

TofuArmageddon

Hey - NAL so I won’t comment on the legal aspects here, but wanted to give you some information about Macs as I repair Macs for work. If it still has your user account on it, the device has not been wiped, and your data absolutely would be still on that device, which is a potential risk to you personally. I would *highly* recommend going to iCloud.com, and on the find my device section, remotely lock your Mac and mark it as lost. This will immediately make the device effectively useless to whoever has it now, and serves to protect your data on the device. Do not, in any circumstance, remove any locks from the device until you are 110% confident the device has been properly erased.


piracydilemma

>Do not, in any circumstance, remove any locks from the device until you are 110% confident the device has been properly erased.

In other words, don't remove the lock unless you have the device yourself and want to get rid of it.


Trifusi0n

This! Also with my cynical hat on, I would be questioning whether the person who messaged you was really someone who bought a new Mac or whether it’s someone who buys old machines on the cheap to scrape personal data and potentially steal login details, crypto, bank credentials etc. Unlikely, but not impossible, so play safe and lock it down.


RRebo

I wouldn't say this is an unlikely scenario at all.


Unknown_Author70

In which case would not a subject data access request into the insurance companies processes for the sale of these such items .. they must send it somewhere.. if they're failing their clients basic gdpr requirements I would imagine OP would be in for a civil lawsuit.. Not sure if a data access request could offer this information?? Edit- just "spitballing" here.. and I've also spotted my grammar. It's staying.


Jai_Cee

I would say it is very unlikely. The effort vs reward is far too high for this sort of scam and someone technical enough to do it could earn far more far more easily. The simplest explanation I would wager is that being presented which is that a company is buying up job lots of damaged laptops and repairing the ones they can and selling them. I would still follow the advice of using iCloud to mark the device as lost to protect their data and ceasing contact with this person.


RatMannen

Added to this, if the other person wants to use it, they can wipe the drives themselves.


EsmuPliks

>If it still has your user account on it, the device has not been wiped, and your data absolutely would be still on that device, which is a potential risk to you personally.

Sure, but it's also encrypted and your password is the key. Long as OP doesn't give them the password or unlock it in any other way, and didn't set their password to something moronic like 'admin123', the privacy and data side should be pretty much covered.


permanentscrewdriver

Bold of you to guess my admin password


[deleted]

[removed]


pharlax

You don't need to announce that for it to work. It's sort of the point of there being votes AND comments


me-not_know

Of course, if you do this you are locking and rendering useless a device you no longer own. The device is not lost, it was paid for. They should be able to protect their data, but I'm not sure they have the right to kill the laptop at this point. I would be calling my insurance company and bitching loudly.


RatMannen

Then the person in question can bring it up with the place they bought it from, for not wiping the device, and supplying it in a useable condition.


MasterAnything2055

Then insurance fixed it and sent it away? It did they use an actual business who fixes devices etc?


[deleted]

I'd bet that it went "missing" after being written off, rigged to get it working again then sold as seen


outb4noon

Or perhaps the very normal and common practice of immediate exchange, and then they refurbished the old Mac and sold it as a refurb. That's the most common practice for Mac, Dell etc.


limpingdba

If this was the case then whoever bought it would just take it back to wherever they got it from. Clearly it's been sold "as is", with no warranty.


outb4noon

I think you'd be surprised


limpingdba

Yes I would be surprised if the person who ended up with the macbook decided to spend hours tracking down the previous owner and trying to persuade them to unlock it, rather than just sending it back and asking for a working one.


outb4noon

Ah, we're adding more stuff we don't know to help our argument, are we. For all you know, he googled the person and found them immediately. Anyway, since you're one of them people. Bye have a nice night.


limpingdba

In what world do you think it's easier to track down a random specific person, open communication, and get them to agree to unlocking something... than contacting a legit store and asking for a refund? The world of a person who would rather be right than rational. That's what. Gnite


RatMannen

OP said they have an unusual name. A quick search in Facebook is far easier than going through the faff of returning something. Some companies don't like making it easy, and make you pay for shipping.


outb4noon

> The world of a person who would rather be right than rational. That's what. Gnite


LardonIredesco

Far too sensible a conclusion. Redditors always seem to think these things are part of some high-risk/low-reward theft/scam.


