Articles - Insight, ideas and inspiration to help you supercharge bookings.

Notification of Personal Data Breach

Written by Profitroom | Dec 12, 2024 2:13:46 PM

Dear Sir/Madam,

Pursuant to Article 34(1) and (2) of the General Data Protection Regulation of April 27, 2016 (GDPR), we hereby inform you that in December 2024, a personal data breach occurred during the processing of personal data by Profitroom S.A., located at Franklina Roosevelta 9, 60-829 Poznań, which is the Data Controller (hereinafter “We”). This breach involved unauthorized access to information resulting from a compromise of the Google account of one of Our employees, leading to the disclosure of personal data stored in that Google account to unauthorized individuals (confidentiality breach).

  • Nature of the Breach

On December 5, 2024, an unauthorized person or persons (it cannot be excluded that multiple individuals logged in using the same IP address) accessed the Google account of Our employee. They gained access to its contents, including the email inbox, email addresses, and personal data such as names, surnames, genders, workplaces, job titles, and phone numbers. On December 9, 2024, the attackers began sending phishing emails with an infected PDF attachment. This type of phishing email aims to obtain login credentials for Google services.

  • Potential Consequences of the Breach

Given that access to the Google account extends beyond the email inbox to features like the calendar and work documents, it is our duty to inform you that, as a result of this breach, it is possible that the attackers have obtained your email address, phone number, or other data shared with Our employee. This may lead to potential negative consequences, such as:

  • Receiving unwanted phishing emails urging you to click malicious links or download infected files.
  • Receiving unwanted phone calls.
  • Misuse of obtained data by unknown individuals for criminal purposes.
  • Use of the acquired data to create online accounts in your name.
  • Fraudulent agreements made using your data.
  • Impersonation to extract additional personal data from you.
  • Financial fraud, dissemination of your data, annoyance, distress, lack of access to services, or identity theft.

These potential consequences are listed as possibilities based on the nature of the data involved in the breach and may not necessarily occur.

  • Measures Taken to Mitigate the Breach

Thanks to our security systems, we were able to interrupt the attackers’ activities, preventing further phishing emails from being sent from Our employee’s email account. However, this does not guarantee that the attackers will not attempt to contact you using other means. We advise you to remain vigilant.

In response to the breach, measures have been implemented to minimize or eliminate potential adverse effects for you. These include immediate security protocols such as scanning, applying account blocks and resets, and reporting the breach to the supervisory authority, the Polish Data Protection Office (UODO).

  • Recommended Actions to Protect Against Potential Negative Consequences

If you use a Google account, we encourage you to regularly check your account's Security Checkup to identify suspicious logins or security alerts from Google. Additionally, we strongly recommend enabling two-factor authentication (2FA).

To further protect against potential consequences listed in Section III, you can:

  • Exercise caution by verifying links or attachments with the sender before opening.
  • Avoid providing login credentials or personal data via links or attachments in suspicious emails.
  • Be cautious during phone conversations.
  • Reset your passwords.
  • Enable two-factor authentication wherever possible.
  • Ignore requests for personal data.
  • Consider creating an account with a credit information service (e.g., bik.pl) to better safeguard your data.
  • Notify us immediately if you discover any unauthorized use of your data.


Contact for Further Information


For more details about the breach or to address any concerns, you may contact our Data Protection Officer, Ms. Beata Marek, via email at gdpr@profitroom.com.

Yours sincerely,
The Management Board
Profitroom
View full post