Man fears being target of identity theft after personal details stolen in cyber attack

by RNZ

A major audiology chain of clinics kept an Auckland man's personal details for over six years, then lost them to criminal hackers.

The man - Russell - says he is "flabbergasted", and worried he will be a target of scams and identity theft.

On top of that, Bloom Hearing Specialists told Russell there was too much data stolen to be able to tell him just what of his had been nicked.

Russell is one of thousands of customers that Bloom has warned of the ransomware attack.

In a letter, it said it might have lost insurance, banking, health, social welfare and the Ministry of Social Development client details - and it understood this was bound for the dark web.

The large company was attacked in July, ascertained in late August that masses of data had been stolen, and has since alerted thousands of patients.

"We understand your name and address was included in the data which has been stolen by the threat actor," Bloom wrote to Russell.

"It is likely that your date of birth and contact details and/or gender was also included."

But "due to the volume and complexity of the datasets stolen, it is not practicable for us to confirm if, or the extent to which, any additional types of data/personal information stolen by the threat actor relate to you".

Russell told RNZ he only tried out a Bloom hearing aid for a week after his hearing loss due to industrial exposure was identified, and ACC accepted the claim.

He went with another company's aid in the end and gave Bloom's back.

"I've never really been a customer," he said on Thursday.

"Since I haven't been with them for six-and-a-half years, they should have deleted my data."

He now felt vulnerable to scammers himself, he said.

"I can't recall how much information they got from me," Russell said of Bloom.

"They may have requested my bank account number as security, or credit card details as security ... and also whether they had all my ACC details."

Hacks and cyber attacks were par for the course, but this was different.

"People can have data breaches ... it's nasty out there," he said.

"These things can happen. But Bloom should have never had my data for such a long period of time."

He expected there would be large numbers of people like him, since so much data from past patients had been kept.

It was a breach of privacy law as he understood it.

"I believe that Bloom can only keep my data for as long as it's necessary for their business."

Principle 9 of the Privacy Act states an organisation should not keep personal information for longer than is required for the purpose for which it may lawfully be used.

Russell said he would consider complaining to the Privacy Commissioner.