Personal data of more than 37,000 Glovo riders leaked
On 3 August we learned of a new personal data breach suffered by one of the market's major operators. In this case the company affected is Glovo, a home-delivery platform which, because of the nature of its business, processes a large volume of personal data belonging to different parties, including its customers and, of course, the so-called riders.
To understand the impact of these events, we must first be clear about what constitutes a personal data breach under data protection law.
What is a security breach?
Article 4(12) GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
In this case, the breach affecting Glovo's riders' personal data consisted of unauthorised access to that data, followed by its being offered for sale in various places on the Deep Web. Specifically, the riders' personal data reported to have been accessed without authorisation include their ID numbers, phone numbers, email addresses, bank account numbers, home addresses and contract types.
In addition, the attackers claim that the data extracted also includes information on almost six million Glovo customer orders, including, among other things, customer names.
What does Glovo need to do to prevent this from happening again?
The former Organic Law 15/1999, of 13 December, on the Protection of Personal Data, and its Implementing Regulations, laid down a closed catalogue of security measures that data controllers (as Glovo is in the present case) were required to adopt.
With the entry into force of the (no longer so recent) GDPR and of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), that prescribed catalogue of measures was removed and replaced by what is known as the "principle of proactive responsibility" (the accountability principle of Article 5(2) GDPR). Under it, data controllers are themselves responsible for ensuring that the personal data they process are handled in accordance with the principles of the GDPR, and for choosing the security measures they consider appropriate in light of the risks they have assessed and the environment in which the data will be processed.
One point worth bearing in mind here, given the type of company that has emerged in recent years, is that the environment in which data controllers process personal data (of customers, suppliers, employees, etc.) is increasingly a digital one. That environment is undoubtedly more agile, but it also carries far greater risks, so data controllers that have not already done so must strengthen the security measures they have in place.
It is true that no company can entirely rule out suffering a cyber-attack at some point, and with it a personal data breach such as the one Glovo has now suffered. Data controllers are nevertheless required to carry out a detailed analysis of the risks to which the personal data they process are exposed and, on that basis, to implement the technical and organisational security measures that they, at their own discretion, consider appropriate (Article 32 GDPR).
That discretion is not unchecked, however: the supervisory authorities may open investigations and carry out audits to determine whether the data controller established and implemented appropriate measures to guarantee the security of personal data or whether, on the contrary, the measures adopted were insufficiently assessed, or were not assessed and implemented correctly, and so failed to prevent the breach that eventually occurred.
What are the consequences of this security breach for Glovo?
Following the news, everything indicates that the Spanish Data Protection Agency (AEPD) will open an investigation to determine the degree of Glovo's liability for the security measures, adequate or otherwise, that it applied to the personal data of both its riders and its users.
Everything also indicates, given the scale of the breach, that Glovo ought to have notified the AEPD of the incident (Article 33 GDPR requires notification within 72 hours of becoming aware of it) and, because a third party outside the organisation has published the data on the Deep Web and the rights of the affected data subjects have been seriously compromised, to have informed the data subjects themselves as well (Article 34 GDPR).
In view of the above, and without prejudice to the in-depth review of its security measures that Glovo must now carry out in order to guarantee the security of data subjects' personal data, the company may be exposed to a sanction for failing to comply with the principle of proactive responsibility and, if it has not done so, for failing to notify the AEPD and the data subjects of the breach and of the compromise of its security systems.
Letslaw is an international law firm specialising in business law.