How bad is this data breach exactly?
In any case, it is large. It concerns 7.3 million records containing traceable personal data, although the same person can appear several times in the dataset. According to the Dutch Data Protection Authority, this may be the most serious data breach the privacy watchdog has ever registered.
The exact impact depends largely on what is ultimately offered for sale from the breach. The cybercriminals who hold the data have not yet sold the dataset.
How do I know if I have been affected by the leak?
That too cannot be said yet: RDC does not yet know exactly whose data has been leaked. Customers of car companies often cannot tell whether their data is stored at RDC or with another supplier.
RDC itself will not inform those affected, but affiliated car companies can do so, the company says. “We have sent a template email to affiliated car companies that they can send.”
Why do companies store this type of information?
It is important for companies to know who they are doing business with. They may also e-mail customers, for example to make them new offers or, in this case, to remind them that their MOT is due. Contact information is required for this.
But they do sometimes lose track of how long information is retained, says professor of ICT law Frederik Zuiderveen Borgesius. “According to the law, you should not keep information longer than is strictly necessary,” says Zuiderveen Borgesius.
Exactly how long that is remains the question. But the RDC dataset also includes data from people who visited a garage more than ten years ago. “I can’t imagine what that would be needed for,” says the privacy expert. Companies should delete such information after a while.
“Many organizations think that throwing information away is more dangerous than keeping it,” he says. “But for the law it is the other way around.” In this case, the data are relevant according to RDC. “If a car is still driving, the data is of added value and you can keep it.”
What are the consequences for the company that leaked the data?
That cannot be said yet. The Dutch Data Protection Authority is in contact with the company in question, but will not say whether a formal investigation is under way. The privacy watchdog can impose heavy fines: for example, the credit registry BKR was fined 830,000 euros because it obstructed people’s right of access to their own data.
Since this is a potentially unprecedented data breach, the obvious question is whether a high fine will follow. The privacy watchdog believes it is still too early for that question; a lot also depends on the exact circumstances.