When 15 million customers have to be informed that all their data including chat history, personal preferences and credit card ended up on the net... from a porn website, of all things.

The obligation to notify in the event of a data breach under Art. 33 and 34 of the GDPR can be a disaster for the data subject.

This article was first published at ITK SECURITY.

Last update 7 months ago by Patrick Ruppelt

Reading time: 3 minutes

How the World¹⁾ today, the largest provider of live porn streams "Cam4" has put all kinds of sensitive data of users unprotected on the net.

A total of 10.8 billion records with details of email addresses, credit card information of around 15 million users as well as entire chat histories and details of sexual preferences. It's a piece of cake to match that with Facebook, Instagram, Xing and LinkedIn.

Interestingly, the headquarters of Granity Entertainment DAC, the company that operates "Cam4", is located in Dublin, Ireland. In this respect, it will be interesting to see how Granity intends to evade the provisions of the GDPR. There is actually no justification for not acting in accordance with the European regulations and immediately informing all those affected about the incident.

Perhaps the way to go is to book a 1/1 page in a daily newspaper with sufficient coverage in each affected country and publicise it there. In Germany, that would (as far as I know) currently only be the FAZ, which comes into question for such a special "substitute report". And whether that is really justifiable - after all, Granity has all the contact details and can inform all those affected without any problems - that would then also have to be clarified. Let's see if a whole page is devoted to this tomorrow in the FAZ, then we'll know more.

Otherwise, the only option is to inform each user individually about the data breach.

But do the users like it that much? Especially when the wife also looks in the mailbox and sees what young hops and sex fantasies the faithful spouse is into, that's a completely different question.

∞

Update 8.8.2020: The provider Cam4 has pointed us to its counterstatement. You can find this here²⁾.

The rebuttal states:

Developers and security specialists were immediately deployed to investigate further and the team concluded beyond doubt that absolutely no personally identifiable information, including names, addresses, emails, IP addresses or financial information, was unlawfully accessible by anyone outside of SafetyDetectives and CAM4's investigators.

This is nicely packaged for marketing purposes, as it gives the impression that everything was not so bad. But that is only half the truth.

It was only because the security researchers from SafetyDetectives handled the find so trustingly and only extracted a few data records as examples that greater damage was averted. However, the data was indeed accessible and all the company's protective mechanisms failed. The data leak existed exactly as we described it.

Just as well a "common hacker" could have found the data sets and downloaded them illegally. Just because this didn't happen due to a lucky coincidence doesn't mean that everything was all right.

List of sources

↑1	https://www.welt.de/wirtschaft/article207787719/Datenleck-Warum-15-Millionen-Nutzer-eines-Pornoportals-bald-Post-bekommen-koennten.html
↑2	https://cam4.de.com/magazin/cam4-reagiert-auf-vorwuerfe-von-sicherheitsverletzungen/