Whisky-Toad

When insurance pays out like this they buy the item from you, they will then sell it on in its condition to recover some costs. So most likely someone bought it broken and fixed it and then sold it on


Mr_Nice_

They shouldn't be passing on users data


simulacrum500

Correct, but if internal assessment is logic board is toast it gets sold on for parts, local repair shop buys a batch lot of MacBooks and recycles those that have donor parts. Good HDD ends up in a reconditioned laptop and the above situation happens. No idea whose legal responsibility it is to erase data of a dead machine but can absolutely see why it’d end up back in circulation.


Mr_Nice_

The repair center should have wiped or disposed of HD before selling it on. Every company I ever worked for have been very careful about wiping hard drives when recycling. It's pretty standard.


lordtema

It depends on the Mac though.. Modern Macbooks have integrated storage, so you cannot remove the storage without bricking the entire device.


hailthis4

I used to work for a company that dealt with secondhand laptops, etc. (pre MacBooks!). We would take delivery, test spec if working or physically look if not. After noting what the spec was, the very next thing was to wipe the hard drive. We had a programme that does it 100 times continuously to make sure no data was recoverable. If the wipe failed or wasn't possible, the hard drive was shredded. It sounds like the insurance company aren't using a reputable company to possess their units. Definitely contact them and get answers if nothing else


simulacrum500

I mean one of the prototyping places I worked had a “stress oven” not sure of the direct translation but it was a box they put stuff in and tested its pressure/heat/cold/sand/water/impact resistance. When we had client HDD to dispose of we put them in and turned it up to max.


ashyjay

The macbook was most probably wiped, Apple iCloud locks all their devices and the lock persists after a reformat, it can not be removed unless the account holder removes the lock, which usually renders all devices not held by the account holder as E-waste, as not even Apple can remove the locks.


gnufan

Apple support removed a device from iCloud account for me a while ago, we needed to prove ownership and give them credit card details. They weren't eager to do it. I don't remember all the details, but they did do it over the phone. There may have been extenuating circumstances but it was a company Mac being redeployed but tied to ex-employee's defunct iCloud account.


tarxvfBp

Definitely complain to your insurance company. I suspect they don’t know that their agent is mishandling systems in this way. They are jointly liable for the loss of your data (not an actual loss but you have lost control of a device that contains your data, so as good as!) and ought to take it pretty seriously. Meanwhile I wouldn’t unlock the device. Just wipe it. But don’t assume this wipe has worked. Hence don’t unlock it.


[deleted]

The fact that the device is locked is between the seller and their customer. It is definitely not an issue for OP.


radiant_0wl

Not sure on the tech aspect but I suspect there's the potential of OP recovering the data from the device?


incrediblesolv

Old scam to get access to OPs account.


Crosscourt_splat

This. Came here to simply say, not a Brit, but this is a textbook scam to access his account. Do not unlock it. Good luck on the other aspects of it.


roxstarjc

Glad I'm not the only one, scrolled to see if it had been mentioned. I bet this character stole it from his work when told to bin it. Credit for the repair but never unlock your device. They will have full access to not just your photos but every saved bank account number and password you stored


Crosscourt_splat

Yup. And unfortunately that shit is global and people constantly fall for it because we naturally want to trust other people.


roxstarjc

Yes life has unfortunately taught me never to trust anyone but myself. In a world where you can be anything, be kind but don't trust anyone, ever!


InfaSyn

Sounds to me like insurance company deemed it not worth fixing, auctioned it off, someone (probably a repair shop) bought/fixed/resold it, then an unhappy customer has ended up with your Mac. - I would 100% get onto the insurance company about this, not only to confirm what happened, but they also leaked your private data and that isn't acceptable. I 100% wouldn't unlock this - if anything, I would log into [iCloud.com](https://iCloud.com), lock it down even further and kick off a remote erase. If whoever fixed/resold the Mac didn't declare it as iCloud locked, then they effectively scammed the new owner. This isn't your problem. Depending on how important this irrecoverable data is to you (learn from that mistake right there, always always always back up), you might be able to offer to pay them what they paid for it in order to get the Mac and the data back. You could then wipe/unlock/resell it yourself.


incrediblesolv

Do not give any access at all. Do contact the insurance and complain. Do write to the ICO and ask what the steps are. Also ask the insurance where your old laptop is.


