Data incident

On Monday 23rd March an email was sent out which contained personal information about some of our customers. This page provides information on what happened and the support and guidance we are offering affected customers.


On Monday 23rd March an email was sent out which contained personal information about some of our customers. We apologise unreservedly for this data incident.

We take our responsibilities with customer information extremely seriously. We have clear safeguards in place around the usage and protection of customers’ information, and this incident was the result of human error. 

We have taken a variety of steps to assess the potential impact on those affected, including identifying any safeguarding concerns, and we are writing to all customers affected to provide comprehensive information, guidance and support. 

The Information Commissioner’s Office (ICO) has carried out a review of the incident. Following this, it has issued some recommendations to us to prevent a similar incident happening again but does not consider that any regulatory action should be taken at this stage. We take our obligations towards data protection extremely seriously and will now be working to implement the ICO’s recommendations.

The ‘Frequently Asked Questions’ below include further information and advice, including details of a credit and identity monitoring service that we have put in place for customers impacted by the incident. 


Last updated: 13/07/20 – 15:59

I have received unsolicited calls or marketing from legal firms – what should I do?
Some of our customers have sought advice from us in relation to unsolicited direct marketing calls and messages they received from legal firms or their agents. These customers have reported that such calls and messages were unwanted.
 
We recognise that not all people find direct marketing calls inconvenient, but for those customers that have cause to seek our advice because such contact is unwanted, we have set out below some resources you may find helpful.
 
In relation to unwanted calls, you can find further information from Ofcom (the regulator for communications services) in relation to registering for the Telephone Preference Service to avoid telesales calls:
 
www.ofcom.org.uk/phones-telecoms-and-internet/how-to-report-a-complaint/nuisance-calls-and-messages
 
If your telephone number has already been registered with the Telephone Preference Service for 28 days or more, you can register a complaint via: www.tpsonline.org.uk/complaint
 
In relation to unwanted text messages, emails and internet messages, as well as calls, you can register a complaint with the ICO (the regulator for electronic communications):
 
https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls
 
If you have particular concerns about unwanted and unsolicited marketing by specific legal firms, then you can register a complaint with the Solicitor’s Regulation Authority: www.sra.org.uk/consumers/problems/report-solicitor/
 
What was the incident and how did it happen?
On the evening of Monday 23rd March we sent an email to a number of our customers regarding changes in our services during the current coronavirus pandemic. The email explained the changes, how to find out more information, and how to keep in contact with us. 

Regretfully, as a result of a human error, this email inadvertently attached an internal document that contained the personal data of many of our customers.
How might this affect me?
If you are affected by the incident, we have written to you to provide further information and advice. For those affected, we have set up a free dedicated telephone helpline on 0808 189 5205 – please only call this helpline if you have received a letter, which contains a unique code for you.

The helpline is operated by CyberScout – a leading cybersecurity provider, which can offer support with this matter as well as an ID monitoring service for those affected. They will also be able to confirm which categories of your personal information were included in the document. Please note that no financial information was included in the email.
 
The helpline is available 9am–5pm daily, Monday–Friday.
What is Watford Community Housing doing about this?
  • We sent a follow-up email the same evening, apologising and requesting that all recipients promptly delete the email.
  • We emailed all affected customers to keep them updated about what we are doing.
  • We took appropriate advice and informed the Information Commissioner’s Office, the Regulator of Social Housing and all of our stakeholders about what happened, and how we can support and protect those affected.
  • We wrote to customers affected by the breach, to offer additional support, guidance and reassurance.
  • We dealt directly with anyone who feels they have safeguarding concerns or is at physical risk as a priority. If you have any of these concerns and you have not already contacted us, please contact us immediately – email CustomerRelationsTeam@wcht.org.uk
  • We established a free dedicated telephone helpline on 0808 189 5205 which individuals can call – you will need the unique code in the letter we sent you. We also set up free identity and credit monitoring services for any individual affected by the incident. Details of how to access these services are set out in these FAQs.
  • While the incident was the result of human error and we already have clear safeguards in place around the usage and protection of personal data, including customer information, we also carried out an internal investigation into the incident that encompassed a review of our operating procedures.
Is there anything I need to do to protect myself?
No personal passwords, national insurance numbers or financial information, such as bank details or payment history, were affected. If you have an online account to manage your tenancy through our website, this has not been compromised either. The risk of identity and financial fraud is therefore low.

However, because we know some people may feel concerned, we have partnered with a specialist identity protection and credit monitoring service provider and are offering you free access to their services for 12 months.
 
How do I activate the free identity and credit monitoring service?
We have set up free identity and credit monitoring services (Equifax Protect) for any individual affected by the incident. Details on how to activate this free service are set out below.
 
Equifax Protect can help you to protect your identity in the following ways for the next 12 months:
  • Unlimited access to your Equifax Credit Report allows you to check that the information held on your credit report is correct
  • Regular email or SMS alerts notify you of any significant changes to your Equifax Credit Report – this will help you identify any fraudulent activity early on
  • Equifax WebDetect alerts you if your personal or financial information is identified on websites used by fraudsters. You will need to enter the details you wish to be tracked in order to activate this feature
  • Equifax Social Scan reports on the information you make publicly available by monitoring around 100 of the more popular social media sites
 
If you have any questions about Equifax Protect, you can contact the dedicated helpline on 0808 189 5205. The team is available 9am–5pm daily, Monday–Friday to provide further support.
 
