One clumsy keystroke could send your private information to a stranger's inbox. Photo / 123RF
One clumsy keystroke could send your private information to a stranger's inbox. Photo / 123RF
COMMENT:
Last Saturday, I fired up Gmail and watched with a sinking feeling as several emails from Finnish banks and finance companies arrived. The messages were about loan applications, some of which had been approved and others that were still being processed.
I had never heard of any of themoney lenders before. Fearing the worst, I thought "not good, someone's applied for loans in my name - and in Finland too".
The loans were a few hundred to a couple of thousand euro in size, and oddly precise amounts like €1045 but with usurious annual interest like 41.7 per cent.
Expecting a painful process ahead to convince at least seven financial institutions on the other side of the world that I had not applied for loans, I began reading the messages to work out what to do.
They revealed that someone had indeed applied for loans, using my email address with a dot (.) between the first and last name. Gmail ignored the dot and sent the messages to my account.
It's not the first time this has happened. My name is fairly common in Finland and I receive a good amount of emails intended for other Juha Saarinens. I've had bills for expensive house renovations, a gigantic email with family photos, and been told to show up for training at a Helsinki football club or get booted out of the team.
The banks behind some of these mails didn’t seem bothered they’d mailed a client’s information to the wrong recipient. Photo / Supplied
Confidential business documents have arrived too, ditto social media account signup and password reset notifications. One Juha was rather active on Finnish Tinder for a while, judging by the emails about matches that landed in my inbox.
Out of courtesy, I notify whoever sent the messages to the wrong Juha (that's me!) if possible. Often it's not however and I figure people will notice their mistakes eventually. These loan message were different though. They were not addressed to a Juha but to a woman with a Swedish name. Why would she use an email address with a Finnish name that's completely different from her one? Was she real, fictitious or had someone hi-jacked her identity?
A quick few internet searches established that there is indeed a person with the woman's full name who appears to live in the Swedish-speaking parts of south-western Finland. A social media account associated with the name on the loan applications suggested that the woman has a boyfriend called… yes, you guessed right: Juha Saarinen. Was she using his email address? Why?
Whether or not she had applied for the loans, I can't tell. There was no response to a text sent to a phone number in one of the emails sent to me. It seems strange that she approached so many lenders and for different amounts in each case.' Having gone this far down the rabbit hole I sent a group email the lenders with a cc: to the Finnish financial markets regulator.
With my journalist hat on, I asked why they didn't check that the email on the applications was correct before sending out sensitive information such as detailed loan documents and direct access links to online accounts (with pass codes) to some unknown in New Zealand?
Was this not a privacy breach? Finland is part of the European Union which has really tightened up privacy protections with hefty penalties for data breaches like these.
I received two responses. One lender jauntily said not to worry, my name isn't on the application and they'll just delete the incorrect email. Another asked me to call a toll-free local number if I had some more information. No answer to my questions, and no comment from the financial markets watchdog.
We'll see if anything else happens, but at least the stream of messages about loan applications has dried up.
The main takeaway here is to be very careful about what you put in emails and double check where they go; it's easy to make a mistake and your private information could end up in the wrong person's account. If it happens, it'll be impossible to undo and nobody really cares about your privacy anyway.
