Well-known regional e-commerce platform faces a data breach
In the past few days, one of the most important e-commerce platforms in Latin America suffered a security incident. This breach could have compromised the personal data of approximately 300,000 users.
According to reports, the platform’s source code was subject to unauthorized access. The company stated that, according to an initial investigation, there is no evidence that the infrastructure systems were compromised or that user passwords, account balances, investments, financial or payment card information were leaked.
Those responsible for the attack accessed the data of approximately 300,000 users as well as the company’s source code (repositories). A repository is a folder in the cloud with source code for software, a server or service that stores information.
The company activated security protocols and is conducting a thorough analysis of the attack. Because it is listed on the New York Stock Exchange and is part of the Nasdaq (index of technology companies), the company had to inform its investors about the incident.
In Argentina, Personal Data Protection Law No. 25,326 does not impose an obligation to report a data breach to the Agency for Access to Public Information (“AAPI”), the data protection controlling authority, or to the affected data subjects. However, Resolution 47/2018 of the AAPI recommends notifying the authority of a data breach. Specifically, this rule recommends submitting a report to the AAPI that includes: (i) the nature of the violation; (ii) the category of personal data affected; (iii) identification of affected users; (iv) measures taken by the controller to mitigate the incident; and (v) measures taken to prevent future data breaches. Moreover, Resolution 332/2020 of the AAPI recommends notifying data subjects of the data breach.
For further information contact: firstname.lastname@example.org.