Timehop admits its security breach was worse than first thought
The security breach suffered by Timehop on July 4 was much more serious than the company first thought. In an update to its original announcement, the company has revealed that while the number of accounts affected by the breach, 21 million, has not changed, the range of personal data accessed by the attackers is much broader than initially disclosed.
Timehop has released an updated timeline of events, having initially felt compelled by the new GDPR rules to publish details of the breach before all the facts had been gathered. The company says it is also unsure exactly where it stands with respect to GDPR, and is working with specialists and EU authorities to ensure compliance.
In the updated version of its security announcement, Timehop reveals that in addition to the previously disclosed personal data, the hackers were also able to access dates of birth, country codes and gender details for some users. The company acknowledges that this is serious, noting that "combined with other, outside data, this may identify an individual. Dates of birth further add to this ability".
The GDPR rules newly in force in Europe have caused Timehop something of a headache. It says:
By late Sunday afternoon we decided that it was safe to inform our user base. In the meantime, on Thursday, Friday, and Saturday, we were in contact with our lawyers in the United States and Europe trying to understand our responsibilities under GDPR. These are highly complex, and no one has experience in handling notifications since the law just came into effect. By Sunday we felt we had enough information to begin our GDPR notification, and set our sights on informing our users, and then beginning the more unhurried audit and forensic analysis of events first thing Monday.
But that does not in itself explain why the broader scope of the data accessed has only just been disclosed. On this point, Timehop holds up its hands:
We messed up. In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything. With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed. This was precisely why we had stated repeatedly that the investigation was continuing and that we would update with more information as soon as it became available.
By Monday evening, as we understood the impact of having to release that more PII had been breached from the same event, we made the decision to also disclose more technical details about the event, more specific numbers of data lost, and a much more granular breakdown of the data types stolen. On that note, our investigation continues, and if we discover more data, we will inform you of that fact no matter how embarrassing that may be to us. We are absolutely committed to telling you what we know, when we know it.
As more information has come to light, Timehop has put together a table detailing the personal information affected by the breach:
| Type of personal data combination | Breached records | Breached GDPR records |
|---|---|---|
| Name, email address, phone number, DOB | 3.3 million | 174,000 |
| Name, email address, phone number | 3.4 million | 181,000 |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, phone number, DOB | 3.6 million | 189,000 |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | 198,000 |
| Name and DOB | 14.8 million | 2.5 million |
| Name (total) | 20.4 million | 3.8 million |
| DOB (total) | 15.5 million | 2.6 million |
| Email addresses (total) | 18.6 million | 2.9 million |
| Gender designation (total) | 9.2 million | 2.6 million |
| Phone numbers (total) | 4.9 million | 243,000 |
Timehop's investigation continues.
Image credit: Piotr Swat / Shutterstock