First, the FCCU has opened an investigation. This is a criminal investigation against the hacker. The only thing he can do is hide and run, or try to negotiate some deal (but only for a lower sentence) when he returns the data. Blackhat hackers are seldom hired in the industry, and only when they have so many different competences that they are very valuable.
They will collect all the possible data, even the smallest details, because it is the details that get hackers busted.
Secondly, the privacy commission has opened an investigation. This is normal because it has been in the press. In this investigation it will ask itself the following questions:
* which kind of data is lost and how was it lost? (this is not clear yet)
* were all the victims informed of this? (some say no on this forum)
* was the data sufficiently protected? (according to the hacker the seeding of the data was not very strong and it was not encrypted)
* was the application sufficiently secured and tested? (well, look at the versions and decide for yourself. If you are responsible for the data of 100.000 members, then I am not sure you have been acting as a good housefather by not buying the paid licence that was updated)
* did anybody send information about possible security problems, and how were they handled by the network administrators, by the hosters and by the security people of the network?
* was the server sufficiently secured? (it is not sure that they came in by the application; they could also have used vulnerabilities on the server of the application)
* was the network secured enough? This means: was everything done to stop these kinds of attacks against my applications before they attack them (an application firewall, for example)?
* was there logging and monitoring, and why didn't any alarms go off with the security center that should be monitoring what is happening on the servers and the network?
* was the incident response sufficient when it became known or when the alarms started going off?
So if you see this, it will be a very interesting case, and not only because of 9lives, but because this touches a very fundamental question - especially in Belgium, where everybody acts as if nobody is responsible for anything when shit happens - which part of the security should be taken care of by the hoster and which part by the application admin, and how should they work and interact together.
You can file a complaint with the privacy commission by sending an email to firstname.lastname@example.org, mentioning that you are or were a member of the 9lives community and that you want them to investigate what happened, who is responsible, and what to do to make sure that this doesn't happen again.
You will get no money as long as your credit information or your eID information is not involved, because the sums that you would receive are there to compensate for all the administrative changes that you have to ask for or to do.
But just as with the NMBS case, it will force the major hosters in Belgium to take notice and to invest more in security for us and everybody else, and that makes it a good thing even if it is only a small mail.
This will probably not be an investigation or complaint against somebody, and surely not against a volunteer (because in this case the commercial owner of the forum would be responsible for being irresponsible in using only unpaid volunteers to keep a forum with 30.000 daily visitors).