by randerson
2701 days ago
> a) the data wasn't breached through the credential stuffing attack, it was breached at an earlier time on another site.
> b) the credential stuffing attack itself is authorized access (because from the site's perspective, the user provided the correct username and password), not unauthorized access.
Remember, GDPR is specifically concerned with "a personal data breach". The original breach that led to the password being leaked was likely also a personal data breach (unless the only thing the hackers managed to access was the username/password database, and even then an email address can constitute personal data in some cases), but there is definitely a personal data breach as a result of the credential stuffing attack (in the Deliveroo case, more than likely full home address, possibly other addresses too like work, possibly name, some level of credit card data, order history, etc.).
>> b) the credential stuffing attack itself is authorized access (because from the site's perspective, the user provided the correct username and password), not unauthorized access.
It's certainly authenticated access, but I think you'll struggle to convince a lawyer that it was authorised.