Foxtons ‘knew that financial details had been published on dark web’

Estate agent Foxtons knew that thousands of financial details had been leaked to the dark web by hackers but did not tell their customers, reports claim.

The Group, which was the victim of a malware attack last October, was allegedly informed in January that financial and personal information had become accessible online.

Despite this, the i claims Foxtons Group did not take any action to inform any potential victims of the breach. 

However, the company has claimed that only Alexander Hall, its mortgage broking business, was impacted and that no ‘sensitive data’ was stolen. 

A spokesman added that ‘all necessary disclosures’ were made, claiming: ‘We have forensically been through all the stolen data and confirm it is both old and incomplete therefore not useable by a third party and not possible for it to cause financial loss or harm to those affected customers.’

The i claims an investigation found some 16,000 card details, addresses and private correspondences were first published online more than three months ago. 

It is alleged that the files have since been viewed more than 15,073 times. 

The data was discovered by a customer two days after the information was stolen on October 10. Foxtons Group was then informed about the leak three weeks ago.

It was said the leak impacts only customers from before 2010, though it has been suggested that the data currently online is only a fraction of that which has been stolen. 

Ray Walsh, Digital Privacy Expert at ProPrivacy. said he wasn’t surprised to see that data stolen from Foxtons Group is ‘floating around the dark web’, adding: ‘This is after all the point of these type of hacks.’

He said: ‘Analysis of the card details that have so far appeared online reveals that around 20 per cent of the cards are still active, meaning that those consumers need to be informed now so that they can cancel their cards, and check back through their statements for any irregularity.

‘If Foxtons knew the full scale of this breach two days after the attack – and did nothing to warn consumers – it would be an astonishing dereliction of duty, but we must now wait for the ICO investigation to assess what happened and what kind of fines Foxton should face.

‘As it now appears that the stolen card details, addresses and even private correspondence information have been accessed via the dark web over 15,000 times – a fact that will unnerve everyone who has ever had any dealing with the firm, it is likely a fine will be imminent.

‘Some of the data that has been unearthed on the dark web predates 2010, and the hacker has suggested that the older information is being used to advertise the hack while selling more up-to-date records in secret. 

‘If this is true the risk to consumers is even bigger and it is vital that Foxtons immediately contact all customers potentially caught up in this mess.’

A spokesman for Foxtons told MailOnline: ‘Alexander Hall, Foxtons’ mortgage broking business, was subject to a malware attack in October 2020 that affected a number of other organisations. 

‘Some IT systems were affected for several days but were restored without significant disruption to customers.

‘We have forensically been through all the stolen data and confirm it is both old and incomplete therefore not useable by a third party and not possible for it to cause financial loss or harm to those affected customers

‘All necessary disclosures have been made and full details of the attack were provided to the FCA and ICO at the time. 

‘We are satisfied that the attack did not result in the loss of any data that could be damaging to customers and believe that the FCA and ICO are satisfied with our response.’