COVID related data scams

Phishing emails for the COVID-19 vaccine

Fraudsters are always on the lookout for new ways to steal and monetise your personal data. On 25 January 2021 the BleepingComputer reported that scamsters are sending out a phishing email which pretends to be from the NHS, alerting recipients that they may be legible to receive the COVID-19 vaccine. “There are multiple variants of the phishing emails, but they all claim to be from the NHS at noreply@nhs.gov.uk (the real NHS domain is nhs.uk) and use mail subject similar to “IMPORTANT – Public Health Message| Decide whether if you want to be vaccinated.” Says the BleepingComputer.

“The phishing email asks the recipient if they want to accept or decline the invitation to schedule their COVID-19 vaccination.

“Regardless of the button selected, the recipient will be brought to a fake NHS site stating that they were chosen for the vaccination based on their medical history and genetics.”

“The NHS is performing selections for coronavirus vaccination on the basis of family genetics and medical history. You have been selected to receive a coronavirus vaccination,” the phishing landing page reads.

“The recipient will again be asked to accept or reject the invitation, but regardless of the button entered, they are pushed through a series of pages asking for personal information. This information includes the person’s name, mother’s maiden name, address, mobile number, credit card information, and banking information.

“Once this information is submitted, the phishing page will state that the application is confirmed and that the NHS will contact the person to schedule the appointment.

After a few seconds, the page will redirect the browser to the real NHS site at https://www.nhs.uk/.”

In response the NHS has taken to twitter to confirm that the vaccine is free of charge and that it will never request financial information or copies of identification documents.

In addition, the NHS has created a webpage explaining how people will be contacted to receive the COVID-19 vaccination and how to spot a scam.

It is also important to remember that the NHS’ website is at www.nhs.uk and not in the format of nhs.gov.uk or nhs.org.uk, like other UK government websites.

If you have mistakenly submitted your personal data as part of this phishing scam, you should assume that it will be used for identity theft or other unlawful purposes.

If you think that you may have provided your personal data to fraudsters the Information Commissioner’s Office recommends that you should take the following precautions:

  • Report all lost or stolen documents, such as passports, driving licences, credit cards and cheque books to the organisation that issued them.
  • Inform your bank, building society and credit card company of any unusual transactions on your statement.
  • Request a copy of your credit file to check for any suspicious credit applications.
  • Report the theft of personal documents and suspicious credit applications to the police and ask for a crime reference number.
  • Contact CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration. Once you have registered you should be aware that CIFAS members will carry out extra checks to see when anyone, including you, applies for a financial service, such as a loan, using your address.CIFAS – The UK’s Fraud Prevention Service
    6th Floor
    Lynton House
    7 – 12 Tavistock Square
    London WC1H 9LT

The full BleepingComputer article can be found here.

Giving your details for Test and Trace

Now the lockdown has been lifted in part, the Government wants to keep track of customers and participants in potentially risky indoor environments for spreading the virus.

So you will be asked to give your contact details when you visit restaurants and pubs, hairdressers, tailors, museums and possibly places of worship and community centres.  The date and times of attendance will also be logged.

You will not be asked to provide proof of ID unless it is standard practice (such as age verification in pubs and bars).

Giving these details is entirely voluntary, though you may be encouraged to do so in the public, and your own, interests.  However you are entirely within your rights to refuse.

The processing of the data has to be GDPR compliant, must be kept secure before erasure after 21 days and cannot be used for any other purpose (such as marketing).

The ICO has issued guidance for businesses and organisations on test and trace data.

Should you have concerns about a data breach in connection with test and trace please get in touch

Test, Track and Trace system and Data Breaches

Your personal data: Who will tell, know  or share what and can it be misused?

The UK government ‘test, track and trace‘ scheme has been launched to identify and curb the spread of Covid-19.

Originally the plan was to have a mobile app detector backed up by a manual contact tracing system.

The mobile app was designed to detect data of others with the same app within a limited location so that if a user developed symptoms, vulnerable users in contact could be automatically alerted to self-isolate.

