It has been revealed that more than 200,000 Australians are likely to have been affected by the recent Timehop data breach.
How did the breach occur?
On 5 July 2018, the social media app company announced it had experienced a network intrusion resulting in the personal data of up to 21 million users being accessed, including the following combinations:
- 6 million names and email addresses.
- 6 million names, email addresses and dates of birth.
- 4 million names, email addresses and phone numbers.
An access credential to Timehop’s Cloud computing environment had not been protected by multi-factor authentication and was compromised on 19 December 2017.
PII (personally identifiable information) was not stolen until 4 July after Timehop employees migrated a database containing PII to the Cloud computing environment.
The Australian Financial Review has revealed that Timehop has “about 208,000 Australian users and […] had discovered that country codes and genders of some users had also been breached”.
The criminal hackers also compromised encryption keys used to encrypt or decrypt data, allowing them to access and show users’ social media content. These keys can no longer be used and users must ‘re-authenticate’ the app to view their social media posts.
Timehop’s response to the breach
In a statement on its website, Timehop said: “As soon as the incident was recognized we began a program of security upgrades.
“We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment.
“We immediately began actions to deauthorize compromised access tokens, and as we describe below, are worked [sic] with our partners to determine whether any of the keys have been used. We will employ the latest encryption techniques in our databases.”
Timehop also said it had “been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized”.
What could be the consequences of this breach for Timehop?
Timehop’s statement is very open about the fact that millions of users “in the GDPR zone” have been affected by the breach.
The EU GDPR (General Data Protection Regulation) came into force on 25 May 2018, and its scope extends around the world to every organisation that processes EU residents’ personal data.
Data processors are required to report all personal data breaches to data controllers, and data controllers are required to report breaches to the supervisory authority within 72 hours of their discovery if there is a risk to data subjects’ rights and freedoms.
Data subjects themselves must be notified without undue delay if there is a high risk to their rights and freedoms.
Failure to do so risks an administrative fine of up to €10 million (about AUD$15.8m) or 2% of annual global turnover (whichever is greater) – the lower tier of GDPR fines.
For other GDPR infringements relating to data processing, organisations risk administrative fines of up to €20 million (about AUD$31.6m) or 4% of annual global turnover (again, whichever is greater).
GDPR compliance checklist
Asia-Pacific companies with any connection to Europe – whether through subsidiaries, customers or suppliers – need to take steps to determine whether the GDPR is applicable to them, and to consider revising their information handling processes to ensure compliance.
IT Governance has put together a GDPR compliance checklist to help understand the essential steps you need to take to demonstrate compliance. In some cases, these GDPR compliance steps will supplement existing measures that many organisations adopt to comply with national laws in Asia-Pacific, including Australia’s NDB (Notifiable Data Breaches) scheme and the Australian Privacy Act 1988.