In reply to andrewmc:
Thanks for bringing this to our attention. We take this matter very seriously. Prior to GDPR legislation of 2018, we had a user report something similar. As a result, we had IT professionals investigate. No evidence was found of any data theft or breach. We then had IT professionals look to see if there were any improvements that could be made in security. All recommendations were implemented to increase the level of security in line with industry standards and we continue to evolve security, as necessary. All passwords stored are encrypted. As another backstop we also set up an email address and password unique to the Cordee website which is monitored.
We contacted the ICO as a matter of course and to seek advice. They deemed it not to be a notifiable breach. Measures such as forced password resets were discussed, but we were advised that this wasn’t necessary.
Be assured that no financial data such as card details are stored or seen by Cordee (we use World Pay to handle payment transactions). Personal data is only stored as long as we are obliged to by law, after which it is made unusable.
As a result of you bringing this to our attention, and as a further precaution, we will now force a password reset for all users who signed up to the site prior to the most recent update and will delete all inactive accounts.
Any queries from yourself or indeed any other users who are concerned should be emailed to info@cordee.co.uk where they will be dealt with as a matter of urgency.
We apologise for any inconvenience caused.