Last week Mercedes-Benz suffered a data breach attributable to external causes. The news came directly from the site of the well-known car manufacturer, through a press release. According to the German company, the impact appears to be rather limited, at around 1000 people.
What is a data breach and how can it happen
A data breach is a compromise of data that occurs through accidental or unlawful causes. It becomes more relevant, including for judicial purposes, when the compromised data includes personal data or data attributable to natural persons. Although it is tempting to attribute such an event to technological causes or malicious attacks, in reality there can be many reasons behind a data breach.
Human error, for example, can trigger an information leak. Just think of scheduled maintenance operations on parts of an infrastructure that leave it exposed to the Internet. Within moments, other people's data could become accessible without the necessary authentication and access controls. A similar event happened about a year ago at the site of the National Institute of Social Security (INPS). During the opening of the procedure for the request of citizenship income, for a period of time the portal showed personal data of other people in the clear, causing a data breach.
Similarly, internal staff motivated by blackmail or revenge could also be behind a data breach, exposing confidential data of a company's customers to the public.
The Mercedes-Benz case
What happened to the German car manufacturer, however, seems to be attributable to external causes, and in particular to a cloud service provider that inadvertently exposed personal information. It would appear that the company took immediate action thanks to an internal audit and the support of a group of external security experts. According to the information published on the site, the data involved are personal data entered by Mercedes customers on their portals in the period from 1 June 2014 to 19 June 2017.
The supplier has guaranteed that the security incident will never happen again and that the cause has been definitively remedied. However, the Mercedes-Benz data breach seems to have exposed a few driving licenses and, mostly, health care numbers, dates of birth and credit cards. Further checks also showed that, of the more than 1.6 million records stored in company systems, fewer than a thousand were involved in the leak.
What are the consequences after the Mercedes-Benz data breach
The consequences can vary widely and depend on the jurisdiction where the company is headquartered. In fact, the company involved is Mercedes-Benz USA and is therefore subject to American laws on the processing of personal data. Unlike the European Union, where the GDPR is in force, the United States has no single law; each state has its own legal framework on this issue.
However, the relevant laws are tightening around the world, albeit to varying degrees. In any case, in these circumstances the company is always required to notify the relevant authorities as soon as possible. For example, under the General Data Protection Regulation (GDPR) the notification must take place within 72 hours and, if it is late, the reason for the delay must also be reported.
Furthermore, it will also be necessary to establish the origin of the data processed, because a company that operates in several countries has to comply with the laws of those countries at the same time. Finally, it is probable (although this varies according to the laws) that a pecuniary sanction will also be imposed, to varying degrees depending on the type of company.
In conclusion, data breaches are increasingly widespread events that must be limited as much as possible. Furthermore, national regulators are paying more and more attention to this issue, guaranteeing greater protection of potentially vulnerable citizens.