An attacker inserted malicious code into the chatbot on the company’s payment page, potentially compromising the financial data (card numbers and CVV numbers) of 1.5 million UK data subjects. The compromised chatbot was not subjected to sufficient security vetting procedures, and the company took four months to notify the ICO about the breach. The chatbot was managed by a third party, which made it vulnerable to weaknesses outside the company’s control.
#GDPR #Privacy #DataPrivacy #EmergingRisk