E-commerce platform data breach
Software developer data breach
Data breach notification obligation
Comment
Recently, two large companies have faced security incidents in Argentina. Remote working during the pandemic has increased the use of IT solutions, which has exposed many companies to a higher level of security risk. Both events discussed in this article were caused by unauthorised access to the companies' source code.
E-commerce platform data breach
A recent e-commerce platform data breach could have compromised the personal data of approximately 300,000 users, as well as the company's source code (repositories). The company has stated that, according to an initial investigation, there is no evidence that the infrastructure systems were compromised or that any of the following data was leaked:
- user passwords;
- account balances;
- investments; and
- financial and payment card information.
However, as the firm is listed on the NASDAQ (the index of technology companies), investors had to be informed of the incident.
Software developer data breach
A software developer and technological solutions company was attacked by LAPSUS$, a cyber-hacking organisation. According to reports, the organisation leaked 70 gigabits of data and master passwords for access to a considerable number of internal services. The breach affected information about important clients. In response, the company stated in a press release that it had activated all security protocols and initiated an exhaustive investigation.
Data breach notification obligation
In Argentina, Personal Data Protection Law No. 25,326 does not impose an obligation to report a data breach to the Agency for Access to Public Information (AAPI), which is the controlling authority for this law, or to the data subjects affected.
However, Resolution 47/2018 of the AAPI recommends notifying the authority of data breaches. Indeed, this rule recommends submitting a report to the AAPI that includes:
- the nature of the violation;
- the category of personal data affected;
- the identification of affected users;
- the measures taken by the controller to mitigate the incident; and
- the measures taken to prevent future data breaches.
Moreover, AAPI's Resolution 332/2020 on guidelines regarding AAPI's inspections provides for notification of a data breach to data subjects and the data protection supervisory authority.
Comment
As security incidents have been increasing lately, it is crucial that companies implement appropriate policies and procedures that comply with local regulations and international standards.
For further information on this topic please contact Mariano Peruzzotti, Mateo Darget or Andrea Sanchez Vicentini at Ojam Bullrich Flanzbaum by telephone (+54 11 4549-4900). The Ojam Bullrich Flanzbaum website can be accessed at www.ojambf.com.