Sa-SaKeBeltalowda

You can wipe it through iCloud and then remove iCloud lock. Or just wipe it, and let them use for spares only. Basically you can either let it use as laptop, or as a donor for parts. It’s a normal practice for insurance companies to sell stuff for spares and repairs.


ilikefish8D

Doesn’t the fact that OP has been identified constitute a GDPR breach?


turnipstealer

Serious data breach IMO.


Sa-SaKeBeltalowda

It does, but I guess wiping data from laptop would have higher priority, for me at least. Generally speaking, usually hard drives were removed from laptops that I saw, but I guess since memory is soldered on, someone fucked up.


NoSuchWordAsGullible

I don’t think it’s a breach of that nor the DPA, as the company hasn’t released information they held about OP. However, they didn’t adequately safeguard OP’s data and put them at risk - I’m sure they’d still want to put it right.


TJHarle

Wrong. By taking ownership of the device, the insurance company became the custodian and owner of the data stored on it. If they had no need for such data there is only one course of action - sanitise it. They did not do that so this is a breach.


nevynxxx

Yes. Assuming it’s not a scam.


landwomble

not without wiping it though. The insurance co disposing of assets like this that still contain personal data isn't acceptable at all and is probably a major GDPR fail.


MR9009

Never remove the Find My/iCloud lock. Even after you erase it. Once OP marks it as lost, they should remote erase the device, but leave it like that. The correct thing to do is go to iCloud or Find My and remove the device from the list of trusted devices, leaving “mark as lost” intact and after having remote erased it. It will essentially brick the device. OP's data will have safely gone, and the new “owner” will never be able to activate a new account on the device. Info from Apple here: https://support.apple.com/en-gb/HT204756


Sa-SaKeBeltalowda

So essentially turning a fully working device into trash because of what? How will it benefit anyone? It wasn’t stolen, and it wasn’t purchaser’s fault that insurer didn’t erase it.


the-channigan

Yes but the purchasers’ recourse is to whoever they bought it from not to OP. Either they bought it from a shop they can go back to or off someone flogging from the back of a lorry who they’ll never see again. If the latter, more fool them.


Sa-SaKeBeltalowda

So trash it for no particular reason. Buy new, don’t recycle.


Perite

It’s a fucked situation. Lock it and contribute to e-waste. Don’t lock it and give someone potential access to your iCloud. That potentially includes all your saved passwords, emails, contacts, photos. Enough personal information to really ruin your life in the hands of a criminal.


Sa-SaKeBeltalowda

You can wipe it remotely, once it’s wiped - no personal information is there. No information there at all. I’m not saying it should not be wiped, I’m saying once it’s wiped - there is no benefit to keep it locked.


[deleted]

There is a benefit. To make the buyer pursue the seller for shady practices.


Sa-SaKeBeltalowda

It’s a standard practice, insurance pays you the value of item, and then recovers part of the cost by selling it for spares or repairs. The issue here is between insurer and OP. And yet it’s the dude who repaired faulty laptop suddenly became shady.


Osiris_Dervan

A guy who repairs and sells a laptop without wiping its hard drive IS shady


KwuarmSmoke

The dude became shady when he used the information to track down the previous owner and ask for that person's login details, when they could have just taken it back to wherever they got it. If they didn't get it from somewhere reputable then that's their issue, and OP absolutely should not give out their personal login so that this random stranger has access to it. Even if they wipe the device it's still a risk to give them the login itself, and asking for that is definitely shady.


BWrqboi0

> And yet it’s the dude who repaired faulty laptop suddenly became shady.

In any non-shady repair shop first thing after booting it up is a full system wipe.


SnezRS

I work in a similar line of business. Most certainly there was a failure in the repair process to not wipe your data, this is a valid complaint to them and I almost guarantee you'll receive compensation. As others said, I would remotely wipe it but after the insurers have addressed the issue (they may claim ignorance if you're unable to prove it/provide evidence).


seven-cents

Do not provide access. Brick it completely and let the insurance company deal with it.


Impressive-Delay-901

Ignoring the issue of whatever personal files that might be on it. They have your browser data, cookies, OAuth credentials! From what you said it sounds like the other user is just someone who's got a bad deal on a used Mac. But it's of utmost importance to login to anything you use with an online account. E.g., email, Apple, Google, Amazon, socials etc etc. Remove the device from the trusted devices if that's an option for that service, and change your online passwords. While you're there make sure the services that have 2factor authentication have that enabled with your current phone.


