Today we are not talking about a current danger, but about the data protection incident at the electronics retailer Conrad and how one should proceed in such cases!
In an attack on Conrad’s IT systems, unknown parties exploited a security gap to gain access to part of the IT system. Customer addresses, fax and telephone numbers, and also parts of the stored IBANs for payment transactions were accessible. After the incident became known, IT experts identified the gap, closed it and checked whether the data had been misused.
Quick and well-organized response
Conrad informed the competent state data protection authority and filed a criminal complaint with the State Criminal Police Office in Bavaria – a step that must be taken within 72 hours according to the EU GDPR (EU-DSGVO).
A press release on the incident was also published on Conrad’s corporate website, which provides information about the incident in a structured manner and even includes a FAQ list. From a PR perspective, this measure is more than exemplary and will have a positive effect on the company’s reputation afterwards.
Data protection promise: kept!
Although data protection precautions and notices are obligatory, their necessity is only proven in an emergency.
The fact that Conrad was able to clarify and report the incident so quickly and transparently indicates that a process carefully planned in advance was activated.
In its communication with its customers and the public, Conrad focused on its guidelines. At the same time, affected parties were informed that they could obtain information from the responsible data protection officers. For this purpose, a landing page was also created to address all customer questions.
The right offer from the consumer’s perspective! Data incidents lead to uncertainty on the part of the customer. Dealing responsibly with personal data also means reducing existing fears.
What are the lessons learnt?
Nobody is safe from hacking attacks – not even the electronics expert Conrad! Security precautions, transparent processes and emergency plans must be standard.
From the outside, the public communication of the data incident looks very simple. However, Conrad Electronic is a family-owned company with over 4,000 employees, 20 shops and around 1 billion euros in annual turnover. Staff in IT, legal and PR are available – in a small company, the situation is different!
A quick and transparent reaction pays off – damage to the company’s reputation did not occur; usually the outcry is greatest when the incident becomes known. The investigation is still ongoing. Whether a fine will be imposed on Conrad, and if so, how much, is therefore still unclear. What is certain is that this open form of communication will have a positive effect in any case.