We know an issue occurred on the site over an hour ago with someone using my account to redirect the site, make fake posts, and change other settings. The problem has been corrected.
We will continue to monitor the situation and keep you informed.
We know an issue occurred on the site over an hour ago with someone using my account to redirect the site, make fake posts, and change other settings. The problem has been corrected.
We will continue to monitor the situation and keep you informed.
Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.
There are other types of reportable breaches too, I only mention data as it sounds most likely. You may or may not be subject to PECR which may also have been breached although less likely. I don’t really have enough familiarity with the regulation to discuss that one.
If you are not sure if there has been a breach you may also need to discuss it with the relevant body or make a report.
Please can you update what action you have taken regarding this and if the incident was reportable or not and the reasons why.
It would be good to know if you had 2FA enabled on the compromised account particularly as it had admin privileges and if so how 2FA was circumvented.
It would also be good to know what measures you have in place to prevent the same or other malicious attempts on your Open Collective and Patreon accounts as issues with those are potentially more serious.
As an aside, this is why it’s no longer possible in 2023 to host a social site as a hobby. Of course GDPR is good, I’m glad it exists, but as an individual, it’s not the kind of responsibility I want for my hobby.
I think the difference between a hobby site and a large social media/ conversation platform is a site for your personal use without a comment section etc likely isn’t covered, whereas a site handling users personal data and transferring data between jurisdictions is.
I absolutely agree there is no way I would want to navigate GDPR and other regulations as an individual and therefore no way I would host a Lemmy instance! It’s a big and complex undertaking, where basic compliance isn’t too difficult but dealing with any issues that you or someone else causes that impact you is a nightmare.
Doesn’t GDPR only apply to businesses with more than 250 employees? Now that I type this out, does it apply to non-commercial actions at all? Does lemmy.world have even 1 “employee”?
Edit: I really should get better at just googling the questions I have instead of asking a stranger to do it, haha.
Some parts of it don’t apply to small businesses but it’s mostly about record keeping, and it doesn’t matter if you are non-commercial, you still must comply.
My understanding is if you process personal data (which includes things like screen name for the UK) then you need to comply.
Yeah, I realized I was just asking you to google something for me; sorry about that. I didn’t know t applied to usernames, though. How is that “personal data”?
No worries!
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-are-identifiers-and-related-factors/
This makes a lot of sense. I was thinking of “personal data” as “something that identifies a specific person” instead.