at3n 317 Posted July 8, 2019 Share Posted July 8, 2019 (edited) 2 hours ago, Harrryquartz said: This is the fine that company which had a data breach faces in the the UK where there was no financial harm to its customers, there are still a lot of options open once Gatehub make their next statement stating what they know. Does anyone know if crypto secret keys, in this context, would be treated as personal data under GDPR? In theory, Gatehub did not keep records of people's secret keys (only encrypted keys, which Gatehub could not decrypt), so it could be argued that an individual could not be identified using only the secret key. I don't think it's the same as credit card data, which will always be linked to an individual's record in a company's database. Also, fines such as the ones above would not be compensation to the victims, that would still need to be pursued separately. In fact, if such a fine was imposed on Gatehub, it would make it even harder for them to compensate... Edited July 8, 2019 by at3n Clarification Link to post Share on other sites
mrenne 716 Posted July 8, 2019 Share Posted July 8, 2019 2 hours ago, at3n said: In theory, Gatehub did not keep records of people's secret keys (only encrypted keys, which Gatehub could not decrypt), so it could be argued that an individual could not be identified using only the secret key. I don't think it's the same as credit card data, which will always be linked to an individual's record in a company's database. Encrypted personal data is also personal data according to GDPR. Furthermore, wallet addresses can be extracted from secret keys and wallet addresses could be stored together with personal data in KYC files, so it is theoretically possible to link the secret key to the identity of a person. This is a grey area in GDPR, with room for discussion, but there definitely are arguments. at3n and Ghobicat 2 Link to post Share on other sites
Harrryquartz 93 Posted July 8, 2019 Share Posted July 8, 2019 (edited) 3 hours ago, at3n said: Does anyone know if crypto secret keys, in this context, would be treated as personal data under GDPR? In theory, Gatehub did not keep records of people's secret keys (only encrypted keys, which Gatehub could not decrypt), so it could be argued that an individual could not be identified using only the secret key. I don't think it's the same as credit card data, which will always be linked to an individual's record in a company's database. Also, fines such as the ones above would not be compensation to the victims, that would still need to be pursued separately. In fact, if such a fine was imposed on Gatehub, it would make it even harder for them to compensate... BA was just an example of a hack and decisive action by the regulator. ICO can order compensation as well as issue fines and it relates to all aspects of personal data. Their prime responsibility is protect individuals affected or potentially affected by data breach and not the company. Gatehub have now contacted the ICOas they are registered as tier 1 organisation with ICO...... Registration number:ZA198432 Date registered:05 August 2016 Registration expires:04 August 2020 Payment tier:Tier 1 Data controller:Gatehub Limited Address:88-90 Hatton Garden London EC1N 8PN .............and ActionFraud to report and will be issuing statement via email in the next 7days. Edited July 8, 2019 by Harrryquartz Link to post Share on other sites
at3n 317 Posted July 8, 2019 Share Posted July 8, 2019 4 hours ago, mrenne said: Encrypted personal data is also personal data according to GDPR. But normally the data controller has a means to decrypt such data. If a controller encrypts the data and throws away the key (hands it off to the user in this case), does that reduce their need for compliance (could it count as anonymised data)? Furthermore, if the encryption is actually done by the client's browser, then the data controller never even knew the encryption key to begin with, and is essentially acting as a cloud storage service for data that was encrypted by the user. If all that was true, and perfectly executed, does that change anything? I guess that in this case it doesn't matter, because whatever protections were in place clearly failed, and not as a result of user error (we can presume). Perhaps I'm showing my ignorance, but the concept is interesting to discuss. 4 hours ago, mrenne said: Furthermore, wallet addresses can be extracted from secret keys and wallet addresses could be stored together with personal data in KYC files, so it is theoretically possible to link the secret key to the identity of a person. This is a grey area in GDPR, with room for discussion, but there definitely are arguments. Good point, maybe that would be enough to get them. Harrryquartz 1 Link to post Share on other sites
