Reply to: Qdos data breach

Unrelated I'm sure...I got letter through today saying my JD Williams credit account was set-up and ready to go! I didn't request such an account Signed-up for the free year of identity monitoring.

Oh good, have needed another year of access to that since the one from the Parasol/Nixon Williams data leak ran out...

We can confirm that the emails from Qdos regarding a recent security incident – including the links within them - are legitimate. Given the importance of this communication, we engaged third-party experts, Experian, to support us with issuing notifications. To facilitate this, the emails were distributed using Mailjet, a commonly used email delivery platform. All links within these emails use the domain format .mjt.lu and are uniquely generated for each recipient to allow for secure and appropriate tracking.

We remain committed to supporting and assisting our customers during this time. If you have any further queries or concerns please contact our dedicated call centre on 0116 497 1281

I haven't received an e-mail and I last renewed a policy in 2021 (i.e. haven't been a customer since 2022). I was hoping that meant they had pruned my data. Now I'm not so sure.

.lu is the country code for Luxembourg.

mjt.lu is apparently Mailjet. So, I assume that this is similar to Mailchimp etc., and that website will redirect you to the real website. Presumably it has a unique ID embedded in the link which they can cross-reference against the recipient (to know who's clicking the link). That might be justifiable if it was an advertising campaign, but I'd agree with your initial reaction that it seems pretty dodgy when they're confessing to a data breach.

Received this also and not used their services for years. Maybe some DB pruning is required. Shouldn't really be holding any information of old customers for so long. Data protection breach.

I wonder if any of the data will end up in the hands of HMRC.

Hi, DSC, we can confirm that this is a legitimate email from Qdos regarding a recent security incident. We have set-up a dedicated call centre to handle any questions or queries in relation to the incident - the team can be reached on 0116 497 1281. They can also answer any questions you may have regarding the monitoring service provided by Experian, which we are offering to all affected customers free of charge for additional peace of mind. We’re committed to providing customers with any support and assistance we can.

Yes.

I called QDOS and unfortunately it is legit, so it looks like they have had a data breach. I mentioned the dodgy-looking links in the email and they said they'll look into it; they have quite a few calls today !

I'll quote from the email:

How has my data been impacted?

Please note that Qdos does not collect or store credit card information or other identification documents such as passports or drivers’ licences for customers. Any information provided with respect to claims against insurance policies has also not been impacted.

We can’t confirm exactly what data or documents were accessed or downloaded for customers individually, but it is possible that the following data relating to you may have been impacted:

• Documents relating to insurance policies, e.g. policy schedules;
• Documents relating to IR35 services, e.g. contracts, contract reviews or IR35 calculations;
• Documents relating to purchases e.g. invoices and credit notes; and
• Personal data from your customer account, e.g. name, correspondence address (or registered business address), email address and contact number.

Yes, I just came here to post the same. The links in the email are all to a 9rr8.mjt.lu domain, which looks dodgy but there's very little online to verify them. I'm inclined to think it's a scam, but a targeted one?
But if it isn't a scam, then my major worry is it looks like any business contracts that were sent to QDOS have potentially been stolen, meaning we may have to notify our affected clients as this is confidential information...
I'll probably contact QDOS about this by phone.