Designbysi – Violation Found (Denmark, 2022)

The controller is Designbysi, a Danish fashion brand. Due to a security issue, hackers were able to implement a JavaScript code on Designbysi's website. Subsequently, customers saw an error message during their purchase with a request to re-enter their card information before purchasing an item. This enabled the hackers to collect the customers' payment card information. The hackers' attack could have potentially affected anyone purchasing items on the website between 26 April 2021 and 22 June 2021. It was not possible to identify exactly how many and which cards had been affected. As soon as Designbysi noticed the problem, the JavaScript code was removed and the personal data breach was reported to the DPA. Designbysi also sent a mail to all customers informing them about the breach and recommending them to contact their bank. Designbysi has also fixed the technical issue that made the attack possible. The Danish DPA issued a reprimand against Designbysi for violating Article 32(1) GDPR by not implementing sufficient technical and organisational measures to ensure an appropriate security level for the clients' accounts. In particular, Designbysi should have implemented two-factor authentication for persons who could change the website script.