We know an issue occurred on the site over an hour ago with someone using my account to redirect the site, make fake posts, and change other settings. The problem has been corrected.

We will continue to monitor the situation and keep you informed.

  • trouser_mouse
    link
    English
    22
    edit-2
    1 year ago

    Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.

    There are other types of reportable breaches too, I only mention data as it sounds most likely. You may or may not be subject to PECR which may also have been breached although less likely. I don’t really have enough familiarity with the regulation to discuss that one.

    If you are not sure if there has been a breach you may also need to discuss it with the relevant body or make a report.

    Please can you update what action you have taken regarding this and if the incident was reportable or not and the reasons why.

    It would be good to know if you had 2FA enabled on the compromised account particularly as it had admin privileges and if so how 2FA was circumvented.

    It would also be good to know what measures you have in place to prevent the same or other malicious attempts on your Open Collective and Patreon accounts as issues with those are potentially more serious.

    • 0xSim
      link
      fedilink
      81 year ago

      Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.

      As an aside, this is why it’s no longer possible in 2023 to host a social site as a hobby. Of course GDPR is good, I’m glad it exists, but as an individual, it’s not the kind of responsibility I want for my hobby.

      • trouser_mouse
        link
        4
        edit-2
        1 year ago

        I think the difference between a hobby site and a large social media/ conversation platform is a site for your personal use without a comment section etc likely isn’t covered, whereas a site handling users personal data and transferring data between jurisdictions is.

        I absolutely agree there is no way I would want to navigate GDPR and other regulations as an individual and therefore no way I would host a Lemmy instance! It’s a big and complex undertaking, where basic compliance isn’t too difficult but dealing with any issues that you or someone else causes that impact you is a nightmare.

    • effingjoe
      link
      fedilink
      3
      edit-2
      1 year ago

      Doesn’t GDPR only apply to businesses with more than 250 employees? Now that I type this out, does it apply to non-commercial actions at all? Does lemmy.world have even 1 “employee”?

      Edit: I really should get better at just googling the questions I have instead of asking a stranger to do it, haha.

      Some parts of it don’t apply to small businesses but it’s mostly about record keeping, and it doesn’t matter if you are non-commercial, you still must comply.

      • trouser_mouse
        link
        21 year ago

        My understanding is if you process personal data (which includes things like screen name for the UK) then you need to comply.