Personal data of millions of Dutch citizens may have been stolen from a company that offers IT services to car garages. There are reportedly 7.3 million stolen data points, although the exact number remains unclear. The stolen data includes name and address details, license plates, telephone numbers, dates of birth, and email addresses. Based on this information, criminals could, for example, see who owns expensive cars and where these people live, but identity fraud, WhatsApp fraud, and spoofing are also lurking around the corner. It is believed to be one of the largest Dutch data breaches ever.
Data processor files notification immediately
The leak originated at the IT company RDC. This company offers garages the option to automatically email customers when it is time for their vehicle inspection. It is not yet clear how the data was stolen, but according to RDC, there was no hack involved. It was the NOS that uncovered the data leak after the data was offered for $35,000 on a hacker forum. After the NOS informed the company, it immediately filed a report with the Dutch Data Protection Authority. Such a formal notification is mandatory in the event of a data leak, even when the information is already publicly known through the press.
In the meantime, it appears that RDC is taking the leak seriously. For instance, it has brought in Fox-IT, a network security expert, to investigate how the data was leaked. Additionally, it is tasked with helping to prevent future leaks.
Affected car companies must take action themselves
All affected car companies have been notified. They are also required to report to the Dutch Data Protection Authority. A collective notification is not permitted. Furthermore, RDC is not allowed to notify affected consumers itself. This is because the car company is the data controller and has a contractual relationship with the consumer. In this context, RDC is a third party authorized to process this data for the car company via a data processing agreement, but with respect to the consumer, the responsibility lies with the car companies.
Car companies would indeed be wise to inform their customers. The Dutch Data Protection Authority has previously indicated that when a breach poses a high risk, the controller must notify the data subjects without delay. Whether or not a high risk exists is a matter of fact. This takes into account, among other things, the number of affected individuals, the ease with which individuals can be identified, the severity of the consequences, and the scope and sensitivity of the leaked personal data. In this specific situation, it is indeed advisable to formally notify customers of the data breach. RDC has reportedly already prepared a message for the car companies in their digital environment. Naturally, controllers may also use a different message.
Responsibility for data breaches
Although the investigation is still in full swing, there is something we can already question. For instance, data regarding cars that visited a garage more than ten years ago has reportedly been leaked. This is despite the fact that the data was collected in late 2018 and early 2019. Nevertheless, with the arrival of the GDPR, it has become even more important to delete personal data in a timely manner. If it ultimately turns out that mistakes were made, which is not yet clear, the Data Protection Authority can intervene and impose fines.