20.11.2019

How to deal with a data incident: Conrad Electronic


Today's topic is not a current threat but the data protection incident at the electronics retailer Conrad, and how to proceed in such cases!

What happened?

Unknown persons exploited a security vulnerability to gain access to part of Conrad's IT systems. Customer addresses, fax and telephone numbers, and also parts of the stored IBANs for payment transactions were thus accessible. After the incident became known, IT experts identified the gap, closed it and checked whether the data had been misused.

Fast and well-organized response

Conrad has informed the responsible state data protection authority, a step that must be taken within 72 hours according to the EU GDPR, and has filed a criminal complaint with the State Criminal Police Office in Bavaria.

A press release on the incident was also published on Conrad's corporate website, which provides structured information about the incident and even includes an FAQ list. From a PR perspective, this measure is more than exemplary and will have a positive effect on the company's reputation in the aftermath.

Data protection promise: kept!

Data protection precautions and notices are mandatory, but their necessity only becomes apparent in an emergency.

The fact that Conrad was able to clarify and report the incident so quickly and transparently indicates that a process carefully planned in advance was activated.

In its communication with its customers and the public, Conrad has focused on its guidelines. At the same time, data subjects were advised that they can obtain information from the responsible data protection officer. For this purpose, a landing page was also created that addresses all customer questions.

From the consumer’s perspective, the right offer! Data incidents lead to uncertainty for the customer. Responsible handling of personal data also means reducing existing fears.

What can we learn from this?

  1. No one is safe from hacking attacks – not even electronics expert Conrad! Security precautions, transparent processes and emergency plans must be standard.
  2. From an outside perspective, public communication of the data incident looks very simple. However, Conrad Electronic is a family-owned company with over 4,000 employees, 20 branches and an annual turnover of around 1 billion euros. Human resources in IT, legal and PR are available – not so in a small company!
  3. A quick and transparent reaction pays off – the reputational damage has not materialised, and the outcry is usually greatest when the incident becomes known. The investigations are still ongoing. Whether and to what extent a fine will be imposed on Conrad is therefore still unclear. What is certain is that this open way of communicating will have a positive effect in any case.