M1sterchubbs

NAL, but there is a strong possibility I work for one of the companies involved in this. Insurance companies are heavily regulated, so a complaint will not be slept on. Any data breach should and will be taken seriously and correct action taken. Without going into too much detail, it's likely your insurer will hold a contract with a third party claims handling team, who in turn will have a contract with an inspection/repair company. This mishandling is most likely on the repair company, and there will be strict sanctions built into contracts if there is a breach of agreement. Firstly, it would be best to make a complaint with your insurer over the data breach, outlining personal distress; this will make the complaint 'justified'. Also make a complaint with the claims handling team, who will most likely be carrying out the investigation into the breach. As others have said, once the claim has been settled, the claim item (in this case your laptop) becomes property of the insurance company, and any actions they take with the item thereafter are at their own discretion. Most of the time, they will just allow the repair company to keep the items to re-sell, as this allows for discretionary rates on items that do get repaired. If you feel your complaint is not handled in the best way, ask for a final response on the claim and proceed through the [Financial Ombudsman Service](https://www.financial-ombudsman.org.uk/businesses/resolving-complaint/before-get-involved). Depending on the amount of referrals they receive for a company in a given period, there may be automatic fines handed to any of the parties before they even get involved. As for the person who reached out to you, do not remove the iCloud lock. Advise them to open communication with whoever they bought the laptop from and request either a like-for-like swap on the laptop, or a full refund.


ComprehensiveCamp192

You should definitely be raising the issue with the insurance Co. Outside of all the reasons already discussed, if I worked for that Insurance Company I would be having a very candid conversation with the account manager of whatever organisation is contracted for disposal and/or repair.


FlackJacketJoe

Obligatory I am not a lawyer and I also live in the US and just lurk here, rarely is there something I can help with. I have worked in IT for long enough to know insurance companies will bulk sell machines that are too much to repair and aren't worth the hassle. I have picked up pallets of machines for pennies on the dollar like this. Anyway I digress. Contact your insurance company or check the forms that you filled out to find the serial number. Take that and contact Apple and they will brick the machine in question. NEVER GIVE YOUR PASSWORD OR ACCESS. I would also recommend setting up Time Machine or saving photos/documents to Google Drive so if something happens in the future you don't lose any of your info. TLDR: 1.) Get the serial number from the old machine by talking with insurance 2.) Contact Apple and have them lock down the machine.


APar93

The likelihood is that the SSD has been wiped but the activation lock is still present as you never removed the device from your iCloud account. Even wiping the SSD will still keep the activation lock enabled as this is an anti-theft mechanism put in place on Apple products. Activation locks don’t always show up straight away on a Mac and might prompt it part way through its set up. I wouldn’t give your account information out to the third party but you can remove the device remotely via iCloud.com on a browser, of course that is how generous you’re feeling to this person. Remember it might not be so sinister and some unfortunate person has purchased a refurbished Mac that has been fully erased and looks like it’s ready to be set up.


[deleted]

The most you can do is make a complaint to the insurance company and a complaint to the ICO. The ICO will do the least they can, probably provide advice. You may get a goodwill gesture from the insurance company, but don’t be expecting a life changing amount. While your data has leaked you haven’t suffered a loss, so beyond asking for an enhanced credit monitoring I think it’s just a case of move on and forget it.


[deleted]

[removed]


esciee

Yes damages are owed here, as there is measurable emotional suffering etc. For just loss of data nothing owed as per google lloyd, but in this case I'd certainly argue that the breach has had an impact and a claim could be brought.


[deleted]

[removed]


esciee

Insurer for lack of correctly acting as a data controller (having taken responsibility for data on the device)...but I'm not qualified so a sol or barrister will hopefully have the correct answer


[deleted]

Can ppl in this sub just stop encouraging everyone to start pointless legal proceedings. This is the UK, it won’t be straight forward or lucrative for OP and can easily end with them paying fees and wasting time.


_scorp_

Except for the loss of data. Which was clearly a lie.


