Lithuanian company CityBee has reported the theft of its customer data, which has resulted in the theft of data such as customer names, surnames, personal identification numbers, and likely the disclosure of even more data such as phone numbers, residence addresses, and driver’s license number.
In Lithuania, it is the first leak of data of this scale in the history of GDPR.
Every company must make an effort to put in place appropriate technical and organizational data security measures to prevent similar cyber-attacks. Whether sufficient security measures have been implemented in this situation will be answered by the State Data Protection Inspectorate after conducting an investigation.
It is reported that the State Data Protection Inspectorate has launched an investigation into a widespread CityBee data security breach.
As a result of this incident, the police have also started a pre-trial investigation regarding the illegal interception and use of electronic data and illegal access to an information system. The police will try to identify the perpetrators of the crime during this investigation.
Foreign countries’ practice shows that companies are generally subject to higher or lower fines for breaching GDPR for the implementation of inadequate security measures, which lead to the leak of personal data.
Also, victims can meanwhile sue the company for damages. This is a good opportunity not for one to defend one’s violated rights, but to take advantage of the group-action lawsuit.
Consumers, meanwhile, should bear in mind that security measures must be taken not only by the companies that process such data but also by themselves.
The ECOVIS ProventusLaw Data Protection, Cyber , and IT Security, Operational Risk Team has prepared the following initial recommendations:
For consumers:
- to change the leaked email password;
- do not use the same passwords for different logins into different systems;
- do not use work e-mail accounts for personal services;
- use a password manager to create different passwords for all sites;
- in this situation, consider changing personal documents (to prevent your data from being used for fraudulent purposes);
- warn the relatives of possible cases of fraud and false reports against them;
We also recommend that you do not distribute or share stolen personal data or references to it, as such behavior only contributes to the committed crime.
Recommendations for business:
- use salt (cryptographic) method for passwords, where certain characters are inserted in each password during encryption. In that case, stealing the password hashes would be worthless.
- ensure continuous monitoring of IT systems;
- perform regular IT security tests;
- continuous improvement of cybersecurity systems;
- assess whether it is worth storing all the data and what reasonable retention period to choose;
- ensure fair communication with affected data subjects;
- prepare in advance for crisis management.
We wish the CityBee team strength, and for other businesses, it is a reminder of the importance of engaging in prevention and engaging in compliance, review, and improvement of GDPR and IT security requirements in day-to-day business operations to avoid such critical situations.
ECOVIS ProventusLaw can help you perform GDPR audits, IT / cybersecurity audits, provide consultations on other operational risks or data protection issues.
We can also help victims defend their violated rights due to data breach.