo

    "sophisticated attack" - CHECK

    "cutomer data secured" - CHECK

    I'm looking for "Our customer's data is our top priority" for a full house.

    1. Anonymous Coward
      Anonymous Coward

      Re: Compromise bingo

      Damn. I was waiting for "Our customer's security is very important to us"

    2. Korev Silver badge
      Windows

      Re: Compromise bingo

      "sophisticated attack" - CHECK

      You mean aws s3 sync s3://lovely-public-bucket . ?

  6. find users who cut cat tail

    The biggest loss is not the customer details. The biggest loss for society is that ‘credit rating builder’ is a valid (and possibly necessary) service.

    1. Claptrap314 Silver badge

      Some thought experiments should demonstrate why such a service is a good thing. Credit ratings allow businessmen to extend themselves in otherwise risky transactions with people they do not know with reasonable expectations of not being wiped out. Consumers that perhaps have not had the opportunity to build credit engage in a low-risk transaction to demonstrate that they can be trusted to make payments.

      In 1988, I was enlisted in the US Air Force. The airline MUCH preferred I use a credit card. After some serious back-and-forth, I was able to get a card--$1500 limit, I think, with a $60/year annual fee. That was a MUCH more difficult and expensive service than this appears to be.

  7. Midnight

    > "This was a sophisticated cyber-attack on our company which we are still investigating."

    Ah, so the database was stored in an unsecured Amazon bucket then. Got it.

  8. TheFurryCircle

    I forwarded my copy of the email to El Reg on Saturday after receiving it. Mostly due to this closing line, which irrated the crap out of me:

    "We want to thank you for your goodwill and support as our team works around the clock to help those impacted"

    No Loqbox, you are not the victim or saviour here, and the 'goodwill and support' is downright cheeky... The remainder of the email is the usual weasily nonsense that you've all seen many times.

  9. fidodogbreath Silver badge

    This is why I avoid financial aggregators like Mint, Yodlee, etc. It's bad enough that each individual bank, brokerage, etc. seems to struggle with data security. But with aggregators, an attacker can get all of their customers' data for all accounts in one breach. That's way too big a risk -- especially since these companies don't do anything that you can't do for yourself with a spreadsheet.

    1. IGotOut Silver badge

      Don't want to alarm you, but your data is already aggregated by multiple companies. Otherwise you wouldn't have a bank account.

  10. IGotOut Silver badge
    Facepalm

    Oh the irony...

    Twitter users complaining about loss of personal information.

  11. Mike 137 Silver badge

    ""This was a sophisticated cyber-attack on our company ..."

    It's always "sophisticated" until the investigation shows it was a complete push over.

  12. Alan Brown Silver badge

    > It's always "sophisticated" until the investigation shows it was a complete push over.

    Hopefully someone will disclose how thin the tissue of lies actually was.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021