[BreachExchange] Delivery startup, iVoy, experiences data breach, over 127, 000 accounts exposed

Destry Winant destry at riskbasedsecurity.com
Fri Aug 7 10:20:05 EDT 2020


https://www.contxto.com/en/mexico/logistics-startup-ivoy-data-breach/

Contxto – What a week it must have been over at Mexican logistics
startup, iVoy. When your users’ data has been potentially compromised,
you have a lot to do.

Last Tuesday (28), news broke that it was among a series of companies
to experience a data breach. In the process, a reported 127,432
account users’ emails and iVoy passwords were exposed on an online
forum.

Putting things in perspective: If a person uses the same password for
everything (tsk tsk), that means they’re vulnerable on multiple fronts
(e.g. email, social media, e-commerce platforms) when that password is
obtained by an unauthorized party.

The startup stated that it’s deployed all its security protocols and
that “users’ personal data is safe.” But just in case, it advised them
to change their passwords.

iVoy published a statement on social media last Wednesday.

It’s a daunting situation, but it’s always best to prepare beforehand,
no matter your organization’s level of complexity.

What to do in case of a data breach

One can only begin to fathom what goes through a Founder’s or CEO’s
mind when they’re told there’s been a data breach. My guess is it’s a
word that rhymes with “spit” or “firetruck.”

After which they must see to solving the problem.

This is an (extremely) oversimplified explanation, but it’s important
you keep it in mind (if you haven’t done so already).

The first thing to do is assess the damage preferably with
cybersecurity experts. What information was exposed, when, and so on.
The measures you take will depend on the level of sensitivity of the
data that was compromised.

Christmas wish lists and pictures of your dog won’t sound the alarm.
Personal data (emails, phone numbers, banking info) call for all hands
on deck.

Based on these findings, your team (preferably with legal counsel)
will have to decide whether to disclose the breach to your users so
they can protect themselves, as well as the relevant authorities.

In this case, iVoy issued a statement confirming the breach and
advising its users on how to proceed.

You must also change your systems’ passwords and credentials and
reevaluate your cybersecurity strategy.

If not, you might as well invite hackers through your digital door.

Data breach in a worst-case scenario?

Throughout the aforementioned process, make sure you document everything.

If things go awry, you’ll need a paper trail to demonstrate that you
did everything within your means to solve the problem and protect
users’ information.

Will it be enough to shield you from a fine if worse comes to worst?
Meh, it’s complicated.

It might save you in court (it depends, as usual). But the damage it
does to your image can have long-lasting effects.


More information about the BreachExchange mailing list