The manual system relied on people testing positive for the virus  giving contact details of people they had been in close contact with so that they could be contacted by text, email or phone and advised to self-isolate.

The app was subject to a trial on the Isle of Wight in May and was supposed to be rolled out nationally with thousands of people already having downloaded it.

But the trial indicated it was unreliable in operation.  So now it has been ditched in favour of a system being developed by Apple and Google that is yet to come into operation.

Both the manual and the app systems have raised data protection concerns.  The centralised ‘anonymised’ data collection model developed by NHSX was criticised because it could have led to data protection breaches, particularly if the ‘anonymised’ data collection was compromised.

In the event it seems the app had a low rate of close contact detection, particularly with Apple mobiles, and was subject to mis-contacts, operational bugs and a drain on battery life. In short it appears to have been a nightmare on all fronts, defeating purpose.

The manual system relies on people giving out reliable details of close contacts who might be vulnerable within a given period.  Clearly that only includes people who can be identified, though this could include a large group in certain circumstances.  These contacts are then personally contacted by text, email or phone and advised to self-isolate.

There are strict protocols as to what information may be given out and asked in line with Data Protection laws.  Unsurprisingly, anecdotal reports suggest that many people contacted avoid  responding or giving out any information.

The whole process is conducted on the basis of consent. Although Covid 19 is a notifiable disease which permits personal intrusion in the public interest, there is no legal obligation to provide personal details or to abide by the advice.

However, there is clearly a public health imperative to limit the spread of the disease, particularly with regard to vulnerable people who might be at risk of severe illness, or even death.

In addition, limiting the spread of the disease should create confidence in lifting the lockdown and allowing the country and the economy to resume productive and happy life in a safe environment.

But the contact tracing system is open to abuse.  There are reports of ‘phishing’ emails and phone calls with fraudsters ‘spoofing’ official names, emails and websites, or else providing ‘links’ that steal personal information such as passwords.

The object of fraudsters is generally to trick people into disclosing confidential information for financial gain – such as bank account details or trick them into making premium rate phone calls.

The Government has issued detailed guidance on how the system works, and avoiding fraud.

But many people may be surprised by the nature and extent of the personal data collection which may be asked from relatives and employers in certain instances.  This data may be shared within permitted parameters, which include contacting you about test results, and your GP, if positive, but also a national Public Health England database and shared for other planning and research purposes.

The system is Data Protection 2018 compliant, which means any breaches that occur, either through the data collection/sharing system or individual operators, are potentially liabilities re compensation claims.  Already complaints have been raised about the failure to undertake a Data Protection Act risk assessment prior to rollout.

Should you have reasons to believe your data rights have been compromised in the test and trace system you can find the details of the data controllers and processors here  together with your rights under the Data Protection Act 2018 and GDPR  in relation to the programme and how to complain.

We all hope that the system will be a success in helping combat COVID 19 and it is to be expected that some mistakes will happen when a complex data collection and tracing system is rolled out in emergency circumstances.

How the current system performs may not only help with the current pandemic, but in addressing future emergencies with preventive measures less damaging than a ‘lockdown’.

Reporting and acting on data breaches is therefore not only a personal privacy and data protection right protected by law, but a means of correcting and improving the system for the public good.

If you have suffered a data breach through the testing, tracing and contact programme please contact our team who will advise on your rights and entitlement to compensation.

Coronavirus measures and data protection rights

The emergency measures introduced to fight the Coronavirus pandemic have wide-ranging implications for our freedom and individual rights.

As this is a public health crisis, restrictions are justified in the interests of health and safety beyond what we would normally expect or tolerate.

This includes the indefinite ‘lockdown’ and changes in working practices.

The massive changes necessary to keep people safe and conquer the virus while keeping the economic and welfare systems up and running have inevitable effects and risks in relation to data protection security.

So how will this affect your rights under the GDPR and the Data Protection law?

The fact is the law as to data protection remains in force.

There is no concession on unlawful sharing of health, financial and other personal data.

But it does mean that the certain forms of data sharing will be permitted under the law if it’s justified by the exceptional circumstances in the public interest.

What does this mean?

