It’s been reported that cloud kitchen platform Freshmenu has come under severe attack over allegations that it chose to keep under wraps a data breach two years ago that exposed the personal information of over 110,000 users. The incident from July 2016 was brought to light this week by data-breach tracker HaveIBeenPwned.com. As per HIBP, a breach in Freshmenu’s systems exposed personal data including names, email addresses, phone numbers, home addresses, and order histories.
Tim Mackey, Senior Technical Evangelist at Synopsys:
“Historically, organisations experiencing data breaches attempted to protect their brand reputation by failing to disclose any breach. In doing so, these organisations permitted successful malicious activity to continue because other organisations were effectively prevented from learning the techniques used by successful attacks. Lack of disclosure further prevented their users from being active participants in protecting their personal data from future attacks.
With GDPR, as described in Article 33(1), a 72-hour window was defined wherein the breached organisation is required to notify the appropriate regulatory body. The current draft of India’s Data Protection Bill lacks such a window, preferring instead for disclosures to the Data Protection Authority of India to occur when, as described in section 32(1), the breached organisation determines “such breach is likely to cause harm to any data principal”. Put another way, upon identifying that a breach has occurred, it is the breached entity’s responsibility to determine whether harm to a user or customer could occur, and only then would disclosure to regulators be required.
Such requirements are in direct conflict with the stated purpose of the Bill: “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy”. It is my hope that India’s regulators will reconcile this disconnect and mandate disclosures to the Data Protection Authority upon any data breach. Doing so would not only increase customer and user confidence, but also improve overall data security through sharing of learned experiences.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.