The company is used by thousands of organisations to recruit and vet staff, manage IT systems
Err:
The attack by Russian cybercriminals on one of the UK’s biggest outsourcing companies, Capita, appears far more serious than the company has admitted. Personal bank account details, addresses and passport photos are now being leaked online, having apparently been stolen by the hacking group Black Basta.
The people who admin IT have been hacked. That’s going to be good for business, no?
Why exactly do they keep passport photos? Your database needs a checkbox, “has this person’s passport been verified?”; nothing more. If you need to keep a copy for regulatory or legal reasons, you keep it offline in a basement guarded by dogs.
You can now renew your driver’s licence card part by using the passport photo already in the system. So I’m told at least…..
Oh no, not Crapita!
I think it’s the entire passport photo page, with passport number, expiry date, town of birth, etc.
Reading between the lines, what Capita has stored is all the documents that you submit when applying for a job. That means passport photo page; proof of entitlement to work if foreign; proof of address; bank statement to prove you’re not engaging in funny-money; and a utility bill. Everything you’d need for identity theft.
But once you’ve verified that the passport photo matches the person in front of you, and you’ve run a credit check on the address, you can throw it all out (or bury it in the offline archives if legal insist on keeping a copy). It doesn’t need to be internet-accessible.
It won’t stop the Simple Shopper using them. Can’t think why, in our famously corruption free country…
You can now renew your driver’s licence card part by using the passport photo already in the system. So I’m told at least…..
That’s how I renewed mine a couple of years ago and it worked well.
Something really pisses me off is the amount of people want to take photocopies of identity documents. I can remember a UK bank trying it. Gave the counter clerk the ID & they headed towards the copier. No permission requested, nothing. They got a very loud “Oi!” And told that they had my permission to look at the document, but not copy it. That satisfies identifying me as being the person I claim to be. “Now return it, pronto. You don’t like that, I’ll abort the transaction” Didn’t bother me. The transaction was to the bank’s benefit not mine. I couldn’t give a toss whether it happened or not.
That’s going to be good for business, no?
In a sane world, yes. However I doubt this will reduce by one penny the value of contracts that Crapita get from both real and pseudo government.
Let’s hope there’s a huuuuuuge fine headed their way for breaching GDPR…
…except of course they’ll just inflate their next bill to HM Government to cover it, no doubt.
. . . and it worked well.
Up until the point Russian gangsters got your ID.
@bloke in spain
The bank wants a copy of your passport for some future date when they get audited for Anti Money Laundering compliance.
Without it they can’t really demonstrate that they have checked the customers identity. All they can do is say that they checked the passport, which doesn’t impress. With a copy they can present the evidence that they at least went through the process.
“keep it offline in a basement guarded by dogs.” Dogs? What about Lions! And machine-gunners.
A passport and a driving licence, like a birth certificate, is a public document. It is issued by Authority and needs to be produced when demanded, it should not be considered a secure means of identification ( which is why I am against biometrics).
AndyF & BiS,
Banks and cash-intensive businesses (gambling, estate agents, forex shops) have specific AML requirements to securely store identity documents. Banks in particular spend a lot of money on security, because trustworthiness is important to their wider brand. But we’re talking about Capita’s recruitment division; and they don’t care about trust.
My DB pension is administered by Crapita (alongside millions of others, no doubt). I’m slightly reassured by the fact that Crapita have hundreds of separate IT systems, none of which can talk to each other.
@Andrew M
I have zero confidence in identity documents because mostly people see the document rather than the person presenting it. If the document passes inspection, they’re content.
As for the banks’ money laundering problems, I’m all in favour of the cleanest money money can buy. Stuff ’em.
@ dearieme
Quite. Preferably with a notice on the door saying “Beware of the Leopard”
I’m sure that someone can devise a system of dropping enough fresh meat into the basement daily so that the leopard is fed just adequately but perpetually remains slightly hungry.
I was recently asked by an estate agent to provide a photo of my passport, proof of address etc. using a company called Credas. The sale was of a property being conducted by a solicitor for me and the other owner#. I had previously provided said details for the solicitor (which was perfectly reasonable in context). I told the solicitors that I would not provide the details via Credas. They could tell the estate agent that they were satisifed (to the best of their knowledge) that I was who I claimed to be and if the estate agent didn’t trust them then we can use a different agent. I pointed out that unless Credas could guarantee no data breaches or identity theft, ever, for the rest of my life, then I might consider them. In other words, sod off. As an aside I checked Credas reviews – 35% 5 star, 65% 1 star, with some seriously cutting 1 star reviews. A very odd distribution…
@BiS
“I have zero confidence in identity documents because mostly people see the document rather than the person presenting it. If the document passes inspection, they’re content.”
That reminds me of an incident I had maaaany years ago – back when everything was bits of paper.
I was going on a break, back to my old university town, for a week – and knowing how the boys in blue used to “take an interest” in my driving a few years earlier when I was an undergrad, I thought I’d best take my documents (driving licence, insurance, MoT) with me in case they were required. For the next few weeks after I got back, I had that “something isn’t right but I’ve no idea what” kind of niggle in the back of my mind – and took a look at my documents to find … my MoT was 2 months out of date (at which point, I went out and got it tested and passed the same day).
Now a month before this, I’d been pulled over by the local boys in blue as I had a tail light out. So I’d gone into the local nick to present my documents – where someone took forever copying details (including from the wrong insurance document – they were copying from the schedule rather than certificate) at a rate that makes the sloth in the DMV in Zootropolis seem fast.
Still with me ? Then you’ll have realised that I presented an out of date MoT at my local police station, they copied down all the details, and no-one noticed ! So there wasn’t any checking, it was just a mechanical process of “documents presented, tick box”.
And not long ago, my wife and I were sorting out wills. We had someone come to the house, and at the end he gave me a contract to sign. As I sat there reading it (several pages), he commented that not many people read it before signing. But that’s no surprise, and I’m sure many will be familiar with https://arstechnica.com/tech-policy/2016/07/nobody-reads-tos-agreements-even-ones-that-demand-first-born-as-payment/
Some places are still insisting on proof of vaccination for new hires as we are one of the few places that still has a vaccine mandate for healthcare*, though with the vaccination passport not in effect anymore and people not having bothered to keep the QR code** now they don’t need it that must be causing some headaches
*There is constant reports of a shortage of healthcare workers, not helped by firing over a thousand for refusing vaccinations over 18 month ago, funnily enough the legal case lodged by the sacked staff still hasn’t come to court, amazing how some cases get fast tracked over others
**QR code system is still in place of course ‘just in case’ despite assertions from the politicians this was purely temporary and would be scrapped when not needed etc
“As an aside I checked Credas reviews – 35% 5 star, 65% 1 star, with some seriously cutting 1 star reviews. A very odd distribution…”
I generally consider such reviews to have been gamed by the company involved. They can’t stop the one star reviews, but they can get their employees (or some random paid internet shills) to post stellar 5 star reviews to boost the overall average. A half decent company will have mostly 3-5 star reviews with a few 1 and 2 star ones, because you can’t please everyone, some deals will go pear shaped, and some customers are just pains in the arse. No genuine company can provide a service that is both amazing and utter sh*te in equal measure, so I assume the 5 star reviews are fake and the one star ones are the real customer experience.