
Online pharmacy fined for selling user data to lottery company and others

The ICO has fined an online pharmacy company that not only sold on user data without proper consent, it also made some astonishingly crass choices of customers to sell it to, including a lottery company.

Online pharmacy. Image courtesy of Shutterstock.

The Information Commissioner’s Office (ICO) in the UK is a public service body set up with excellent aims.

As the organisation’s website explains, its remit is:

To uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

It’s not an irony that openness and privacy go together: if someone collects your personal data, they jolly well ought to be clear about what they plan to do with it.

Most importantly, they should make it obvious if they intend to share your data with third parties, and get your informed consent to do so.

Of course, even if they do tell you, and you agree to allow someone to sell on your data – though why you would agree to let your medical records be commercialised is not clear to us – then you have a right to expect that they’ll choose their customers wisely.

After all, crooks can save themselves an awful lot of hacking effort by just buying up personally identifiable information (PII) instead of hacking or cracking their way into it.

And, sadly, technologies such as firewalls, intrusion prevention and encryption are no use at protecting your data if the company that holds it quite deliberately and knowingly packages it up and sends it out to some third, fourth or fifth party.

With this in mind, we’re delighted to hear that the ICO has just issued a penalty against UK medicines provider Pharmacy2U.

Turns out that Pharmacy2U might better have been named URdata2Others.

According to the ICO, the company not only sold on user data without proper consent, it made some astonishingly crass choices of customers to sell it to, including a lottery company registered in Australia’s Northern Territory.

It wasn’t as though Pharmacy2U was unaware of where the data was going, either, with the ICO’s Penalty Notice stating that the lottery company submitted its proposed customer mail with the order for user records:

The mailer was headed "Declaration of Executive Order" and went on to say that the recipient had been "specially selected" to "win millions of dollars". The mailer contained a form which recipients were asked to complete and return within seven days along with payment of an unspecified sum of money by cash, postal order, cheque or credit card. The form also requested date of birth, email address, telephone number and mobile number.

You may have received this sort of snail-mail from “lottery” companies before, perhaps even wondered where they got your details from.

You’d probably have been gobsmacked (to use the medical term) if you realised that the pharmacy you used to fill prescriptions from your GP might have been responsible.

The ICO report continues:

Pharmacy2U approved the order with the words "OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately". The data was sent to Australia.

Accordingly, Pharmacy2U has been ordered to pay £130,000. (20% off for not appealing and making early payment – if Pharmacy2U coughs up by 13 November 2015, it’ll be just £104,000.)

The silver lining in all of this is that reporting data abuse can make a difference!

It’s currently Cybersecurity Awareness Month (CSAM), and a lot of the advice going around about how to be #CyberAware is, understandably, about how to protect yourself and your devices, given that prevention is a lot better than cure.

But sometimes you may end up compromised through no fault of your own – you could end up as the victim of someone else’s venality, incompetence or even just plain bad luck.

So, keep the ICO’s Report a Concern web page up your sleeve.

If someone calls you or contacts you, and you think they ought not to have your data at all, let alone be trying to sell you something you don’t really want, you can do something about it.

You don’t have to tell the caller or the emailer that you plan to dob them in (after all, if you are aggrieved enough to want to report them in the first place, you probably don’t consider them trustworthy).

But when you report that someone has misused your data, you help to get something done about it.

Here are the things that the ICO cares about, and over which it is prepared to go into bat for you:

Image of online pharmacy courtesy of Shutterstock.
