
A website recently had a bug where users could effortlessly and inadvertently access and operate other users' accounts - payment information and all.

This website has an official community forum where they are responding to some inquiries with a copy-paste admitting it and that they are working on it. However, few users use this community forum; there have been no official announcements on this forum about it.

The company has not made any announcement on their website, they have not sent out an email notification, and there has been no official word anywhere. The website is large and housed in the USA, but operates internationally.

I feel that this is serious and their customers need to know their data was exposed.

What can I do?

  • It sounds like they *are* informing people. What you are looking for is for them to be more proactive in notifying all users. That's an important distinction. – schroeder Feb 20 '19 at 21:11
  • The PIPEDA act requires an organization to report a breach involving personal information under "its control". Therefore, the obligation to report the breach rests with an organization in control of the personal information implicated in the breach. "Control" needs to be assessed on a case-by-case basis. From what you said it looks like they are informing the users but their reporting method is not ideal. No harm in bringing up with their security advocate and get more detail. – Vcode Feb 25 '19 at 15:44

2 Answers


Because they know about it and are open, when asked, about the problem, it is possible that there is nothing more they are required to do. Various jurisdictions require breach notification, but which jurisdiction applies to this company is beyond the scope of this site.

So, you can check to see if they need to report, and prompt them to do so or to report them to the relevant authority. Or you might find that there is no defined avenue for you to push the company to act.

As always, you could see if a journalist might be interested, but then you're scrambling for someone to take an interest in the problem.

schroeder
  • What would I google if I wanted to check who needs to report what? – guestp-p-p-panda Feb 20 '19 at 21:37
  • You would likely need to find out where the company is registered and google "breach notification in [location]". If they are also registered in Europe, then there is the GDPR route to go. – schroeder Feb 20 '19 at 21:44

If the website in question offers services to EU countries, then regardless of where it is based it is subject to the European General Data Protection Regulation (GDPR). Similar legislation applies in the US and other countries.

You seem to be referring to a vulnerability rather than to a confirmed data breach. According to the GDPR, websites affected by a vulnerability which exposes sensitive personal data must quickly investigate whether the vulnerability resulted in a data breach. If the website has conclusive proof that the vulnerability was not exploited (e.g. from reliable logs) and if the vulnerability was remediated, then no notification is necessary. However, if the vulnerability is likely to have been exploited and to result in a high risk for users, then the website must inform users proactively (e.g. via email). At any time you can inform your own national authority, who must follow up accordingly in case of violations.

The following are the relevant extracts from the GDPR:

‘personal data breach’ a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4)

It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. (Recital 87)

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay (Article 33)

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. (Article 34)

[...] every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. (Article 77)

Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory: [...] handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period [...] (Article 57)

Enos D'Andrea
  • The recent disturbance with log4j brought me interest to this topic. Is a B2B corporate required to disclose whether they had any affected components, and whether they were patched or not, given that no data breach actually happened? – Christopher Smith Dec 14 '21 at 10:08
  • @ChristopherSmith AFAIK if there is reasonable proof that no breach happened then B2Bs are not required to disclose anything - except if it is expressly requested in ad-hoc B2B contracts, which is very unlikely. This at least in Europe; other parts of the world may apply different rules. In any case a communication and/or a question to your national CERT would clear any doubts. – Enos D'Andrea Dec 15 '21 at 21:19
  • @enos-dandrea Thank you very much for your reply. There has been no prior agreement to disclose patch/vuln status in my specific case in Japan. The thing with Japanese businesses is that there's a certain Japan-domestic cybersecurity compliance program which could be the origin of such an inquiry. B2B clients are often required by compliance to make sure that the other parties' systems are regularly updated, however, asking whether a specific vuln has been addressed is going too far, I think. – Christopher Smith Dec 23 '21 at 06:30