How companies compensate you for damage after a data protection scandal



Miles & More, Buchbinder, Scalable Capital – data protection scandals and leaked customer data regularly make the rounds. But what can you do if a company or its service provider has leaked data and it is now circulating on the internet?

The privacy of customer data is a serious problem for companies. They are responsible for ensuring that the personal data of customers and interested parties is not made public. But it happens again and again that companies lose data through a hack, data theft or targeted indiscretion. One example is Miles & More: as part of an attack, hackers made off with the data of 1.35 million customers of the well-known frequent flyer program.

This became known at the end of last week; reportedly only the service card numbers, information on the status level and the names of the customers are affected. Passwords and email addresses, however, are not affected. The damage in the Buchbinder case was also extensive: comprehensive booking data was freely accessible for a long time, including telephone numbers of celebrities and politicians, accident reports and payment information.

Such cases now come to light more often than you might think: in the autumn of last year, the successful low-cost broker Scalable Capital had to admit that a service provider stole around 30,000 customer data records or parts of them. Copies of ID, face photos, contact details, account numbers and tax identification numbers were stolen. In other words, the whole arsenal of data that can be used to carry out identity theft on a large scale, possibly even to apply for loans and to do numerous other things that make the customer's life difficult and, in the worst case, leave them looking like a fraudster.

But what can and should customers do when they become aware that someone has gained access to their data and is possibly selling it on the internet or using it to present a false identity to third parties? In principle, if consumers learn of this through media reports or through a warning from the company (which it is obliged to issue in the event of relevant incidents), they should check which data is affected. Especially with media reports, it is often not clear whether your own data records are affected at all. The company is obliged to cooperate as far as possible.

First steps: which data is affected?

If access data is concerned, you as a consumer should make sure that the respective email address or login is not used anywhere else with the same login/password combination. This happens more often than expected: the login/password combinations from the lists and leaks circulating on the net work at other services frighteningly often. But password security, and the need to choose a secure, complex password for each account, is only part of the topic.

If personal address data or account numbers come into circulation, this is annoying for the individual at first (especially if it includes addresses of celebrities, as in the case of Buchbinder), but in principle does not yet allow misuse on its own. It is the combination of such data that increases the risk of misuse. In many cases, such a partial data set can also be enriched with a little criminal energy and research. Either way, it is a violation of the GDPR that can be extremely expensive for a company.

In the event of a data leak, some damage is compensated by the company

It can also become literally expensive for you if, in addition to the account details, the CVC number of a credit card or complete credit card numbers with their expiry date come into circulation. There is a risk that they can be misused, which is why you should notify the card issuer (in most cases your bank). In a larger case, the banks are usually already informed about the extent of the leak and can decide whether new access data or a new credit card must be issued. This is often the safest way if it is not clear whether there is a risk of abuse.

The costs for this (and this is the relatively undisputed next sticking point) must be borne by the party responsible, in this case the operator of the service, who was itself the victim of the leak. While operators, Scalable Capital for example, are still comparatively accommodating about such costs, for instance for issuing a new ID document or a new credit card, or for Schufa measures, you as a customer may also be entitled to compensation for immaterial damage, for example because you have wasted a lot of time on the whole affair or because certain damage only becomes quantifiable later. Your own tax ID and information about your assets and retirement planning is simply not anyone else's business. Apart from that, someone may already have tried to apply for a loan with the data, which in turn can influence your Schufa score the next time you depend on a loan yourself.

Immaterial damage: In the event of a dispute, many companies are stubborn

Since immaterial damage is often disputed, you can turn either to a consumer protection organization such as the consumer advice center, which usually only provides advice and very quickly suggests going to a lawyer, or to legal tech specialists such as EuGD or Kleinfee. The European Society for Data Protection (EuGD) is, contrary to what the EU-official-looking company logo suggests, no more and no less than a legal tech company that finances itself through attorney fees and asserts the customer's claims. To do this, the company checks whether the customer's data is affected and what the chances of compensation under GDPR Article 82 are, and in doing so prevents the claim from becoming time-barred. The lawyers will only take action against the company concerned if there is a corresponding chance of success. As with many portals for passenger or tenant rights, the entire service is initially free of charge. Only in the event of success in court, i.e. when compensation is received, does the EuGD retain 25 percent of the compensation amount as a commission.

The EuGD is currently attracting more and more affected customers from the aforementioned Scalable Capital case and from the since-discontinued Mastercard Priceless bonus program. In 2019, 90,000 customers were potentially affected.

Legal techs are not always successful, but they reduce the risk

Unlike when you as a customer go to court against a company on your own (very few do that anyway), platforms such as EuGD or Kleinfee bear the litigation risk. This can sometimes backfire, as the EuGD recently had to learn: the Karlsruhe Regional Court told a plaintiff who had sued for adequate compensation for the data leak at the Mastercard Priceless bonus program that the damage was only minor. Personal data such as contact details (real name, telephone number, e-mail address or date of birth) and transaction data (purchase date, purchase price, dealer) are “non-compromising” with regard to payment at a petrol station, for example. “Either we protect this area or we don’t protect it. Otherwise we will see the protection of consumer rights provided for and intended by the GDPR taken ad absurdum,” explains EuGD managing director Johann Hermann.

A lawyers' bon mot says that in court and on the high seas you are in God's hands. That may be correct, but it is all the more an argument for considering the services of a legal tech. Depending on the situation, it can also help to be a little more insistent on the hotline of the company concerned. After all, the company usually has an interest in retaining the customer and polishing up its currently tarnished image.
