The problem is in the details of this carefully crafted PR statement, which probably had to pass legal review so that it would not be outright lying:
"the hackers had no access to actual customers"
OK, let's go back to the structure of the server with the databases that was accessed.

There are test databases and a few others that may be old.
It wouldn't be the first time that Rex Mundi finds information on a server and tries to blackmail the firm, which afterwards declares only that it is old data and that the attackers were losers because they didn't get the newer data (which, they always say, is protected and safe).

In fact this is the problem with many systems: they don't destroy older data fast enough, and when they do keep it (for reasons I don't understand) they keep it most of the time on the same systems, or on systems they don't sufficiently protect (because that costs money).

But this doesn't mean that it isn't personal information, and it doesn't mean that it doesn't have to be protected just like any other personal data about me or you. DATA IS DATA. Even if 10 or 50% of it is no longer correct or relevant, the rest is still relevant and should have been protected as if it were new personal data. And by the way, how will you know that 'old personal data' is old without checking it, and by doing so making it active again?

If the data is no longer relevant, why don't you just destroy it (and put that in your standards)? Imagine how much safer the world would be if all the Yahoos, Googles and Microsofts destroyed all our old data after a few months or years of inactivity, or if we could say to Facebook: destroy all my data that is older than, for example, a year.
It also means that the privacy commission will still have to start an independent investigation, if only to find out what the leaked or breached data is about and what happened. This is why the privacy commission should be given the right, in these cases, to send in independent investigators at the cost of the 'victim'. The other advantage is that the 'public interest' it represents is assured that the incident is handled according to all the norms and standards that should have been implemented, with an independent appraisal from investigators whose only business value is that they tell the truth as it is, 'in the public interest'. (I have no business interest in this proposal; it is just logical sense, and a copy of the Vinçotte inspections you need to pass before you can connect your own renewed electrical installation to the public grid.)

LESS DATA IS MORE SECURITY, LESS RESPONSIBILITY AND LESS COST
Secondly, it is strange to read in the same declaration that the hackers didn't breach any information, or that they didn't access any systems that were important, but that the company will take all necessary measures to prevent this from happening again.

If you are used to (and bored by) marketing and PR material, you can see that this doesn't make any sense.

Either the systems were not breached, the information is fake and nothing happened because your security is in order, or it isn't. You can't have it both ways.
This is not the kind of declaration that inspires confidence, and it is not the kind of declaration on which the privacy commission should decide what it will do. It should base its opinion solely on the facts, and the facts are that some data has been leaked and that, in Numericable's own words, it is some kind of their data but not actual user data.

Just as fire investigators come around after the fire to investigate.
Even if this sample of data seems at first sight to be dummy data created to test or populate a database, the test database was on the same server as the production databases, so the problem remains. And if this data is from the test database, they should have said so from the beginning, depending on the data that seems set to be released in a few hours (unless they, or someone else on their behalf, pays, and doesn't forget to ask for a non-disclosure as part of the agreement, under which you pay in two parts, one now and one much later, except if the data is published anyway, something that, by the way, someone forgot to ask for).

Nobody is going to shoot you down because you gave a detailed and explicit account of what happened; that is what should have been done from the beginning. But nobody is going to believe you (anymore) with such stupid declarations, especially if the forthcoming data leak proves otherwise.

The PR people are a problem in incident management because they think they have to hide things, and they think that by hiding or fuzzing things it will look better. No, on the contrary, it makes it look much worse.

And this is another reason why, during such incidents, you call in the independent investigators, and you communicate that independent investigators are on the scene and that you will communicate more details as "they come out and are proven to be exact (and not a possibility)". It doesn't mean that you have to publish technical information that will make it easier to attack your network, but the impact analysis has to be 100% correct and not fuzzed up by marketing and PR people.

This is what we expect from professionals who have to protect our data.