‘AnyVan’ Says a Hacker Stole Sensitive Customer Data in September 2020

• ‘AnyVan’ finally informed its customers about the unauthorized access of their data by hackers.
• The fact was published about three weeks ago when associated data appeared for sale on the dark web.
• AnyVan hasn’t informed the ICO, as the leaking of full names and email addresses aren’t considered very risky.

‘AnyVan’ is sending notices of a data breach to its customers, informing them about a data breach that occurred almost five months ago. The firm says they discovered the incident on December 31, 2020, and the reason for the delayed notice distribution is the internal investigation launched to evaluate the repercussions.

The delivery, transport, and removal services company has reset all user passwords even though hackers only got to access them in an encrypted/hashed form. This, however, comes only after the attackers had ample time to exploit the users’ data.

That would include full names, email addresses, and hashed passwords. In fact, we saw reports about an unknown security incident against Anyvan.com previously. On December 31, we saw a pack containing 4.1 million user records from the platform being posted for sale on the dark web. This was when the company learned about the data leak, or when they were forced to admit the security incident.

Also, as a company based in London, UK, AnyVan should have informed the ICO (Information Commissioner’s Office) about the security incident, as required by law. The Register reached out to the ICO, and they confirmed that AnyVan hadn’t informed them about anything. They clarified that depending on the likelihood of risking their customer rights and freedoms, companies may choose not to report a breach to them.

Indeed, AnyVan still maintains that hackers “may have accessed” customer data, even though the data has been for sale on the dark web for three weeks now. Additionally, one can argue that full names and email addresses do not constitute a severe compromise for people’s privacy, so AnyVan may legitimately opt-out of informing the ICO.

If you’re an AnyVan customer, do not rely only on the platform’s password reset. Proceed to change your password anywhere else you may be using the same credentials, and be careful with all incoming communication, especially via email. Phishing actors and scammers may use this very security incident to trick you into jumping to cloned login sites.

Finally, AnyVan hasn’t provided any details about what the hackers exploited to gain access to its systems, and neither have they clarified what measures they’ve taken now to prevent such a thing from happening again in the future. Keep that in mind if you want to continue using their services.