A large data leak in March affected the Brazilian platform James Delivery and 13 more companies from various sectors. Altogether, 132,957,579 users from around the world were exposed in a database that criminals began selling in June this year for prices ranging from $100 to $1,100, according to Binary Defense.
As for James Delivery, there are a total of about 1.5 million profiles, including e-mail addresses, passwords and locations. Contacted by TecMundo, the company states that “security is a priority topic for the company”, adding that it has “a strict internal information security policy, with a fully dedicated team, responsible for making frequent updates to its systems.” The concern is not unfounded.
Brazilian company James Delivery is affected by data leakage. Source: Reproduction
Luís Fernando Prado, a lawyer specializing in Digital Law, Privacy and Data Protection, explained to our team that, with the General Data Protection Law (LGPD) in force, the legislation provides for some actions that must be taken, even if they do not necessarily apply to this situation, which would require further analysis.
“In the case of data leaks, a company needs to communicate the fact to the affected holders and explain what happened and what it is doing to minimize the consequences of this exposure. To give satisfaction. It is in the law, it is a legal obligation. In other words, studies show that companies, when they are more transparent and proactive in this communication, end up suffering less reputational damage and even in the regulatory sphere”, he says.
“If [the situation] subjects people to risk, it is necessary to notify the national data protection authority, which may open an administrative investigation to understand what happened”, he adds.
Ideally, users should be informed of cases like this. Source: Pexels
Each case is different
To reassure its users, James Delivery says that, “faced with daily prevention routines and any indication of possible fragility, the company acts immediately, in order to mitigate possible damages and promote improvements in the existing controls”, adding that “financial and banking data are not stored in the company’s databases and that passwords are securely encrypted.” In any case, the LGPD would not yet have force over what happened.
“The company would be subject to sanctions, but it is foreseen that they will only enter into force in August of next year, contemplating fines, data exclusion, publication of the event in mass media and others. But that only applies from that period”, says Luís Fernando. Even so, the company is not free from possible lawsuits filed by its consumers. “I would have to see if, in fact, there was any damage to be compensated. It is on a case-by-case basis,” he stresses.
It is up to companies to assess the risks. Source: Pexels
Finally, since the incident predates the LGPD, none of this applies to the leak, which serves as a warning for similar events in the future. “The obligation to report leaks to data subjects and authorities applies to incidents that could cause harm, with a relevant risk. In the case of incidents, companies must first check the content of the leaked information. If it involves address, financial data and health, it would activate this mechanism”, highlights the lawyer.
“On the other hand, if it is a minor incident, for example, an encrypted database was leaked or just statistical data or very simple, there is not so much relevance for the LGPD. It is up to the company to evaluate and determine how to act”, he concludes, something that, according to the official statement of James Delivery, is in progress.
“With regard to the reported theme, the company informs that it has started an internal investigation to verify the facts, and that it is in communication with the competent authorities to conduct the necessary investigation processes that may be necessary”, says the platform.