Breached online firm Timehop has revealed more details about a security incident which affected 21 million people, which will be an interesting test case for GDPR regulators.
The firm originally said it discovered a network intrusion on July 4 resulting in the compromise of names, email addresses and phone numbers.
However, in an update on Wednesday it claimed the breached data also included dates of birth, gender of customers and country codes.
It provided a handy breakdown of which breached records were in scope for the GDPR, including 2.9 million name and email address combinations and 2.2 million name, email address and DOB records.
The firm admitted “messing up” with its incident response.
“In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything,” it said.
“With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed.”
It will be interesting to see whether Timehop’s efforts at transparency appease regulators, given that it failed to spot the initial unauthorized use of one of its admin’s credentials to log in to a third-party cloud platform on December 19, 2017.
After creating a new admin account, the hacker logged in on three separate occasions looking for PII, according to Timehop. By the time of a fourth login at the end of June, PII had unwittingly been moved into the cloud environment. The attacker then waited until the July 4 holiday before logging in again and stealing the database.
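The sequence above (a stolen admin credential used on a cloud console, a new admin account created, repeated logins, PII arriving in the environment, then a holiday login and export) leaves several distinct marks in cloud audit logs. The following is an added detection sketch, not Timehop's code or logs: it runs four simple rules over a constructed event list whose schema (`ts`, `actor`, `action`, `target`, `src`), baseline sets and holiday calendar are all assumptions, and shows that the very first misuse on December 19 would already have produced an alert under a "first login from an unknown address" rule.

```python
from collections import Counter
from datetime import date, datetime

# Constructed baseline (hypothetical): addresses each admin normally logs in
# from, service principals allowed to read PII tables, the PII tables, and the
# holiday calendar plus working hours used by the off-hours rule.
KNOWN_SOURCES = {"alice.admin": {"198.51.100.4"}}
PII_ALLOWED = {"etl-service"}
PII_TABLES = {"users_pii"}
HOLIDAYS = {date(2018, 7, 4)}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59, hypothetical local working day

# Constructed audit events (hypothetical schema), modelled on the sequence the
# article describes. The benign alice.admin login on 2018-07-02 is included so
# that a normal login from a known address produces no alert.
EVENTS = [
    {"ts": "2017-12-19T03:12:00", "actor": "alice.admin", "action": "login", "src": "203.0.113.7"},
    {"ts": "2017-12-19T03:15:00", "actor": "alice.admin", "action": "create_user", "target": "svc-backup2"},
    {"ts": "2017-12-19T03:16:00", "actor": "alice.admin", "action": "grant_role", "target": "svc-backup2:admin"},
    {"ts": "2018-01-10T02:00:00", "actor": "svc-backup2", "action": "login", "src": "203.0.113.7"},
    {"ts": "2018-03-02T02:30:00", "actor": "svc-backup2", "action": "login", "src": "203.0.113.7"},
    {"ts": "2018-05-15T01:45:00", "actor": "svc-backup2", "action": "login", "src": "203.0.113.7"},
    {"ts": "2018-06-28T23:10:00", "actor": "svc-backup2", "action": "login", "src": "203.0.113.7"},
    {"ts": "2018-06-28T23:12:00", "actor": "svc-backup2", "action": "read_table", "target": "users_pii"},
    {"ts": "2018-07-02T10:00:00", "actor": "alice.admin", "action": "login", "src": "198.51.100.4"},
    {"ts": "2018-07-04T14:00:00", "actor": "svc-backup2", "action": "login", "src": "203.0.113.7"},
    {"ts": "2018-07-04T14:05:00", "actor": "svc-backup2", "action": "export_db", "target": "users_pii"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events, known_sources=KNOWN_SOURCES):
    """Run the four rules over the events in time order.

    Returns a list of alerts, each a tuple (rule, ts, actor, detail).
    """
    alerts = []
    seen = {actor: set(srcs) for actor, srcs in known_sources.items()}
    created = set()  # accounts created inside this log window
    for e in sorted(events, key=_ts):
        ts, actor, action = _ts(e), e["actor"], e["action"]
        target = e.get("target", "")
        if action == "login":
            src = e["src"]
            # Rule 1: login from an address never seen for this principal.
            if src not in seen.setdefault(actor, set()):
                alerts.append(("new_login_source", e["ts"], actor, src))
                seen[actor].add(src)
            # Rule 4: console login on a holiday or outside working hours.
            if ts.date() in HOLIDAYS or ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_login", e["ts"], actor, src))
        elif action == "create_user":
            created.add(target)
        elif action == "grant_role":
            user, _, role = target.partition(":")
            # Rule 2: a freshly created account is granted an admin role.
            if role == "admin" and user in created:
                alerts.append(("new_admin_account", e["ts"], actor, user))
        elif action in ("read_table", "export_db") and target in PII_TABLES:
            # Rule 3: a PII table touched by a principal outside the allow-list.
            if actor not in PII_ALLOWED:
                alerts.append(("pii_access_unexpected_principal", e["ts"], actor, f"{action}:{target}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'new_login_source': 2, ...}."""
    return dict(Counter(a[0] for a in alerts))


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, ts, actor, detail in found:
        print(f"{ts}  {rule:32} {actor:12} {detail}")
    print(summarize(found))
```

The point of the exercise is coverage over time rather than any single clever rule: the first alert lands on the December 19 login, the admin-role grant fires minutes later, and every later step (off-hours logins, the first read of the PII table, the holiday export) is caught by at least one rule, so a team reviewing these alerts would have had months of warning before the July 4 theft.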
The ICO has said in the past that “those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”