Scammers are targeting Battle of Flowers attendees through fake emails demanding payment for tickets.
The emails, which some islanders said have been circulating for some months now, led some to believe that the organisation had been hacked.
But organisers reassured islanders yesterday that their account wasn't being used by a malicious third party - the scammers had simply been using an email address made to look like their own - and that previous attendees' financial details were safe.
Police and the Office of the Information Commissioner (JOIC) are now investigating.
The organisers said they had been aware of the problem since September, and had since contacted three independent IT specialists who told them that, "unfortunately", there was nothing they could do to stop the hacker from posing as them.
"Once a hacker has someone’s email address they can continue to target them," they wrote on Facebook.
Despite this, the Battle of Flowers team said it hoped there would be sufficient red flags in the messages to ensure islanders aren't tricked, urging customers to move any suspicious emails to their spam box and to not open any attachments.
"In most instances we hope that these emails have been stopped by individuals' own spam management programmes or concerned individuals have contacted us for advice. The email gives a USA phone number so this should raise an early alarm bell to most people."
They explained that they do not "mailshot" anyone and only use social media "as a means of communicating with our followers".
"Those who have booked tickets online with us will only receive an email advice from Jersey Battle of Flowers as a booked ticket confirmation. This notice is sent from our legitimate email address," they explained.
It remains unclear at this stage whether the Battle of Flowers' address book was fraudulently obtained, but Jackie Donald, the event director, confirmed to Express that financial information like credit card details had not been accessed as they are stored on a separate server.
Concerns about the spam emails came to light following a post on the 11,000-strong 'Jersey Ask! Advise! Advertise!' Facebook group when an islander alleged that the organisation had encountered a data breach of which others hadn't been informed.
But organisers were firm that they had not tried to "brush the matter under the carpet" and had taken the matter "very seriously", adding that anyone affected would be offered "every assistance available".
Mrs Donald said the organisation has done all it can since becoming aware of the emails to prevent any other incident. She noted that the Police and Jersey's Data Protection Team have also been contacted.
JOIC said they were unable to comment on individual cases, but explained the process of breach reporting and their investigations.
Deputy Information Commissioner Paul Vane said the JOIC should be notified by any entity with access to other people's data about potential security breaches that might cause others harm. He said the JOIC will then work with them to decide what actions should be taken to reduce the risk of further incidents.
He said punitive action would only be taken if the breach was the result of "non-compliant activity that is deliberate, wilful, negligent, repeated or particularly harmful".
"Failure to report a breach that comes to our attention later will also carry with it the risk of formal sanction. We have been encouraged by the positive approach taken by the majority of Jersey organisations in light of a breach. We encourage any businesses or members of the public concerned to contact our office."
"It is also worth noting that a data breach will inevitably happen in a business at some point and that while the scale and severity of the breach may vary, the reporting process for each case is the same," Mr Vane added. "We urge controllers to defend against breaches, implement processes to help detect a breach and respond quickly to a breach."