Updated AnyVan, the European online marketplace that lets users buy delivery, transport or removal services from a network of providers, has confirmed it was the victim of a digital burglary that involved the theft of customers' personal data.
The company wrote to customers mid-last week to inform them of a "breach of security resulting in the unauthorised access to data from our user database," according to the email seen by The Register.
"This leaking of data came to our attention on the 31st December but we understand the incident itself occurred at the end of September. As soon as the incident came to our attention, our specialist IT team investigated it and have since taken the following remedial action: all passwords have been changed."
The data in question? "Customers' names, email and a cryptographic hash of their password were accessed and 'potentially viewed' but no other personal data was unwittingly shared. A probe of events continues," said AnyVan.
As well as being "very sorry for the inconvenience," the company advised customers who used a password to access their account from April last year to update it immediately and in line with good hygiene to "regularly change your password to accounts that hold your personal data."
Besides changing the passwords, it didn't mention how it would prevent the same incident from recurring. It is not known whether the password hashes were salted. Salting is normally done to prevent hash collision attacks, where an attacker tries to find two input strings to a hash function that produce the same result.
El Reg sent a list of questions to AnyVan last week about the compromise of its internal systems, asking how entry was gained; how it has since been secured; whether the password hashes had been salted; and whether customers in mainland Europe had been impacted or just those in the UK. We also asked if it had informed the ICO.
We can answer the last one. The UK's Information Commissioner confirmed to us it was not told of the incident by AnyVan. "Not all breaches need to be reported. Organisations are required to establish the likelihood of the risk to people’s rights and freedoms. If a risk is likely, the organisation must notify the ICO; if a risk is unlikely, it doesn't have to report it."
A spokeswoman added: "However, if an organisation decides it does not need to report the breach, it needs to be able to justify this decision, so should document it."
Additional details of breach reporting requirements are here.
Neil Brown, tech lawyer at decoded:legal, told us the breach in AnyVan’s case is "pretty limited in scope of personal data" and he could understand why it had opted not to tell the ICO.
Updated at 14.27 GMT on 19 January to add:
AnyVan has sent us a statement following publication of this article to say that it did contact the ICO, "which has classified this as low risk due to the nature of the data.
"However, any matter involving customer data and privacy is taken extremely seriously and as such we have conducted a thorough review, engaged with third party technical consultants, put additional security measures in place, and of course notified potentially affected customers".
The Register has again asked the ICO to comment. ®
Updated on 19 January at 15:08 to add:
An ICO spokesperson told us: "In terms of us having received a data breach report, the position remains the same in that we don't appear to have received one."