In September DFDS A/S discovered a privacy breach involving customer data. We deem the risk of negative consequences for our customers to be low, but as there is a general rise in spear phishing attempts, we are informing our customers about this incident, so that you can take the proper precautions.
All customers that may be affected by the data breach will be contacted directly in January.
On 6th September 2023, a configuration file available via the Internet was identified. The configuration file itself did not contain personal data. However, the file made it possible to bypass our implemented security measures and access a database in a web application, where customer data was visible. The data could not be altered or tampered with in the web application. The configuration file became available because the development of the application had occurred outside DFDS’s established IT systems and procedures. The error was corrected immediately, and external access was thereby closed.
The affected database contained address lists with customer name, business phone number and business email address. Moreover, it contained a list of invoice details, including invoice number, due date, amount, and access to the email sent to the customer in HTML format.
When the breach was discovered, the external access to the application was shut down immediately. Moreover, the Danish Data Protection Agency was informed about the incident.
We deem the risk of exposure for our customers to be low, but as the data could be used for spear phishing, which currently is a rising trend in hacking attempts, we want to inform you of the potential risks, so that you can take the proper precautions.
If you have any questions or concerns about what has happened or would like further information, you are always welcome to contact our GDPR Team at email@example.com
The privacy of our customers is a top concern for us. We do everything we can to ensure all data is safe. On this occasion, a database occurred outside our established IT setup and we have therefore fallen short in protecting our customers’ privacy satisfactorily, and that is not acceptable. We apologise for this and are taking all appropriate measures to ensure that data security incidents like this do not happen again.
A typical spear phishing attack is often sent to a select few people within a company, usually via e-mail. The e-mail would look like a formal e-mail and would attempt to extract a payment for a previous or falsified invoice. It could also aim to get the targeted person to give up further information, e.g. a username or password, through links provided in the e-mail.
Be extra aware of emails regarding payments or invoices.
Do not use any e-mail address or phone number provided in the e-mail as they might be a spear phishing attempt. Use the contact information you already have.
Be aware of emails and telephone calls from people requesting your details (especially data such as your date of birth, residential address, email address, username or passwords, which are often used to verify your identity).
If in doubt, always feel free to contact your DFDS contact person directly either by e-mail or phone, to confirm the matter.