Notification of a personal data breach for customers who ordered between 31-3-2017 and 11-10-2018
Questions & Answers
The information in this Q&A will be updated regularly with relevant additions, since our investigation is still ongoing.
Unfortunately, a data breach has occurred at Tanita Europe. We became aware of this on Wednesday 26th of May. The breach was probably present since February 2021, when unauthorised persons gained access to one of our servers. Personal data of web shop customers is part of this breach: the data of customers who purchased products via our web shop between 31st of March 2017 and 11th of October 2018. The categories of personal data probably concerned are (company) name, address, telephone number and e-mail address of customers who ordered in our web shop in that period. Last week, the server was encrypted (ransomware). At that point we discovered that unauthorised persons had had access to the server. It cannot be ruled out that personal data has reached these unauthorised persons.
Tanita has been hacked. What does this mean?
On Wednesday 26th of May we detected that several files on one of our servers had been encrypted. We also found a message on this server stating that the files had been stolen and deliberately encrypted, with the threat to publish them online. We immediately launched an investigation and had to conclude that personal customer data had probably also been accessed. We classified the incident as a data breach and reported it to the Dutch Data Protection Authority. We have also filed a report with the police. Further investigation is ongoing.
What data is involved?
Personal data of customers ((company) name, address, telephone number and e-mail address) who ordered in our web shop between 31st of March 2017 and 11th of October 2018 is probably part of the data leak. Payment details such as IBAN numbers and credit card details are not stored by us and are therefore not affected. So far we have found no indication that personal data of customers who ordered before 31st of March 2017 or after 11th of October 2018 is also part of the leak; should our investigation show that other data was affected, we will update this message immediately.
Are any payment details like my IBAN number or credit card number part of the data leak?
No. It only concerns (company) name, address, e-mail address, telephone number and product information of customers who ordered in our web shop between 31st of March 2017 and 11th of October 2018.
How many customers does it concern?
This is still under investigation, but so far we have identified 718 web shop orders placed between 31st of March 2017 and 11th of October 2018 whose data could have been affected. The number of individual customers is probably lower, since some customers are likely to have placed multiple orders in this period. So far we have found no indication that more orders or customers are affected; should our investigation show otherwise, we will update this message immediately.
Is my (clients') personal data in the My Tanita Healthcare app or Tanita Pro app also affected by the data leak?
No. All Tanita apps run on a different server, which has not been affected by the data breach.
Is my Tanita web shop account also affected by the data leak?
No. All Tanita web shop account data is stored on different servers, which are not affected by the data breach.
What measures has Tanita Europe taken?
We started informing our customers and employees as soon as possible, and we have also informed the parties we work with. In addition, we have engaged external specialists to investigate the incident, determine who is behind the attack, and establish how a recurrence can be prevented.
What does this incident mean for me?
The data (possibly combined with data found elsewhere) can be used for identity fraud and other criminal activity, such as phishing and attempted fraud. Be alert to parties who contact you by post, e-mail, WhatsApp, SMS or telephone, especially contact that appears to come from Tanita or refers to your order. More information can be found on the police website: https://www.actionfraud.police.uk/ and with the national government: https://protect-de.mimecast.com/s/yVKZCoZ3XlirLYwzh1yziO/ . There you can find information on how to recognise identity fraud and what you can do about it. Security tips can be found at the European Union Agency for Cybersecurity (ENISA), including on secure authentication (https://www.enisa.europa.eu/news/enisa-news/tips-for-secure-user-authentication , https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/authentication-methods).

We recommend creating new passwords for all important accounts and not reusing a password across accounts, especially if your passwords may contain (parts of) the personal data that is part of this breach. Choose long passwords (length matters more than special characters) and use a secure password manager if necessary. More information on strong passwords can be found (among others) at: https://safepass.me/2021/03/11/complying-with-nist-password-guidelines-in-2021/ or https://www.fixjeprivacy.nl/tip/maak-sterkere-wachtwoorden/. There are also programs that help you create and remember different passwords, for example KeePass or LastPass. The website Have I Been Pwned (https://haveibeenpwned.com/) lets you check whether your e-mail address or a password appears on lists of stolen data. If it does, it is all the more important to change your passwords as soon as possible.
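As an added illustration, not part of Tanita's notice, the following shows how the Have I Been Pwned "Pwned Passwords" check can be performed without ever sending a password (or its full hash) to anyone: only the first five hex characters of the password's SHA-1 are sent to the public range endpoint https://api.pwnedpasswords.com/range/{prefix}, the service returns every suffix it knows for that prefix with a count, and the comparison happens locally (k-anonymity). The sample response below is constructed to mirror the real line format; the counts are illustrative, not live data, and no network request is made.

```python
import hashlib

# Public endpoint of the Have I Been Pwned "Pwned Passwords" range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL to fetch: only the first 5 hex chars (20 bits) of the hash are disclosed."""
    prefix, _ = sha1_prefix_suffix(password)
    return PWNED_RANGE_URL + prefix


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the API returns for one prefix.
    Entries with a count of 0 are padding added by the service and are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        try:
            n = int(count)
        except ValueError:
            continue
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """How often the password appears in the breach corpus (0 = not found).
    The comparison of the 35-char suffix happens locally."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Counts are illustrative; the last line mimics a zero-count padding entry.
SAMPLE_RESPONSE_5BAA6 = "\r\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E8D5A5B4C2E2B4B0F1D1D2C3A4B5C6D7E8:0",
])

if __name__ == "__main__":
    pw = "password"
    print("GET", range_url(pw))  # only the 5-char prefix leaves the machine
    print(f"{pw!r} seen {pwned_count(pw, SAMPLE_RESPONSE_5BAA6)} times in the sample data")
```

For a live check, fetch `range_url(pw)` with any HTTP client and pass the response body to `pwned_count`; the service never learns which of the few hundred suffixes you were interested in.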
Can this happen again?
We are doing everything we can to prevent a recurrence. Together with security experts we are screening our systems to rule out other vulnerabilities. We offer our sincere apologies to everyone for the inconvenience caused.
Is it safe for me to order in your web shop now?
Yes. The current web shop runs on a different server that was not affected and is not connected to the affected server.
Do you know if my data was involved?
If you ordered in our web shop between 31st of March 2017 and 11th of October 2018, your personal data could be involved. If you want us to confirm whether your order data could have been affected, please send us your order number (10 digits) so we can check. You can reach us at firstname.lastname@example.org; include your order number and 'data breach' in the subject line.
What is the current status?
The affected server is offline. The next steps for further recovery and for preventing a similar incident in the future are currently being mapped out.
Who can I contact when I have other questions?
Please contact us at email@example.com with 'data breach' in the subject line. We will do our best to answer your questions based on our current knowledge.