It’s vital for the medical, research and public health authorities to have access to medical data to identify and treat patients as well as developing treatments and vaccines.  We have to learn how to protect people from the virus, build up immunity and best treat people who may have a variety of underlying conditions. Everyone is pulling together in this fight.  But it means data will be shared with a variety of public and private organisations who are key in combatting the pandemic.

Employment changes and data protection

With everyone being advised to stay at and work from home where possible, a large number of ad hoc innovations have been implemented affecting working practices and access to goods and services.

Video-conferencing has usurped face to face meetings, while databases have been extended from the office to home electronic access.

The same security measures protecting data in the workplaces – encryption, passwords, data sharing rules – should be in place at home. You and your employer have an obligation to ensure data protection security measures are in place.

But obviously there are increased risks.  The changes at short notice make for a greater likelihood of human error – the most prevalent cause of data protection breaches.

Obviously we all have to juggle very many things, and the Information Commissioner’s Office responsible for policing and enforcing data protection law, has issued advice on data protection in the age of coronavirus  which includes:

  • Individual’s concerns about use of data
  • Advice for community groups, businesses and organisations using personal data
  • Advice for health professional
  • Use of mobile phone tracking

The ICO provides the most accessible and comprehensive information on data protection law and how to keep yourself and others safe and is regularly updated to reflect the evolving situation during the pandemic.

So where is the data protection?

Despite the current crisis and any legal relaxations, unauthorised use of personal data is still illegal and a breach of personal rights.  A drug company or health operative for instance could not lawfully use data to target you as a potential customer using personal data supplied for the purposes of Covid-19 research.

But it should go further than that.  Data shared for statistical and research purposes  should be ‘anonymised’  – that is it should not identify the subject, only the relevant data necessary.

There have been press reports about ‘anonymised’ data from medical records sharing with drug companies presenting a security risk.  It is pointed out that ‘anonymised’ is not the same as ‘anonymous’ in that the data subject source is known at some point in the chain, and that it may be possible to identify some people individually, even under the cloak of ‘anonymisation’.

Whether or not this will become a serious issue for individual security is not well-established; but understandably, at a time of national and international crisis, some of these legal niceties will inevitably be put on the back burner until the pandemic resolves.

Data tracking

In general, people share personal data with consent through social media apps in their own interests. Mobile phone location tracking is an example of this.  We’re happy to sacrifice our privacy (within defined limits) in order to access local  maps, transport, shops and restaurants.  This data is under strict rules as to sharing and deletion within the data protection framework.

But of course this may also mean the data – even anonymised – can point to your identification through individual movement analysis.

Because of the Covid-19 pandemic, anonymised local tracking data has been authorised within the GDPR  guidelines to be shared – both nationally and internationally across Europe. This is in the interests of tackling the Covid-19 pandemic.

This ‘big brother’ incursion has a legitimate purpose – in the immediate crisis.  But not without risk to personal data security and misuse.

And beyond the pandemic will governments ‘legitimise’ this measure in the interests of  general ‘public safety’ – the detection and prevention of crime, for instance – as general rule?

So are we all being ‘tagged’ now?

It’s important not to exaggerate fears of cybersnooping.  There are already laws governing access to telecom, email and unencrypted social media data: in many instances we surrender our own privacy voluntarily by posting private data on Facebook, Twitter and Instagram etc not just to our friends, but potentially the whole world!  Usually the data trawling and sifting is based on electronic algorhythms rather than human beings, and too much information can be as useless at targeting risks – for instance suspected terrorists – as too little.

Civil liberties are important and proportionate use of personal data is matter of ‘legitimate interest’ to us all in the legal and political arena.

But while everyone should keep themselves and others safe in terms of data protection, and hold public authorities and businesses to account for keeping our personal data secure, we should also recognise the advantages technological advances have granted us. Too much anxiety can be as debilitating as too little care.

Keep safe.

Keep calm.

We are here to help.

If you have concerns about your personal data being stolen, misused, or lost you may have a remedy and be entitled to compensation.

Contact DRM for confidential advice – we will listen and advise on an individual case by case basis because your Data Rights Matter.