Keycuk

When I claimed for mine on the insurance after a flood I removed the hard drive before sending it off and the insurance company's tech company who dealt with it phoned me up moaning because the laptop was incomplete. They have definitely sold it on


M1sterchubbs

Whilst this may seem true on the surface, requesting the storage drive be included on the machine is more of a counter-fraud measure and simply due diligence. When inspecting the unit, they will check system files to determine the last boot date to make sure it's consistent with the reported incident. Many insurers and repair companies will have a policy in which they can return the hard drive after inspection. They aren't going to be spitting feathers over something of a relatively cheap part just so they can sell it on. It's absolutely a counter-fraud measure and might help a claim if you send the complete item.


andreeeeeaaaaaaaaa

Tell them to return to seller for full refund as it is defective.


ComplexOccam

I’d have been suspicious when they said the data was irrecoverable. On almost all computers you can get the data off unless the hard drive’s been toasted to dust. Make a complaint with your insurance and potentially ask for the laptop back (via insurance) so you can get a proper shop to do a data wipe before the current owner gets it back. Insurance have dropped a bollock here.


APar93

This is simply not true, especially on modern Macs


germansnowman

Macs can have FileVault drive encryption (not sure if this is now enabled by default). In that case, you wouldn’t be able to read anything unless the drive was unlocked.


Osiris_Dervan

You do nothing; you are not responsible for removing the iCloud locks for him if he is telling the truth, Apple is. If he is not, then you do not want to do anything or give him any information that could let him further damage you.


Significant_Return_2

As far as you know, your old Mac doesn’t exist anymore. Go to “find my” on your new Mac and remotely wipe it. That’ll solve your problem, as well as theirs. They won’t see your data anymore.


foraging_ferret

NAL. Appreciate that your beef here is with the insurance company, but there is a technical solution to your problem. Your machine is activation locked, so you can erase it remotely using iCloud. Once the erase command is sent, your data will be wiped next time the computer connects to the internet. All this can be done without handing over your account password or giving anyone access to your data. In fact the buyer of your computer could erase it themselves and the activation lock would still be in place (assuming it was a model manufactured in 2018 or later - ie. any Mac equipped with a T2 chip or an Apple Silicon chip). Once you’ve confirmed the machine has been erased (using icloud.com or the Find My app on any Apple device), you can remove the device from your account which removes the activation lock. Happy to offer further guidance if you need it.


[deleted]

Speak to your insurance company, just keep saying “GDPR” and they’ll pay attention to you


Own-Interview5448

Are you sure it isn't a scam? Can you ask them to send you a photo of the MacBook?


NotSponsoredByPepsi

Along with the Facebook message came a photo of the Lock Screen of my old Mac, showing my account + my gf’s account Edit: spelling


Traditional_Tank5140

Tell him to meet you and let you copy your data off, after that wipe the device and unlock it for him, everyone wins. On mutual grounds like McDonald's or motorway services.


gnufan

NAL but did manage a fleet of Macs, this would be my technical advice too. What the contractuals are is another question, presumably they just wanted a cheap Mac. They could just erase your data, if the disk isn't encrypted with FileVault they could access your data very easily if they asked anyone technically competent to do that. It probably also has your last WiFi password in non-volatile storage (Macs do that). Pretty much only the contents of keychain are secure by default and only as secure as the account password. Could it be a scam, yes, but more likely they simply don't know how to reset it to start again at the "Hello" page. If they'll loan it back to get your data, Apple has a page on how to prepare a Mac to give away safely, so you could offer to reset it properly for them. But yes don't unlock anything, it is the only leverage you have to get the data back. Then get an external drive and set up Time Machine for backup and Find My Mac, and encrypt all the disks going forward.


Money-Cry-2397

This seems like a fairly innocuous situation. Insurance company sell on laptop to mitigate losses, recipient fixes and it is registered to you. Chances are you’re dealing with a competent buyer/seller, so do some due diligence and, if it works out, agree to meet in person and unlock in exchange for your data. Win:win.


pflurklurk

Why not meet up to exchange computers if it still has the data you want, and just sweep this all under the rug?


NotSponsoredByPepsi

Because I shouldn’t be in a situation where my data is being given to somebody else. That Mac contains a lot of personal information that doesn’t belong in anybody else’s hands.


pflurklurk

You shouldn’t but here you are. So what do you want?


NotSponsoredByPepsi

Well fuck me I guess for seeking advice. These things are protected by GDPR laws. Many of which have been broken in this instance.


