Data Protection Academy » Data Protection News » Thieves steal customer data from a craft business
Thieves steal customer data from a craft business
On 30 January 2019, a goldsmith was brutally attacked in Halle (Saale). In addition to the jewellery, the robbers also looted contact details of numerous customers of the craft business.
SCENARIO: THIEVES STEAL CUSTOMER DATA FROM A GOLDSMITH IN HALLE.
A customer reports:
"Yesterday I happened to read an article in the paper about a robbed jewelry store in Halle Saale. I thought, "Wait a minute! You know the name!"
This was indeed the goldsmith, with whom I had just sent several pieces to be refurbished. I did not hesitate long to call her. On the phone the agitated owner explained to me that during the robbery all the jewellery had been stolen from the safe, including the customer data written on it.
I was shocked. She also explained to me that although she had reported it to the police and her insurance company, as a precaution I should also inform my insurance company and report the damage. So I did.
I immediately called my girlfriend, who had also commissioned jewellery. Although she was concerned about the lost value of the jewellery, she was much more worried about her data, which was now in the possession of the thief. Name, address, phone number - all this information was kept together with the jewellery.
Besides, my girlfriend and I were going on vacation together tomorrow. But could we even leave our houses unattended? Or would our data be used for the thief's next raid?
An uneasiness was felt. My insurance company explained that they would not cover the damage. The police told me that they would be watching my safety. But what did that mean? That a policeman would watch my house? I don't think so. I felt left alone.
Although I had not used my data online carelessly, I was now feeling the effects of data theft. I learned that data security does not only affect online shops or social media, but all aspects of everyday life.
Because every person personal data is responsible for taking care of them. This begs the question: how could the data theft have been prevented? How quickly would I have been informed if I had not come across the incident in the press myself?
Does data security not have to be regulated by law? These are all questions that occupied me that night. We finally decided to go on holiday, but the bad feeling was still there."
External Data Protection Officer
You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.
What Robin Data says:
In this case, it seems at first sight that enough has been done for data protection: The customer data was kept in a safe together with the jewellery.
But real life has unfortunately struck in the form of a vicious robbery. The perpetrator obviously spied on the goldsmith and struck at the exact moment she opened the safe.
But even if the safe had been closed, the threat of a weapon would certainly have ensured that the safe would have been opened.
“Das ist höhere Gewalt!” könnte man nun sagen. Aber: das Datenschutzrecht gibt einen einfachen Hinweis, wie man die in diesem Fall die zwar nicht rechtlich aber moralisch sensiblen Kundendaten hätte schützen können.
Recommendation
Das anzuwendende Prinzip nennt sich “Pseudonymisierung” und wird im Kontext der Sicherheit der Verarbeitung von personenbezogenen Daten nach Artikel 32 DSGVO vom Gesetzgeber gefordert, wann immer es verhältnismäßig umsetzbar ist.
Pseudonymisierung bedeutet, dass Merkmale die eine Person identifizieren auf einem Datenträger durch ein “Pseudonym” (z. B. Code) ersetzt werden, die dann Identifikation der Person deutlich erschweren. Derjenige der die Zuordnung von Code und personenbezogenem Datum kennt, kann diese Operation rückgängig machen.
The application of this principle would also have made sense in the case of the goldsmith!
A good pseudonym for the goldsmith's case would have been the customer number. If she puts the jewellery in the safe with only a note of the customer number, the jewellery is lost in a robbery, but the customer addresses are still secure.
Ideally, this customer data is stored in a well-protected customer administration program and is provided with a secure password. In this case, the thief would then have to invest considerable effort to access the customer file in addition to the jewellery.
Conclusion
Sometimes simple methods help to implement data protection practically and safely, even for extreme situations.
- Internal control system - 10 September 2024
- TISAX requirements: Prepare certification step by step - 8 January 2024
- Audit management: Implementing audits more efficiently - 26 October 2023
This might interest you too:
https://media.robin-data.io/2020/05/29101239/Whatsapp.jpg
343
685
Caroline Schwabe
https://media.robin-data.io/2022/07/05140916/Robin-Data_ComplianceOS_white_logo.png
Caroline Schwabe2021-05-15 11:17:202022-12-06 14:13:52WhatsApp and privacy
https://media.robin-data.io/2022/05/23150704/homeoffice.jpg
341
685
Ulrich Hottelet
https://media.robin-data.io/2022/07/05140916/Robin-Data_ComplianceOS_white_logo.png
Ulrich Hottelet2020-03-26 14:24:282024-10-24 13:49:44Data protection and data security while working from home
https://media.robin-data.io/2022/05/23150651/Zusammenarbeit-2.jpg
341
685
Ulrich Hottelet
https://media.robin-data.io/2022/07/05140916/Robin-Data_ComplianceOS_white_logo.png
Ulrich Hottelet2020-03-09 09:04:232024-10-24 13:56:35Use of social networks by public authorities
