Thieves steal customer data from a craft business
On 30 January 2019, a goldsmith was brutally attacked in Halle (Saale). In addition to the jewellery, the robbers also looted contact details of numerous customers of the craft business.
SCENARIO: THIEVES STEAL CUSTOMER DATA FROM A GOLDSMITH IN HALLE.
A customer reports:
"Yesterday I happened to read an article in the paper about a robbed jewellery store in Halle (Saale). I thought, 'Wait a minute! You know the name!'
This was indeed the goldsmith to whom I had just sent several pieces to be refurbished. I did not hesitate long to call her. On the phone the agitated owner explained to me that during the robbery all the jewellery had been stolen from the safe, including the customer data written on it.
I was shocked. She also explained to me that although she had reported it to the police and her insurance company, as a precaution I should also inform my insurance company and report the damage. So I did.
I immediately called my girlfriend, who had also commissioned jewellery. Although she was concerned about the lost value of the jewellery, she was much more worried about her data, which was now in the possession of the thief. Name, address, phone number - all this information was kept together with the jewellery.
Besides, my girlfriend and I were going on vacation together tomorrow. But could we even leave our houses unattended? Or would our data be used for the thief's next raid?
An uneasiness was felt. My insurance company explained that they would not cover the damage. The police told me that they would be watching my safety. But what did that mean? That a policeman would watch my house? I don't think so. I felt left alone.
Although I had not used my data online carelessly, I was now feeling the effects of data theft. I learned that data security does not only affect online shops or social media, but all aspects of everyday life.
Because everyone who holds personal data is responsible for taking care of it. This raises the question: how could the data theft have been prevented? How quickly would I have been informed if I had not come across the incident in the press myself?
Does data security not have to be regulated by law? These are all questions that occupied me that night. We finally decided to go on holiday, but the bad feeling was still there."
What Robin Data says:
In this case, it seems at first sight that enough has been done for data protection: The customer data was kept in a safe together with the jewellery.
But real life has unfortunately struck in the form of a vicious robbery. The perpetrator obviously spied on the goldsmith and struck at the exact moment she opened the safe.
But even if the safe had been closed, the threat of a weapon would certainly have ensured that it was opened.
"This is an act of God!" one might say. However, data protection law gives a simple indication of how the customer data could have been protected; in this case that data is sensitive morally rather than legally.
Recommendation
The principle to be applied is called "pseudonymisation" and is required by the legislator in the context of the security of the processing of personal data under Article 32 GDPR, whenever it is proportionately feasible.
Pseudonymisation means that features which identify a person on a data carrier are replaced by a "pseudonym" (e.g. a code), which then makes identification of the person considerably more difficult. Only someone who knows the assignment of code to personal data can reverse this operation.
The application of this principle would also have made sense in the case of the goldsmith!
A good pseudonym for the goldsmith's case would have been the customer number. If she puts the jewellery in the safe with only a note of the customer number, the jewellery is lost in a robbery, but the customer addresses are still secure.
Ideally, this customer data is stored in a well-protected customer administration program and is secured with a strong password. In this case, the thief would then have to invest considerable effort to access the customer file in addition to the jewellery.
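The separation described above, sketched as an added example (not part of the original article or any Robin Data product): the note in the safe carries only a customer number, and the link to name, address and phone number lives in a separate registry. The class and function names, the "C-" number format and the sample customer are assumptions made for illustration.

```python
import secrets

# Fields that identify a person; these must never appear on the note in the safe.
IDENTIFYING_FIELDS = ("name", "address", "phone")


class CustomerRegistry:
    """Stands in for the protected customer administration program.

    It is the only place where customer number and identity are linked.
    """

    def __init__(self):
        self._by_number = {}

    def register(self, name, address, phone):
        # Random, non-sequential number: it cannot be derived from the
        # customer's name or the order date, and collisions are retried.
        while True:
            number = "C-" + secrets.token_hex(4).upper()
            if number not in self._by_number:
                break
        self._by_number[number] = {"name": name, "address": address, "phone": phone}
        return number

    def reidentify(self, number):
        # Reversing the pseudonym requires access to this mapping.
        return self._by_number[number]


def make_tag(customer_number, item_description):
    """Text written on the note stored with the jewellery in the safe."""
    return f"{customer_number} | {item_description}"


def tag_leaks_identity(tag, customer):
    """True if any identifying value of the customer appears on the note."""
    lowered = tag.lower()
    return any(customer[f].lower() in lowered for f in IDENTIFYING_FIELDS)


def demo():
    registry = CustomerRegistry()
    # Constructed sample customer, not real data.
    number = registry.register("Erika Mustermann", "Musterweg 1, 06108 Halle", "0345 000000")
    tag = make_tag(number, "gold ring, resize to 54")
    return registry, number, tag
```

A thief who takes the note learns the customer number and the item description only; the item description should therefore also be free of names or addresses.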
Conclusion
Sometimes simple methods help to implement data protection practically and safely, even for extreme situations.