Register for Equifax Protect
To access Equifax Protect follow the instructions below within the next 30 days:
  • Visit www.equifax.co.uk/protect and enter the registration information requested
  • Apply your Equifax promotion code – this can be found in the letter we sent you.
During the registration process, Equifax will ask you some questions to verify your identity. It would be helpful if you had six years’ address history and financial information to hand (e.g. details of any overdrafts, credit cards, loans or mortgages).
 
What other support is available?
We have engaged with CyberScout, who will be able to provide support and assistance around credit monitoring activation and any support or remediation you require. Representatives will be available Monday to Friday from 9am to 5pm on 0808 189 5205.

Please supply the CyberScout fraud specialist with the unique code included in our letter to you.

Proactive fraud assistance: Will assist with any proactive steps to protect your personal information and identity. For instance, if you lose your purse/wallet or have any documents stolen, CyberScout can make recommendations to protect your identity and help you replace lost documents. CyberScout can also provide identity-related advice on different topics, such as travelling and social media.

Resolution services: In the event that you have fraud or identity theft issues, such as unauthorised charges on your credit card or a new account opened using your personal information, CyberScout will work with you to assess your risk, make recommendations, call creditors or agencies, prepare letters or documents and stay with you throughout the entire resolution process.

Fraud resolution insurance reimbursement: In the event that you have fraud or identity theft issues, you have access to a £1 million insurance reimbursement policy for certain out-of-pocket expenses that you may incur. This can include postage, travel costs, lost wages, replacement documents and notary.
 
What else can I do?
We continue to take this incident very seriously and we want to ensure that all measures to protect you have been taken. We would therefore recommend that you heighten your awareness to any suspicious activity, and adopt the following security best practice:
 
  • If you have received the email with the attached file, you must delete the information immediately and you must not share it with anyone else, whether they originally received the email or not. Please ensure that it is also deleted from your ‘Deleted items’. If you do share the information, this may itself be unlawful and you may be personally liable. If you have shared the information with others, please ask them to delete the information too.  
     
  • As a precaution, you might want to consider changing the password for your email account – and for any other accounts that use this email address. Your password has not been compromised following this incident, but changing it to something more secure can help to keep your account safe from potential hackers. There is lots of good advice online about how to create a strong password if you aren’t sure.
     
  • You may wish to monitor your bank account and credit cards for any unusual activity. Again, no financial information has been disclosed, but it might be worth keeping an eye on things just for peace of mind. If you see anything that doesn’t look right, report it to your bank.
     
  • If you have specific concerns about your telephone number, you may wish to consider changing your number, and remove your name from direct marketing lists by signing up with the Mail Preference Service (www.mpsonline.org.uk/) and the Telephone Preference Service (www.tpsonline.org.uk) to reduce the number of marketing offers you receive.
     
  • Be aware of phishing emails and texts. Be wary of communications from unknown or untrusted senders, and never send money to someone you don’t know via email or text. Do not open any attachments or click on links from unknown senders. Double check email addresses from senders that present themselves as a bank or other recognised institution. If in doubt, always delete the email.
     
  • Scammers are always looking for the opportunity to exploit situations such as the coronavirus outbreak, so please be cautious. Watford Community Housing will not be sending anyone to your home unannounced – we are conducting limited home visits at present and any genuine appointments with us will be arranged in advance and confirmed in writing.
 
Further advice on protecting yourself from fraud can be found on the Action Fraud website (https://actionfraud.police.uk/support-and-prevention/protect-yourself-from-fraud).
I have already paid for and activated the CIFAS service – what should I do?
We appreciate that some customers may have activated the CIFAS service following our initial communications. If you have already done so, please forward us a copy of your acknowledgment and receipt from CIFAS so that we can arrange a reimbursement (a screenshot will be acceptable). Please send this to CustomerRelationsTeam@wcht.org.uk.

If you have activated the CIFAS service, you are welcome to also activate the additional identify and credit monitoring services above.

If you have not activated the CIFAS service, please do not do so, as you should proceed with the identity and credit monitoring service now offered. If you pay for and activate the CIFAS services 6th April 2020, we may not reimburse you for the additional cost.
 
I am worried this might affect me personally – what should I do?
You can email CustomerRelationsTeam@wcht.org.uk if you feel you are vulnerable due to anti-social behaviour, domestic abuse, harassment, hate crime, disability or for another reason. We are working on a case-by-case basis with these groups, along with the police, to provide additional support as necessary.
 
If you feel in immediate danger, please always call the police.
 
Why does Watford Community Housing collect personal information about my religion, ethnicity and sexual orientation etc. in the first place?
We collect information about our customers and partners, with their consent, to tailor our services and comply with our regulatory duties around tenant involvement and empowerment.

Further information about how we process your personal data, including how you can contact us to access your rights as a data subject, can be found in our privacy policy: www.wcht.org.uk/page/privacy-policy/.
How can I make a complaint about what’s happened?
We have a specific Data Protection Complaints Policy, which you can use to raise concerns about this incident. You can find this at www.wcht.org.uk/data-complaint.

If, after reading our letter to you and accessing the identity protection and credit monitoring service, you feel your needs have not been met then please refer to the Data Protection Complaints Policy and we will consider your situation further.
 
How will you prevent this from happening again?
A full internal review into how this error occurred has begun and, as mentioned above, we’re liaising with the Information Commissioner’s Office as well as the Regulator of Social Housing about this issue. Once again, we are extremely sorry that this has happened and we will do everything we can to put things right and prevent this from happening in the future. We take the security of personal data extremely seriously and will be reassessing our systems and procedures to guard against this error happening again.