The article talks about notifications and risks to customers of Apollo, but it's not the customers' data that was stolen... It was that of 200 MILLION people who probably never opted into having their contact information packaged and sold to third parties.
Does it apply if they are business contacts (business address/phone number)? After all your company-issued phone isn't personal to you -- it identifies a role ("the purchasing manager for foobartronix") and if you leave that number will reach someone else.
I don't know how the "compliance world" treats that, but I bet it's a loophole many many people are trying to squeeze through.
(I do actually consider it personal to you. And I am a fan of what GDPR is trying to accomplish, in principle, but it's clear the law doesn't really work yet).
That's a really important thing to note. Consumer protection laws don't generally stretch to business contexts. And that's true in a lot of areas - from banking regulations to federal do not call laws. Many B2B marketing companies exist in that gray area, with dubious chains of opt in guarantees that shift liability around in case it comes to it. But it never comes to it, because there just isn't the same level of freely accessible recourse channels available for B2B-oriented concerns.
GDPR has a broader definition of PII than is used in the US, and includes any data that can potentially be used to identify an individual (even IP address), so it’s almost certain that it is within scope.
Here is the actual text of GDPR (there are many sites, hosted at .eu domains, that claim to tell you what the legislation says, but why not read the published law? I chose English as HN is an English-language site): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32...
My read is that the text of the law doesn't apply to people acting on behalf of a corporation, in their corporate persona (but this is why I linked to the text itself and not someone else's interpretation. It's not that long).
The law talks about identifying a person in their personal sphere (doesn't apply to being in your home; talks about ties to fundamental human rights, genetic and health info, etc) or things like credit approval, and many many many exceptions for "national security" and "legal" uses. It clearly does apply to what your employer knows about you!
Normally I hate these kind of hair-splitting "gotcha" cases I write up below, so I feel weird typing them. But the economic value is so high and frankly some of the use, and abuse, cases so clear, I wonder. It's still early days for GDPR so these questions are, at the moment, rhetorical.
Here's an example: part (26) says, "The principles of data protection should apply to any information concerning an identified or identifiable natural person." But if I call a company the telephone receptionist will answer and I will know I can reach them by calling that number. If they have three I know I can reach the one I want to by calling repeatedly. Yet you don't want to prevent publication of company phone numbers (and what about suppressing them until the receptionist leaves -- that leaks personal info too). (the section is actually about pseudonymisation BTW).
Likewise per your example of IP addresses (in 30) If a company uses NAT then the company's IP address does not identify any single person, though it could be presumed to identify a particular subset. (adding IP address to other info could ID one person, and that is covered in 30)
If I remember correctly it was mainly scraped LinkedIn data and then they were getting emails either from LinkedIn or some other source and pairing them with the profiles (used their product approx 1yr ago so may have changed). Don't think those random LinkedIn users ever opted into it but maybe there was something in the LinkedIn terms that allowed 3rd parties to do that (or not). But I do remember after I moved to the EU and tried to sign up for Apollo/Zen Prospect for a new venture they said they wouldn't sell me the service because I was in Germany.
This smells like someone leaving a DB open to the world (remember the old MongoDB open by default?)
I think stealing a whole database raises very serious questions as to how technically this was done and how would you prevent this at your company.
Unfortunately "transparency first" aside, companies don't usually release this information which leaves us all wondering how we can better protect our users (outside of having sane defaults, closed by default, no ssh, private networks etc...).
You would be surprised to find out how many large companies (i.e. top 500) lost their databases, banks included. Many can be googled but most never made it public or didn't even know what happened to them. Chances are that your contact data has been leaked by several parties already. My conclusion is that you can't secure data unless you make a goal of that and even then it's not a sure thing. All your private networks have multiple public entry points and possibly a coordinator (i.e. kubernetes admin). Most ecommerce companies and even payment processing companies think of security as an accessory to their business not a primary concern. If they are too focused on security they lose market share (i.e. the vetting takes too much time). The only solution is to consider all unencrypted data public and use encryption at the client level (i.e. mobile device).
So this must be the database that hundreds of relentless SAAS Sales Reps use to send me emails like "Hi there, wanted to bubble this up in your inbox and see if you'd be interested in a convo about your site and how we can increase xxx% revenue with our yyyy solution"
Oh you just wait! If you haven't gotten one of these yet, the latest version of this is that they actually send a calendar invitation (through a 3rd party service) for a meeting out of the blue. Gmail will helpfully pencil that time in on your calendar automatically until you go in and delete the event. This prevents legit meetings from being scheduled since people are afraid you have some important sales call. If you're absent minded and click "No" to your RSVP, they know you saw it! Blech!
These articles are always a little frustrating, especially to those of us who aren't familiar with data management on that scale. For example, how was the breach carried out? How did the company know it occurred? Was there something the company should have done, but didn't?
I understand why those details don't make it into the media, but it's hard not to be curious about it.
It's probably kept secret because if we knew how easy it was to steal their data that would be bad for their image. Most companies have little to no security other than "no one will think to request this url". Could be a past or present employee who knows all the unprotected systems and wanted to make some extra money selling the data.
The details usually are that someone left ssh wide open, someone else had a look at the logs and thought 'Gee I don't think we should have anyone logging in from Belarus', and hiring competent people with enough resources would have prevented this.
> Apollo’s database contains publicly available data, including names, job titles, employers, social media handles, phone numbers and email addresses. It doesn’t include Social Security numbers, financial data or email addresses and passwords, Apollo said.
Eh? So are email addresses included or not? They’re listed in both categories.
Based on the grammatical structure of the second sentence, it sounds like their [email,password] pairs weren't lost, while emails alone may have been.
Can someone with more experience of these things tell me how these breaches are discovered, and how they know what information was taken? I presume it's not an exact science.
Not overly experienced with this, but years ago we used to add honeypot email addresses to our databases for a super simple & cheap way to at least get an idea of whether data had been exfiltrated. If you add a new email once a month you can get some 'timing' info, and then could start comparing against logs.
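A minimal version of the canary-address scheme described in the comment above, written as an added example (not code from the thread): one unique address is seeded per month, inbound-mail logs are scanned for those addresses, and the set of addresses that started receiving mail bounds when the copy was taken. The addresses, dates and log lines are constructed.

```python
from datetime import date

# Constructed: one canary address seeded into the customer table each month,
# mapped to its insertion date. Each address is used nowhere else.
CANARIES = {
    "canary-2018-01@example.com": date(2018, 1, 1),
    "canary-2018-02@example.com": date(2018, 2, 1),
    "canary-2018-03@example.com": date(2018, 3, 1),
    "canary-2018-04@example.com": date(2018, 4, 1),
    "canary-2018-05@example.com": date(2018, 5, 1),
}

# Constructed inbound-mail log lines (hypothetical format: space-separated key=value).
SAMPLE_LOG = [
    "2018-06-12T09:14:02Z rcpt=canary-2018-01@example.com from=sales@vendor.test status=accepted",
    "2018-06-12T09:14:05Z rcpt=alice@example.com from=bob@example.com status=accepted",
    "2018-06-13T11:02:41Z rcpt=canary-2018-03@example.com from=promo@vendor.test status=accepted",
    "2018-06-14T16:30:09Z rcpt=canary-2018-02@example.com from=promo@vendor.test status=accepted",
]

def hits_from_log(log_lines, canaries=CANARIES):
    """Return the set of canary addresses that appear as recipients in the log."""
    hit = set()
    for line in log_lines:
        for field in line.split():
            if field.startswith("rcpt=") and field[5:] in canaries:
                hit.add(field[5:])
    return hit

def exfil_window(hit_addresses, canaries=CANARIES):
    """Bound when the data was copied: after the newest hit canary was inserted
    and before the next canary (which never received mail) was inserted.
    Returns (lower, upper) with upper=None if every canary was hit, or None if no hit."""
    hit_dates = sorted(canaries[a] for a in hit_addresses if a in canaries)
    if not hit_dates:
        return None
    newest_hit = hit_dates[-1]
    later = sorted(d for d in canaries.values() if d > newest_hit)
    return (newest_hit, later[0] if later else None)

def missing_before_newest(hit_addresses, canaries=CANARIES):
    """Canaries older than the newest hit that never received mail. A gap means
    the window estimate is unreliable (partial copy, filtering, or a second leak)."""
    hit_dates = {canaries[a] for a in hit_addresses if a in canaries}
    if not hit_dates:
        return []
    newest_hit = max(hit_dates)
    return sorted(d for d in canaries.values() if d < newest_hit and d not in hit_dates)
```

With the sample log, canaries from January to March were hit and April was not, so the copy was taken between 2018-03-01 and 2018-04-01; a later hit on the April canary would move the window forward.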
yeah, if you're absolutely inept and have insufficient logging/monitoring, you can't even tell how bad you'd been screwed. kinda like a Dunning Kruger effect of sorts
Some execs also think it's better not to know because they think they won't be responsible then. I have seen this with managers opposing pen testing because they were worried about the consequences of finding vulnerabilities.
"The email said that company said the breach was discovered weeks after system upgrades in July."
Wow. They emailed customers but made no public announcement that people's email addresses and personal info had been stolen and now available on the black market.
This is absolutely atrocious incident management and disclosure. I smell a lawsuit, possibly from the state or federal government.
If you want to do something about this (and other) negligible organizations, head over to https://opt-out.eu, search for Apollo, and the site will generate a GDPR erasure request that you can send. Disclaimer: I'm one of the site's creators.
> Apollo’s database contains publicly available data, including names, job titles, employers, social media handles, phone numbers and email addresses. It doesn’t include Social Security numbers, financial data or email addresses and passwords, Apollo said.
I have just read an article that might be useful for everyone who has received multiple calls from legit businesses at http://www.whycall.me/news/my-4500-payday-from-a-telemarkete.... It's quite difficult, but I think if we could win against those telemarketers, it will feel really good.
Isn't that data freely available already on their website? It looks like you can get full name, company, position just by creating a free account. Maybe they just scraped it.