Date: 2021-04-21

The cyber attackers have made good on their threat. After demanding a ransom from Phone House, the group behind the Babuk ransomware has leaked a first part of the data it obtained: a spreadsheet with the data of 1,048,575 people, the maximum number of rows Excel allows per file, who, according to the file, are customers and employees of Phone House.

At Xataka we have been able to access the file, which contains a huge amount of personal data: DNI numbers, passports, email addresses, mobile and landline telephone numbers, dates of birth, nationality, physical addresses, postal codes, provinces, cities and, in many cases, even the store where the Phone House customer registered.

When a leak of this kind occurs, the usual procedure is for the affected company to contact the Spanish Data Protection Agency (AEPD) so that it can open an investigation. For the moment, however, neither Phone House nor the AEPD has commented on the case.

Given the enormous amount of personal data involved, it is worth asking what can be done, both by the users whose data has been leaked and by Phone House itself, which could face a sanction from the AEPD.

What Phone House faces over the data breach

When the data of a company's users has been compromised, the company is obliged to notify the breach to the AEPD within 72 hours. If it fails to do so, the agency can open sanctioning proceedings; in fact, delay in reporting a cyberattack is the most common reason the AEPD sanctions a company.

Unfortunately, Phone House is not the first case in which a large amount of data has been published. In 2018, cybercriminals stole the data of thousands of Air Europa customers, and in March 2021 the AEPD fined the company 600,000 euros. The AEPD explains to Engadget, however, that only 10% of attacks are investigated and only a few end up being sanctioned.

In the case of Phone House, the company has followed the experts' advice by not paying the ransom, but the next step should be to contact the AEPD, if it has not already done so. For this purpose the agency has a tool, Communication-Gap-RGPD, created specifically for reporting breaches.

If an investigation is opened, the AEPD will ask Phone House to demonstrate that it had all the appropriate preventive measures in place to avoid the breach.

If the breach is confirmed, Phone House must inform both the AEPD and all affected users.

Under the GDPR, Phone House must notify all affected users, whether by email, by telephone or through another channel.

There is no specific deadline, and it is not clear what information the company could give: since passwords are not involved, there is no point in telling users to change anything. The company could, however, warn affected users to be on the alert for targeted phishing attacks, since attackers could use this data to profile future attacks against these users more precisely.

What the user can do

Affected users who want to file a claim can do so in two ways: before the AEPD itself, for a violation of their data protection rights, or through the civil courts, if they consider that the leak has caused them a loss and wish to seek compensation.

“The AEPD can only sanction, it cannot manage compensation”, explains Sergio Carrasco, a lawyer specialising in security. “You, as a customer, have given permission for the company to manage your data. They have the obligation to keep your data safe. For someone to be able to massively access all this data, they must have had a problem with their security protocol, regardless of whether there was any vulnerability.”

The recommendation is to check which of your data has been leaked. Once the breach is confirmed, it is possible to file a claim before the AEPD. The agency will study each case individually and assess whether it is advisable to go through the civil courts to obtain possible compensation.

The agency will examine the specific case and decide, after a preliminary study, whether or not to initiate legal action aimed at compensating the damage. In these cases, before starting a claim, it is advisable to verify exactly which data has been leaked.

As to whether we can request that our data be removed from the network, Carrasco explains that “a judge can compel a service provider to withdraw the information. However, with a .onion domain it can be more difficult. An ordinary provider will certainly remove it.”