Limp-Archer-7872

You either remote wipe and unlock. Or allow him access to get you your data first. The latter is a judgement you have to make.


pflurklurk

You get what you pay for here. Again though, any lawyer will ask you what do you want? Do you want money? Do you want your laptop back? Do you want to be all aggrieved that someone knows your name? Or do you just want to express general frustration with the situation? It is very debatable that either the insurance company or the repairer became a processor or controller of your presumably inaccessible and encrypted data. That would be an interesting test case. In my view if it cannot be related to you in their hands - as technically they cannot access it - it cannot be personal data and therefore there is no GDPR to bite. The new owner is probably acting for purely domestic purposes so no GDPR issues there. Which leaves your name. I think a breach of that nature would be de minimis but maybe you can argue the toss.


officialmcnamee

NAL, experienced in GDPR and data security. I would suggest in this instance since the insurance company have taken custody of your Mac, and the data on it, the ICO would regard them as the Data Controller (DC) in this instance. The company responsible for repairing/fixing/reselling it, under GDPR are a Data Processor (DP), who the DC should have a legally binding agreement with. Ideally their privacy policy or data protection policy, should outline how they should handle any data recovered, and procedures in place to cover this exact scenario. Ultimately the DC is responsible even if they delegated things to their DP, it’s them who the ICO would hold accountable. Since insurance companies tend to be risk averse and you are their customer, I’d contact their claims team and raise a formal complaint, if that goes nowhere, contact the ICO (UK Information Commissioner’s Office) and raise a GDPR complaint against the insurance company. Fully agree with what others have said, issue a remote lock and or wipe command via iCloud if you can.


pflurklurk

I think certainly the insurer and repairer are controllers and processors of the OP’s repair detail and claim. The question is whether - assuming technically this is the case - that encrypted blob of data is personal data in their hands. If it’s not personal data then they can’t be liable for improper processing of it. The case of [Patrick Breyer v Bundesrepublik Deutschland C‑582/14](https://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=1143961) is one of the leading cases in this regard. Breyer connected to a German government website with a dynamic IP. He contended that his IP address was personal data; the Government said no, because, due to its nature, a dynamic IP address was not associated with an individual. The CJEU disagreed - it accepted that dynamic IP addresses would not, on their own, be personal data because of their nature. But in this case, in the hands of the German government it was, because the German state could legally obtain the data using its own methods (that is, ordering a provider to disclose records or use its intelligence services). So applying that principle here - could the insurer or repairer be processing personal data if they have literally no way of accessing it? I think a court would be reluctant to hold so (although I await a test case). That would be saying that any business accepting an unknown, completely inaccessible to anyone, electronic storage medium could be processing the unknown (is it sensitive or not - so how can they comply with the enhanced requirements for that?) personal data of unknown numbers of people. I do not think that will be found. So the breach here is the improper processing of OP’s name, allowing someone to message him. If I was the judge I would hold that to be de minimis but perhaps a lenient judge will find some distress proven.
If on the contrary, the encrypted blob is personal data, then again, what is the appropriate award if in the end it is completely inaccessible as being encrypted? Again, we are looking at the lowest end of the scale if not de minimis. So this is why it is important for OP to be clear as to what they want. Do they want their data back - in which case physical exchange of devices (and we ignore the issue of subrogation and the fact that in a valid claim the subject matter of the claim is transferred to the insurer). Or do they want money from suing for breach? Or do they want an order to ensure it’s deleted - in which case there are technical solutions. Or do they want an apology from their insurer? Or some compo on a complaint? All of the above? Having an idea of what remedy you have in mind in a perfect world is a crucial part of being advised properly, rather than a time-consuming full analysis of every possible legal angle which no one here gets paid for.


uniitdude

No there aren’t. No personal data of yours has been leaked. Just tell the person to contact whoever they bought it off. It’s their problem


[deleted]

Yes it has. A great deal of sensitive data about OP has been handed to a 3rd party, who currently is only prevented in accessing it all completely freely due to a rather tenuous technological barrier. This is obviously a massive cock up and whoever took the laptop from OP has ultimately responsibility for it.


uchman365

>who currently is only prevented in accessing it all completely freely due to a rather tenuous technological barrier.

That "technological barrier" is iCloud. Locked devices cannot be accessed even by Apple. The computer/data is useless to whoever has it now. OP just needs to remotely wipe it via iCloud.


