AnyVan, a European online marketplace where users can purchase delivery, transportation, or removal services from its network of providers, has identified itself as the victim of a digital robbery involving the theft of its customers’ personal data.
The company reportedly notified its customers in the middle of last week that “a security breach caused unauthorized access to user database data.”
“This data breach caught our attention on 31st December, but we understand that the incident itself occurred at the end of September. As soon as the incident caught our attention, a dedicated IT team investigated and took the following corrective action: All passwords have changed.”
The data at issue? “The encrypted hashes of customer names, emails, and passwords were accessed and potentially displayed, but no other personal data was unknowingly shared. We will continue to investigate the event,” said AnyVan.
To customers who accessed their account using a password from April last year, the company said, “We apologize for the inconvenience,” and added, “Please change your password to an account that retains personal information on a regular basis. data.”
Beyond changing passwords, there is no mention of how a repeat of the incident will be prevented. It is unknown whether the password hashes were salted. Salting is usually done to defend against hash collision attacks, in which an attacker finds two input strings to a hash function that produce the same result.
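An added example (not from the original article or from AnyVan) of one way to audit a credential table for the question raised above, whether stored password hashes are salted. It goes slightly beyond the text by showing a further effect of salting, that two accounts with the same password no longer share a digest; the sample accounts, function names and iteration count are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def hash_unsalted(password):
    """Weak storage: a bare digest, identical wherever the password repeats."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt=None):
    """Stronger storage: per-account random salt fed to a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], expected)

def shared_digests(records):
    """Audit check: digests stored for more than one account.

    Any hit means equal passwords map to equal digests, i.e. no per-account salt.
    """
    counts = Counter(digest for _account, digest in records)
    return {digest: n for digest, n in counts.items() if n > 1}

# Constructed sample accounts (not real data); two share a password.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "correct horse"),
    ("carol@example.com", "battery staple"),
]

def build_tables(users=SAMPLE_USERS):
    """Return the same accounts stored both ways as (account, digest) rows."""
    unsalted = [(email, hash_unsalted(pw)) for email, pw in users]
    salted = [(email, hash_salted(pw)[1]) for email, pw in users]
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted table, shared digests:", len(shared_digests(unsalted)))
    print("salted table, shared digests:  ", len(shared_digests(salted)))
```

An empty result from `shared_digests` does not prove that a table is salted, since every password in it may simply be unique; a non-empty result does show that no per-account salt is in use.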
El Reg sent AnyVan a list of questions last week about the breach of its internal systems, asking how entry was gained, how the systems have been protected since then, whether the password hashes are salted, and whether mainland European customers were affected or only UK customers. We also asked whether it had notified the ICO.
We can answer the last one. The UK’s Information Commissioner’s Office (ICO) confirmed that AnyVan had not informed it about the incident. “You don’t have to report every breach. The organization needs to establish potential risks to people’s rights and freedoms. If risks do arise, the organization should notify the ICO. If the risk is unlikely to occur, you do not need to report it.”
A spokeswoman added, “However, if an organization decides that it does not need to report a breach, it needs to be documented because it needs to be able to justify this decision.”
Neil Brown, technical lawyer at decoded.legal, said the breach in AnyVan’s case was “quite limited in the scope of personal data” and that he could understand why the company chose not to notify the ICO. ®