So you have the option to report to the ICO and look like a good boy or not report and line yourself up for the top tier of fines for not doing so if the ICO disagrees with your risk assessment of the breach. Deciding whether to report or not is also a risk assessment, of course. Does the quality of assessment on whether to report indicate anything about the quality of assessment of the breach?
Holidaymakers who used Thomas Cook Airlines had their personal information spilled onto the internet no thanks to basic coding cockups. Norwegian programmer Roy Solberg came across an enumeration bug that leaked the full name of all travelers on a booking, the email addresses used, and flight details from Thomas Cook Airlines …
Their incident reporting is obviously as late as their shitty charter flights.
If they are struggling to report themselves, I'm sure there are a few competent people on here that can do it for them.
Is Graham Clueless still around?
stop telling us how serious you are!
We'll judge how seriously you take passenger data based on your actions, like everyone else.
"we take ... blah blah blah" ... well done, your PR dept googled the standard response. F**k off, none of you largish companies give a sh*t
Re: stop telling us how serious you are!
Yeah, that's canned incident response template number 1.
Yeah, I'm sick of hearing it too, and sadly it'll never stop.
Our tame examiners only exposed a few people's details, so we are certain no crims did any better.
GDPR requires reporting of data leaks except when it doesn't :]
"the controller shall .. notify the personal data breach to the supervisory authority .. unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."
So, no sanctions for such leaks and no requirement to report such leaks to the leaked-on. The only practical effect I've seen is multiple click-boxes on websites and some US websites blocking access in Europe.
Based upon the evidence we have, and the limited volume and nature of the data that was accessed,
So they are saying that they have so few customers using that site that it doesn't matter?
re: Spies Denmark
For a second I was wondering what the local Google affiliate was doing in a list of travel agencies.
What a bunch of $$$7
In good faith, I believe the company should publish the names and PERSONAL emails of all company board members and those holding the position of VP and above.
If they will do this, then I'll go along with them saying this is a LOW vulnerability... but you know they will never do this.
"After being alerted to this unauthorised access"
Except it wasn't an unauthorised access. The system was doing exactly what it was designed to do.
What they have there is an unauthorised disclosure. They had a duty of care regarding that data and they left it on a window sill where anyone could take a gander.