Timehop Discloses More Private Data Was Breached

July 14, 2018

 

Breached online company Timehop has disclosed more details about a security incident that affected 21 million people, which will be an interesting test case for GDPR watchdogs.

The company initially said it found a network intrusion on July 4 leading to the compromise of names, phone numbers, and email addresses.

However, in an update on Wednesday, it claimed the breached data also included customers’ gender, dates of birth, and country codes.

It provided a helpful breakdown of which breached records were in scope for the GDPR, comprising 2.9 million name and email address combinations and 2.2 million name, email address, and date of birth (DOB) records.

The company acknowledged “messing up” with its incident response.

“In our eagerness to reveal all we knew, we quite simply made our declaration before we knew the whole lot,” it said.

“With the help of staff who had been vacationing and absent during the first four days of the inquiry, and a new senior engineering worker, as we examined the more comprehensive audit on Monday of the actual database tables that were thieved, it became clear that there was more information in the tables than we had initially revealed.”

It will be interesting to see whether Timehop’s efforts at openness satisfy watchdogs, given that it was unable to spot the original unauthorized use of one of its admin’s credentials to log in to a third-party cloud platform on December 19, 2017.

After creating a new admin account, the attacker logged in on three separate occasions looking for PII, according to Timehop. By the time of a fourth login at the end of June, PII had inadvertently been moved into the cloud environment. The attacker then waited until the July 4 holiday before logging in once again and stealing the database.

The ICO has said in the past that “those who self-report, who contract with us to settle problems and who can show effective accountability arrangements can suppose this to be taken into consideration when we consider any controlling action.”