
Disclose a data breach?

  • 20-10-2024 12:48PM
    #1
    Registered Users, Registered Users 2 Posts: 9,707 ✭✭✭


    I have come across some GDPR data on the internet while doing some security research. I have identified the company it's from in Ireland.

    What's the best way to disclose this data breach etc?

    If anyone has any advice please let me know via PM?



Comments

  • Registered Users, Registered Users 2 Posts: 2,171 ✭✭✭ItHurtsWhenIP


    Check the company's website for a privacy statement (data protection notice) and see if they list an email address for data protection matters and notify them that way.

    If nothing there, they are unlikely to have a security.txt file on their site, but no harm in checking for one anyway. It might list their disclosure contact details.

    https://securitytxt.org/

    If all else fails try their info@, hello@ or whatever general contact email they list on their site or through a "Contact us" form.

    These are the steps that Troy Hunt of Have I Been Pwned usually carries out when he gets his hands on a data breach.

    If none of the above work, fire a report into the Data Protection Commission. They'll eventually get around to looking into it.
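
The security.txt check from the steps above, as an added example that is not part of this post: it parses a file in the RFC 9116 format, pulls out the Contact lines, and refuses an expired file (Expires is mandatory under the RFC). The sample file and the example.com addresses are constructed; the fetch helper assumes the RFC 9116 location /.well-known/security.txt.

```python
"""Find a disclosure contact in a site's security.txt (RFC 9116).

Added example, not from the thread. Assumes the file lives at the RFC 9116
location /.well-known/security.txt; the sample below is constructed.
"""
from datetime import datetime, timezone
from urllib.request import urlopen

# Constructed sample of a company's security.txt (not a real site's file).
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure policy (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, ga
"""

def parse_security_txt(text):
    """Map each field name (lower-cased) to its list of values; skip comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # lines without "Field: value" shape are ignored
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def disclosure_contacts(text, now=None):
    """Return Contact values, or [] if the file lacks Contact/Expires or has expired.

    RFC 9116 requires both fields; an expired file is not a trustworthy route."""
    fields = parse_security_txt(text)
    contacts, expires = fields.get("contact", []), fields.get("expires", [])
    if not contacts or not expires:
        return []
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    return contacts if expiry > now else []

def fetch_security_txt(base_url, timeout=10):
    """Fetch /.well-known/security.txt; None if the site does not serve one."""
    try:
        with urlopen(base_url.rstrip("/") + "/.well-known/security.txt", timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (OSError, ValueError):
        return None
```

Feed the result of fetch_security_txt into disclosure_contacts; the first mailto: or https: contact it returns is the address to send the report to.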



  • Registered Users, Registered Users 2 Posts: 9,707 ✭✭✭irishgeo


    Thanks. They have a data protection email address which I have emailed, so let's see what comes out of that. It is not so much a data breach, more that they left something open to the internet.



  • Registered Users, Registered Users 2 Posts: 31,622 ✭✭✭✭AndrewJRenko


    Would love to hear how this played out.



  • Registered Users, Registered Users 2 Posts: 9,707 ✭✭✭irishgeo


    They never replied of course. Off to the DPC.



  • Registered Users, Registered Users 2 Posts: 856 ✭✭✭csirl


    Inform the DPC via their online portal.

    But don't hold your breath on any outcome. They've a 5 year backlog of cases! They seem to prioritise regulating the big tech companies, but have little interest in the day to day stuff that impacts on ordinary citizens.



  • Registered Users, Registered Users 2 Posts: 2,171 ✭✭✭ItHurtsWhenIP


    I would disagree that they are not doing the day-to-day stuff. I know of a number of examples of small and medium businesses that have been contacted by the DPC for failing to respond to an individual's request for access or deletion. Those contacts usually scare the bejaysus out of the company, so they generally resolve the situation within the timeframe set by the DPC's contact.

    Now I will agree that it will take some time for any kind of initial response from the DPC. They claim a 2 week response time, but it'll be more like 2 months.



  • Registered Users, Registered Users 2 Posts: 31,622 ✭✭✭✭AndrewJRenko


    I've had decent responses from the DPC within 3-6 months of complaining about SMEs.



  • Registered Users, Registered Users 2 Posts: 1,030 ✭✭✭mondeoman72


    I agree

    I agree. I know someone who had to complain to the DPC about failure to release a data request by Tusla and St John Ambulance. It got released.



  • Registered Users, Registered Users 2 Posts: 856 ✭✭✭csirl


    Yes they'll make initial contact with the organisation within 2-3 weeks and I imagine most just comply when contacted. They rely on cooperation.

    But cases where the data controller is uncooperative are not getting resolved. I've a relative with a late 2019 case that is still live. About 3-4 times per year - usually when my relative contacts them seeking an update - they write to the data controller, who simply doesn't respond. This has been going on for years. Each time it's a different staff member from the DPC dealing with it and my relative has to update them from scratch as they are not up to speed on the history. Every so often they also get an apology letter from the DPC over delays in concluding the case. Seems like they've no teeth when organisations ignore them.

    BTW the organisation in question is a state funded charity and the data being sought is not voluminous - a handful of pages.


