2026-06-12

Leaky cruise


They had just completed yet another cruise. This time too, they had managed to keep their feet dry, but as it turned out afterwards, there had been a leak after all. A data leak. And just like in the days of the Titanic, everyone acted as if nothing had happened.

They had not received a personal notification that their data had been exposed. They only found out by pure chance. In Europe, our first reaction is often to start waving the GDPR around indignantly: surely they have to tell me if my data has been leaked?! But it is not quite that simple. To begin with, the organisation responsible for the leak must determine for itself whether the incident has to be reported to the Dutch Data Protection Authority (AP). That is not required if “it is unlikely that the personal data breach will result in a risk to the rights and freedoms of data subjects”, as the AP explains. The leaked information did contain personal data (including that of my seafaring colleague), so they would probably not get away with that argument.

The next step is for the leaking party to notify the victims, and here comes the catch: only if the breach is likely to result in a high risk to them. Once again, the organisation must make that assessment itself, of course based on the GDPR rules. If personal data has been stolen by a hacker, the risk is fairly obvious, according to the AP.

And that is exactly the situation we are dealing with here. Last month, Carnival Corporation, the parent company of Carnival Cruise Line, sent letters to customers about a cybersecurity incident (though not to all customers, obviously). A month earlier, an attacker had gained access to Carnival’s IT systems through social engineering and copied customers’ personal data. The information involved includes names, email addresses, dates of birth, gender, and several Carnival-specific data elements.

Carnival Corporation’s headquarters are located in Miami. Aha, I can hear you thinking gloomily, that is well outside the EU, so that wonderful GDPR is of no use to me. Wrong! The GDPR has what lawyers like to call extraterritorial effect: if a company outside the EU also targets the European market, it falls under the GDPR. And when I add everything up, it seems to me that a personal notification to the affected individuals would indeed be appropriate here.

Unless... Yes, unless the data was encrypted, the breach was stopped before anything could be done with the data, or informing all victims would require a disproportionate effort on the part of the company, for example because it no longer has their contact details. In that last case, publishing a notice in a newspaper or on social media is sufficient.

In short: it is not as straightforward as it may seem. We do know how this particular case played out: it didn't. That is why my data-breached colleague asked me what you can do yourself in such a situation. The AP has put together a useful overview (in Dutch). Among other things, it states that you should change any leaked passwords; that is indeed the very first thing you should do. They also recommend changing the passwords for other accounts and apps if they use the same password as the compromised one.

This immediately shows why you should never reuse passwords: after a breach, it creates a lot of extra work. Criminals will simply take the password from website A and try it on websites B through Z. And of course, you should already have enabled multi-factor authentication wherever possible.

After a breach, you should also be extra alert to phishing attempts. Those phishing messages may be far more sophisticated than the run-of-the-mill phishing emails, because the attackers now have much more than just your email address. With all that additional information, they can make their messages look highly personal.

According to the AP, a criminal cannot do much with just a bank account number (IBAN) or a citizen service number (BSN) on its own. But be careful with combinations of data — a copy of your identity document can be a real game changer when it comes to identity fraud.

In summary: stay alert...
