[BreachExchange] AnyVan confirms digital break-in, says customer names, emails and hashed passwords exposed

Wed Jan 20 10:48:10 EST 2021

https://www.theregister.com/2021/01/19/anyvan_confirms_digital_breakin_says/

UPDATED Anyvan, the European online marketplace that lets users buy
delivery, transport or removal services from a network of providers,
has confirmed it was the victim of a digital burglary that involved
the theft of customers' personal data.

The company wrote to customers mid-last week to inform them of a
"breach of security resulting in the unauthorised access to data from
our user database," according to the email seen by The Register.

"This leaking of data came to our attention on the 31st December but
we understand the incident itself occurred at the end of September. As
soon as the incident came to our attention, our specialist IT team
investigated it and have since taken the following remedial action:
all passwords have been changed."

The data in question? "Customers' names, email and a cryptographic
hash of their password were accessed and 'potentially viewed' but no
other personal data was unwittingly shared. A probe of events
continues," said Anyvan.

As well as being "very sorry for the inconvenience," the company
advised customers who used a password to access their account from
April last year to update it immediately and in line with good hygiene
to "regularly change your password to accounts that hold your personal
data."

Besides changing the passwords, it didn't mention how it would avoid
the same incident from re-occurring. It is not known whether the
password hashes were salted. Salting is normally done to prevent hash
collision attacks - where an attacker tries to find two input strings
of a hash function to produce the same result.

El Reg sent a list of questions to AnyVan last week about the
compromise of its internal systems, asking how entry was gained; how
it has since been secured; whether the password hashes had been
salted; and whether customers in mainland Europe had been impacted or
just those in the UK. We also asked if it had informed the ICO.

We can answer the last one. The UK's Information Commissioner
confirmed to us it was not told of the incident by AnyVan. "Not all
breaches need to be reported. Organisations are required to establish
the likelihood of the risk to people’s rights and freedoms. If a risk
is likely, the organisation must notify the ICO; if a risk is
unlikely, it doesn't have to report it."

A spokesewoman added: "However, if an organisation decides it does not
need to report the breach, it needs to be able to justify this
decision, so should document it."

Additional details of breach reporting requirements are here.

Neil Brown, tech lawyer at decoded:legal, told us the breach in
AnyVan’s case is "pretty limited in scope of personal data" and he
could understand why it had opted not to tell the ICO.

Updated at 14.27GMT on 19 January to add:

AnyVan has sent us a statement following publication of this article
to say that it did contact the ICO, "which has classified this as low
risk due to the nature of the data.

"However, any matter involving customer data and privacy is taken
extremely seriously and as such we have conducted a thorough review,
engaged with third party technical consultants, put additional
security measures in place, and of course notified potentially
affected customers".

The Register has again asked the ICO to comment. ®

Updated at 19 January at 15:08 to add:

An ICO spokesperson told us: "In terms of us having received a data
breach report, the position remains the same in that we don't appear
to have received one."