1

I noticed a severe data leak on a Chinese website allowing me to access other users' phone numbers, addresses and names.

Should I report this? I don't want the higher management at the company to assume I was purposefully hacking their site & take legal action.

schroeder
James Nixon
  • Good info in comments above. The nuance of whether GDPR applies is not what you’d think. It protects EU citizens’ rights only if the data was processed/submitted while the user was physically in Europe. Regardless of the company’s legal status in any country. As an example, if I were to be visiting a website while in the USA, GDPR doesn’t apply. But visiting that same site from a physical EU location instantly makes the company liable to GDPR regulation. (Hence why many sites outside of the EU simply decided to outright deny access if located inside the EU) – I'm a TI calculator Sep 20 '19 at 17:02
  • Thank you, I have reported them to the ICO. Hopefully, it gives them the motivation to fix this issue as after further investigation there is no easy way to stop the data from being returned. – James Nixon Sep 20 '19 at 17:37
  • Report to whom? Where do you want to report to? – schroeder Sep 23 '19 at 15:24
  • Chinese companies are not subject to GDPR any more than Chinese laws are enforceable in Europe. – schroeder Sep 23 '19 at 15:25
  • @schroeder After doing a bit of research, it seems any company handling EU customer data has to comply with GDPR & as I'm from the UK, we have an ICO where we can report GDPR breaches. – James Nixon Sep 23 '19 at 15:33
  • China does not apply – schroeder Sep 23 '19 at 15:33
  • Article 3 states that there has to be an international legal agreement between the Union and the extra-Union country. In short, it has to be enforceable. – schroeder Sep 23 '19 at 15:34
  • Ah interesting @schroeder I'll take a look. After emailing, the company seem to want to fix the issue nevertheless. – James Nixon Sep 23 '19 at 15:36
  • @JamesNixon ha, you got more response than I have ever had, having come across a few simple issues in the past, and offering simple fixes that were never implemented... – LTPCGO Sep 24 '19 at 04:10

0 Answers