by Moonlight_TC 1790 days ago
The timeline of events in Scaleway's blog post is very dubious.

If the SSD was stolen over one year ago why do they only acknowledge it now?

In March 2021 [1] they were writing about how great their security was:

> We are proud of our data centers and their security. We consider that we have implemented the best solutions to protect your most valuable asset: your data. We are well aware of the huge responsibility this represents. There can be no compromises when it comes to your data.

Why were customers whose data was leaked only informed in June 2021? The delay of over 1 year is a huge GDPR issue.

The timeline of the incident from public sources:

21 May 2021: Micode tweets a screenshot of the directory listing [2]

26 May 2021: First video on the subject [3]

6 June 2021: Scaleway customer is notified their data was leaked [4]

21 July 2021: Second video on the subject [5]

24 July 2021: Third video on the subject [6]

24 July 2021: Scaleway releases a French blog post stating "Over a year ago, an SSD was stolen" [7]

Storing the data unencrypted is bad, but IMHO Scaleway's handling of the incident creates much bigger questions about their credibility.

[1] https://blog.scaleway.com/how-we-protect-your-data/

[2] https://mobile.twitter.com/Micode/status/1395640486715662336

[3] https://www.youtube.com/watch?v=vt8PyQ2PGxI

[4] https://www.lowendtalk.com/discussion/comment/3258386/#Comme...

[5] https://www.youtube.com/watch?v=aOBVZUL1iBA

[6] https://www.youtube.com/watch?v=xf_cKTlOYLo

[7] https://blog.scaleway.com/incident-securitaire-video-youtube...

Previous discussion: https://news.ycombinator.com/item?id=27957471