top of page

Any recourse for individuals subsequent to a data breach?

  1. 620 million accounts stolen from 16 hacked websites now for sale on dark web

  2. LGBT fury over HIV data

The above headlines are two separate incident. The first headline was reported in the media in Europe dated 11 February 2019 while the second headline was reported in the city state of Singapore coincidentally also dated 11 February 2019 (please refer to our earlier article titled `HIV positive status of 14,200 people leaked online - An Analysis').

You might ask what is the relationship between the two headlines? It is the aftermath of the data breaches.

In the first headline, some of the data allegedly put on sale were hacked from some websites who had earlier disclosed the breaches publicly and have warned their customers that their personal data with them had been compromised. In this instance, the customers, presumably individuals, have been forewarned.

In the second headline, those whose data were hacked were informed by the authorities that their personal data had been compromised and was published online. In this instance, the individuals were informed. In both cases, what were the avenues available to those whose personal data were stolen pursuant to a breach that is not of their own doing? 

In the first case, even if the customers were forewarned and assuming they proactively changed their security settings immediately thereafter, does it mean that their personal details would be safe from the current cache which is put on sale on the dark web? The answer is 'no'. Their details would still be there. Except the purchaser/hacker who purchased the details would not be able to access or hack into that individual's accounts as the security settings has been amended.

In the second case, what recourse and avenue are available to those individuals whose personal details are now in the public domain not of his/her own doing? Considering the social stigma that society attached to those who are HIV positive, their lives could possibly be destroyed with their personal details revealed publicly. Can they pursued a course of action against the authorities? In another case in the city state where a breach at a private HMO resulted in a data breach and the authorities imposing a fine on the organisation, who has overall supervisory responsibility on the authorities concerned in this HIV case?

In both cases, the aftermath and the casualty are always the unsuspecting individuals. What recourse does these individuals have? In EU, they might have the GDPR to fall back on, hopefully. In the rest of the world, who can they rely on for recourse? Hmmmm.


bottom of page