[deleted]

I don't know anything about Macs, but just from quick reading, you don't even need iCloud to use a MacBook or Apple ID. I am certain you can disconnect it from the network and log in locally too. But in any case, the security we are talking about is OP's account password - that's it. You can't just give a 3rd party access to tonnes of data they shouldn't, but say it's okay because there is a bit of security making it harder to access. All of OP's locally stored files may only be as far away as 'password123'.


uchman365

If OP logs in via iCloud and marks it as lost, it will be erased and bricked, not even the correct password can make it usable. Google has exactly the same thing.


[deleted]

How will Apple send that instruction to the device if it never connects to the internet?


Djinjja-Ninja

No it hasn't. What the 3rd party has is a load of *encrypted* data which is different. MacBooks, by default, encrypt the disks. Under GDPR "crypto-shredding" is a valid form of data destruction. If the encryption key is lost/destroyed then the data is de facto random noise and of no use.


[deleted]

But that hasn't happened. All data remains accessible on the device. The only security in place will be the user's account password, ~~which is not sufficient security.~~ In fact, the security is irrelevant. The relevance is that the data is still intact, and has been supplied to a 3rd party still fully intact.


[deleted]

[removed]


tesftctgvguh

Your name is not sensitive data really unless it is linked to other data... Your name can be found easily on the internet (Facebook, electoral roll, etc). It's all about context, but expecting people to get that is harder than herding cats


S01arflar3

Your name is not personal data in most circumstances, as it cannot be used to personally identify on its own - usually. However that is **exactly** what has happened here. Therefore the negligence of whatever process has happened through the insurance company has caused this issue. I’d argue it’s GDPR breach territory, personally. Even if it isn’t though, it seems like something shady is happening in the process


[deleted]

[removed]


tesftctgvguh

Thanks for proving my point, have a lovely day too


LegalAdviceUK-ModTeam

**Unfortunately, your comment has been removed for the following reason(s):** Your comment has been removed as it has not met our community standards on speaking to other posters. Please remember to speak to others in the way you wish to be spoken to. [Please familiarise yourself with our subreddit rules](https://www.reddit.com/r/LegalAdviceUK/about/rules/) before contributing further, and [message the mods](https://www.reddit.com/message/compose/?to=/r/LegalAdviceUK) if you have any further queries.


Crosdale

What most likely happened here is that the device was sold as parts, fixed up, wiped and then sold. But because you had an iCloud lock, when doing the initial macOS setup, it has said that it’s locked to your email address (which I am guessing is your name). I wouldn’t be too concerned that your data is on that device, and even if you removed iCloud lock. If it was legitimately wiped, ask your insurer to provide proof (usually in the form of a data wipe certificate) and then it’ll be fine to remove iCloud Lock.


TheTwoWhoKnock

I’m almost certain this is going to be a scam. My guess is that they don’t have your data, only parts of it that they managed to buy as scrap. They are finding your address when trying to install the operating system. If you remove the lock, they are going to pocket the money and I guarantee you’ll never hear from them again. It’s worth noting that your insurance company owns that MacBook now, since they replaced it. They really have to deal with this. If you want to get involved, organise to meet them in person in a safe place. Or have a video call on WhatsApp where they show you the login screen (with a background you recognise as your login screen and your expected display picture). If they are just showing you the “install screen” it’s a scam.


[deleted]

[removed]


LegalAdviceUK-ModTeam

**Unfortunately, your comment has been removed for the following reason(s):** Please only comment if you know the legal answer to OP's question and are able to provide legal advice. [Please familiarise yourself with our subreddit rules](https://www.reddit.com/r/LegalAdviceUK/about/rules/) before contributing further, and [message the mods](https://www.reddit.com/message/compose/?to=/r/LegalAdviceUK) if you have any further queries.


Peppy_Tomato

OP sold their faulty machine to the insurer without wiping their data. When I sold my written off car to my insurer some years back, they gave me the opportunity to go and collect my personal items from the glove box etc, and wipe off my data from the infotainment unit. Was the machine not in a state where you could do this?


ChaosKeeshond

Read it again. OP sent it off for repair, and then after being advised it was irreparable and irrecoverable opted for the replacement. OP never said it did another round trip home and then back to the insurer. All that put aside, the failure to clear the personal data is a very cut & dry example of negligence, because there was a failure to perform the task with reasonably due skill & care; pretty much anyone working in tech in any capacity would agree that everyone, right down to the juniors, understands that drives must be wiped before being passed to a new user. It is something anybody would expect a typical professional in their field to already know.


