Outcomes - Selected Case Summaries



“White hat hacker” informs bank of security breach

Informal Resolution | 26 March 2020

A disk drive belonging to a bank’s data processor was hacked by a so-called ‘white hat hacker’ who sent the bank a few files to show certain weaknesses in their security setup. The hacker demonstrated that the breach was contained and shared information on how the drive had been accessed. Most of the data on the drive was of a technical nature, but some files contained personal data belonging to approximately 1,800 bank customers, including email addresses, active login names, ID codes and account numbers and balances, but no passwords. The hacker claimed, and this was later confirmed, not to have copied any files containing personal data.

The data controller notified the customers who were potential victims of the breach using the online banking platform’s internal messaging system, and followed up with a second notice informing the data subjects of the various forms of online fraud they may encounter, also suggesting additional mitigation actions, in accordance with the statutory requirements of the DPL.

All remote access granted to the data processor was revoked and a secure erase was performed on the hard disk drive once the investigation into the breach had been completed. The bank took measures to strengthen its compliance with the seventh data protection principle, e.g. by arranging ongoing online monitoring by an IT security company and the replacement of login details for the internet banking platform, portfolio ID numbers and account numbers. We concluded that there was no evidence that personal data had been breached, and the incident was therefore considered a security breach rather than a personal data breach and the case was closed.