Silkjaer 542 Posted July 8, 2019 Share Posted July 8, 2019 Likely only the secret key is stored in encrypted form, but looking at session data also “personal identifiable information” such as email addresses, is stored and accessible with the API. Link to post Share on other sites
Silkjaer 542 Posted July 10, 2019 Share Posted July 10, 2019 We've been contacted by a victim of June 27, so while we thought that the perpetrators were done this was a cue to look into movements to see if there were other thefts we didn't know about. Perpetrators have changed tactics and we have been able to identify several thefts, the latest being July 7, and the stolen amount is now close to 26M. Link to post Share on other sites
jlripple 92 Posted July 10, 2019 Share Posted July 10, 2019 Gatehub really screw up big time. Ripple trade should remove them from their website. Link to post Share on other sites
kanaas 3,903 Posted July 10, 2019 Share Posted July 10, 2019 We've been contacted by a victim of June 27, so while we thought that the perpetrators were done this was a cue to look into movements to see if there were other thefts we didn't know about. Perpetrators have changed tactics and we have been able to identify several thefts, the latest being July 7, and the stolen amount is now close to 26M.What do you mean by changing tactics? In what sense they changed? Link to post Share on other sites
Silkjaer 542 Posted July 10, 2019 Share Posted July 10, 2019 40 minutes ago, kanaas said: What do you mean by changing tactics? In what sense they changed? Not sending funds much around, changing accounts quite often etc. So only slight changes in how they operate. Link to post Share on other sites
mrenne 716 Posted July 10, 2019 Share Posted July 10, 2019 Now I am wondering, are there still xrpchat members that are keeping their funds at GateHub? Link to post Share on other sites
kanaas 3,903 Posted July 10, 2019 Share Posted July 10, 2019 2 hours ago, mrenne said: Now I am wondering, are there still xrpchat members that are keeping their funds at GateHub? hope not Link to post Share on other sites
kanaas 3,903 Posted July 10, 2019 Share Posted July 10, 2019 (edited) On 7/8/2019 at 8:15 AM, mrenne said: Yes, and sometimes the person responsible to keep the car keys is responsible if the car gets stolen. It just depends on legislation and situation. That's why I asked if the person that came with such a blanket statement was a specialist or not. If not, his answer is quite useless. Don't know how that legally translates, but there is a fundamental difference between cars/carkeys and cryptoassets/secrets. The first can become physically separated what means that the holder of the keys de facto cannot be responsible for the state of the car neither for the theft of the car, unless that car is placed on an environment that's under his full control (private parking lot, garage). With crypto one can say that the asset virtually is tied and even makes part of the keys and therefor being under full control of the key holder(s). One could say that encryption may separate the keys from the asset, but I think that's a weak argument and as said, I've no idea how this translates to different laws and jurisdictions..... We might soon (?) find out I guess.... Edited July 10, 2019 by kanaas Silkjaer, Ghobicat and jlripple 3 Link to post Share on other sites
at3n 317 Posted July 11, 2019 Share Posted July 11, 2019 16 hours ago, mrenne said: Now I am wondering, are there still xrpchat members that are keeping their funds at GateHub? For me, only small wallets that I use for testing; I still like the user interface and the simplicity of having someone else look after multiple sets of keys for you. But it would mean nothing to me if it was stolen. Haven't kept serious amounts on there since 2017. mrenne 1 Link to post Share on other sites
Harrryquartz 93 Posted July 11, 2019 Share Posted July 11, 2019 (edited) Gatehub have just released this information at conclusion of initial investigation: Our Security Team has concluded the first phase of an extensive forensic investigation intothe recent cyber attack on GateHub. A public statement with more information will be published on our blog soon. We have identified the accounts that were targeted in this attack and the information that was compromised. According to our records, the perpetrator gained unauthorized access to the following information: Email Hashed password Hashed recovery key Encrypted XRP ledger wallets secret keys (non-deleted wallets only) First name (if provided) Last name (if provided) The perpetrator did not gain access to the following information: Phone number Address Nationality Citizenship ID document(s) Proof of residence document(s) Date of birth Place of birth Any other information not included in the first list Edited July 11, 2019 by Harrryquartz JLCali 1 Link to post Share on other sites
princesultan 816 Posted July 11, 2019 Share Posted July 11, 2019 Wow that's really awful. Link to post Share on other sites
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now