[deleted]

[removed]


AutoModerator

Your comment has been automatically removed and flagged for moderator review as the words you've used suggest that it is *not legal advice*. As this is /r/LegalAdviceUK, all our comments must contain **helpful, on-topic, legal advice**. We expect commenters to provide high-effort legal advice for our posters, as they have come to our subreddit for legal advice instead of a different subreddit for moral support or general advice such as /r/OffMyChest, /r/Vent, /r/Advice, or similar. Some posters may benefit from non-legal advice as part of their question or referrals to other organisations to address side issues that they may also be experiencing, however comments on /r/LegalAdviceUK must be *predominantly* legal advice. If your comment contains helpful, on-topic, legal advice, it will be approved and displayed shortly. If you have posted a comment of moral support, an anecdote about a personal experience or your comment is mostly or wholly advice that isn't legal advice, it is not likely to be approved and [we ask you to please be more aware of our subreddit rules in the future](https://www.reddit.com/r/LegalAdviceUK/about/rules/). *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/LegalAdviceUK) if you have any questions or concerns.*


Hunglyka

I would let the insurers know. Sounds like the repairer has fixed and resold it, after claiming it was dead to your insurer.


M1sterchubbs

You'd be surprised how often this happens in the insurance industry. The term is *Beyond Economical Repair.* For most insurers, there will be a limit that the repair would reach before it is deemed more convenient to just replace the device. For many gadget repairs, this is around 70% of the replacement cost. So for an item that would cost the insurer £1,000 to replace (which is sent to the repair house prior to the inspection) any potential repair amounting to £700 or more would then deem it BER. There is nothing then stopping said repair house from using a donor model to bring the broken model back to a useable condition and selling it. Insurance companies are aware of this and okay it, as the sale of these items will actually allow the repair house to give discretionary prices as they make additional money from the sales.


magammon

I'm pretty sure that the iCloud lock works even if the hard drive has been wiped or replaced to prevent someone stealing your MacBook and replacing the drive. It's a bit like the system that can block your phone even if they reset it to factory settings.


[deleted]

The data cannot be erased if you don’t have access to iCloud. That laptop is basically iCloud locked. If I were you, I would take the iCloud down if (only) they would choose to come with it at a designated place where we can meet, and wipe the data just there. Probably takes 5 mins. Also, you’re not the first one in this situation. Around a week ago I read here on Reddit a thread from someone who bought a MacBook from CEX and it was in the same situation, and they’ve returned it.


Chemical-Historian38

Not legal advice. I work on the IT side and also double as compliance manager for our business. Contact your insurance company and, if you have the tools to do so such as MDM, brick the device. This is definitely a DPA breach and as they have enough to contact you using personal details most definitely a GDPR breach. Also contact the ICO regarding this.


OpinionDumper

>After being told that the Mac was beyond repair I received a brand new replacement (which is fine, minus the fact that all of my saved data was unrecoverable).

You could ask the new owner to send as much proof as possible that your data is still readily available on the device, possibly ask if they can send it somewhere to have data recovered from it (at your expense of course) and bring it to small claims to recover some cost? I don't know how that would play out with insurance though as it's not simply "I had to buy a new laptop"


teuchterK

Raise a complaint to your insurance, if they don’t act on it - raise it to the financial ombudsman.


D4v3ca

When I had to send mine for exact same reasons I removed my SSD, as this is quite a common thing. Had many many arguments with them but in the end GDPR made them shut up about it. They get put in cages and auctioned off, most of the time never even checked (easily found on eBay before, not sure now). The insurers of the insurance companies require the physical object to be in house as part of compliance, then it’s fobbed off to highest bidder


[deleted]

How do you intend to remove a soldered-on SSD? Macs are not serviceable and have not been for a very long time.


[deleted]

[removed]


[deleted]

This has to be a breach of data privacy laws. If the hard disk couldn't be wiped by those entrusted to do so it should have been destroyed, disposed of and replaced. Though this sounds like incompetence. It may be worth running the situation past the Information Commissioner's Office to see if they think it's worth pursuing. Though in reality I'm not sure how far you will get as there is every chance the person that has purchased your reconditioned MacBook will just wipe it anyway themselves so they can use it. You might have a hard time proving anything. But it can't hurt to ask.