In a provision adopted against one of the main national providers of e-mail services, the Italian Data Protection Authority stated that data breach communications to users must not be generic and must provide precise instructions on how users can protect themselves from unlawful use of their data, first of all from identity theft.
In this specific case, the company involved will have to promptly issue a new notification of the data breach suffered by about one and a half million users regarding the fraudulent access to their e-mail accounts. The new communication must contain a description of the violation and its possible consequences and, in addition, must provide users with precise indications on the steps to take to avoid further risks. So, for example, users should be warned to stop using compromised credentials and to change stolen passwords if they are also used to access other services.
The decision was taken by the Authority in the context of a procedure started following the data breach notification sent by the company. In its notification, the company stated that on 20th February 2019 a fraudulent access had been detected through a Wi-Fi hotspot, resulting in the compromise of about one and a half million webmail user credentials. To contain the possible consequences of the data breach, the company had “forced” users to reset their passwords and had set up a dedicated page on its website to inform users of the violation.
In order to communicate the data breach, the company later sent e-mails to all those affected by the incident, which, however, the Authority considered to be inadequate and not in accordance with the legislation on data protection. In fact, the company had sent two different communications depending on whether or not the user had changed their password within 48 hours of the notification of the data breach. In both cases the data breach was described as “anomalous activity on the systems”; to those customers who had changed their password the company suggested no further remedial action, declaring that the password change had made the previous credentials unusable. To those who had not yet done so, the company only suggested changing their password so as to “eliminate the risk of undesirable access to accounts”. The Authority considered this kind of information insufficient, given the possible and serious risks to which users had been exposed.