Public statement updated 26.3.2020
In our public statement of 21.3.2020 we informed you about a cyber attack against Forenom. On 20.3.2020, we started communicating the specifics of the breached data directly to the customers whose data had been compromised. If you were affected, you have now received an email from us specifying exactly which of your data was breached. We contacted you via the email address you provided when making your booking with us.
For the sake of transparency and to prevent any confusion, we have decided to also update our public statement to include a more detailed description of the incident.
We aim to respond to all questions as soon as possible
If you have contacted us via email@example.com, we want to let you know that your contact request has most likely been received. Our privacy team is unfortunately very busy at the moment, but we aim to respond to all questions as soon as possible. Thank you for your patience.
Cyber attack against Forenom
Forenom was recently the victim of a cyber attack in which some of the personal data we hold in our systems was stolen. This was brought to our attention on Monday 16.3.2020 at 1.38 p.m. The cyber attack was directed at our ERP system, which is used to process, among other things, Forenom web shop account and customer data. The cyber attack was not directed at any other Forenom system or process. No guest or occupant data was leaked, but some data of the persons who made the reservations was.
What action did we take?
Working with privacy experts, we immediately began preparing the official record of the incident and submitted it to the local Office of the Data Protection Ombudsman on Tuesday 17th of March.
We started analyzing the leaked dataset and identifying all affected data subjects and the extent to which each was affected. Without undue delay, we started communicating with the data subjects directly through personal emails containing detailed information about the leaked dataset. If you were affected, you have now received an email from us specifying exactly which of your data was breached.
We improved our systems immediately, e.g. by auditing and fixing potential vulnerabilities and by improving our alerting systems, web application firewalls and security processes. We will continue to improve our security with the highest priority to ensure such incidents are prevented in the future.
We also intend to file a police report on the hacking incident.
Were you affected?
If you were affected, you have received an email from us specifying exactly which of your data was breached. You may have received multiple emails, e.g. if you have both a Forenom web shop account and a separate customer profile. We contacted you via the email address you provided when making your booking with us. However, some of the breached records contained invalid or otherwise outdated contact information, so we are unable to reach those data subjects by direct email. If you have any questions about this, please contact us at firstname.lastname@example.org.
What data was breached?
Below is a list of the categories of personal data included in the breach. However, most of the leaked records contained only a name and email address. In the emails we sent out, we specified exactly which of your data was breached.
- Name (Most cases)
- Email (Most cases)
- Phone number
- Social Security Number (Small portion of cases)
- Bank account number (Small portion of cases)
No credit card information or details were lost; we do not store or process credit card details in our systems.
As for passwords, we use the bcrypt hashing function with a randomly generated salt per password, which makes it computationally infeasible to recover your password from its hashed form. In non-technical language, that means you should have no reason to worry about your password. However, we would advise you to change your password, especially if it was weak or if you used the same password elsewhere.
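The property described above, a fresh random salt for every stored password, shown with an added example that is not Forenom's code: it uses PHP's built-in password_hash()/password_verify(), which implement bcrypt, and the cost factor, sample password and choice of PHP are assumptions made here for the illustration (PHP 8 is assumed for str_starts_with()).

```php
<?php
// Added illustration of per-password salted bcrypt; not Forenom's code.
// The cost factor and sample password below are chosen here for the example.
declare(strict_types=1);

const BCRYPT_COST = 12; // assumed work factor; raise it as hardware gets faster

function hashPassword(string $password): string
{
    // password_hash() draws a fresh random salt on every call and embeds it,
    // together with the cost, in the returned string, so nothing extra is stored.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Re-derives the hash with the salt and cost read from $storedHash and
    // compares in constant time.
    return password_verify($password, $storedHash);
}

function needsUpgrade(string $storedHash): bool
{
    // True when the stored hash uses an older algorithm or a lower cost than
    // the current policy; such hashes can be replaced transparently at the
    // user's next successful login, since the plaintext is available then.
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Constructed sample input for the demonstration.
$password = 'correct horse battery staple';

$h1 = hashPassword($password);
$h2 = hashPassword($password);

// Same password, two different stored values: because each record carries its
// own random salt, a leaked table of hashes cannot be attacked with precomputed
// tables, and every password must be attacked separately at the full bcrypt cost.
var_dump($h1 !== $h2);
// Layout of a bcrypt string: "$2y$" identifier, two-digit cost, "$", then the
// 22-character salt followed by the 31-character hash.
var_dump(str_starts_with($h1, '$2y$' . BCRYPT_COST . '$'));
var_dump(verifyPassword($password, $h1));
var_dump(verifyPassword('wrong password', $h1));
var_dump(needsUpgrade($h1));
```

Note that bcrypt only uses the first 72 bytes of the password, so a length limit of that order should be enforced at registration rather than silently truncated.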
How should you act?
We do not know the motives of the hackers, but common motives include pure malicious intent, fraud or identity theft.
We recommend that you reset your passwords
Although your password should be perfectly safe, we recommend you change it if you use the same password in any other systems or if your password was not strong, meaning it did not consist of at least 8 random letters, numbers and symbols.
Please monitor your email for any suspicious emails
As the data breach included digitally held personal information such as email addresses, we recommend that you monitor your inbox for any suspicious messages. Possible phishing messages should not be opened, and neither should any links or attachments in them. Such messages should also be deleted and then removed from the deleted items folder.
We have a team dedicated to answering our customers’ questions. If you have any questions or concerns please contact us at email@example.com.
Your privacy is of paramount importance to us and we take the objective of protecting and defending your privacy very seriously. We assure you that we will do our utmost to avoid such situations in the future.
We deeply apologize for any inconvenience this may have caused to you and thank you for your cooperation in the fight against cyber crime.