The database of Amber Windows contained 234.6 million records, including the personal information of over 500,000 UK individuals.
This data breach occurred when Amber Windows/Amber Commercial (Amber U.P.V.C. Fabrications Limited), an FCA-regulated company, left a database open to anyone with a browser and an internet connection.
TurgenSec Statement
It does not appear that Amber Windows has made any effort to inform the impacted individuals, report this to the ICO or take action to prevent this from happening again. All of this is required by UK law.
According to the TurgenSec disclosure, there is a no-win-no-fee class action that impacted individuals can join.
TurgenSec suggested to Welp Magazine that anyone contacted by Amber Windows, whether they purchased a product or not, could be eligible to join the no-win-no-fee class action.
Nathaniel Fried, a director of TurgenSec, tweeted that Amber Windows was collecting data on “sexuality, divorces and illness”.
We contacted Amber Windows to request details on why they are collecting this data, but did not get a response in time for publication.
Fried also expressed frustration at the response TurgenSec had gotten from Amber Windows.
TurgenSec (a London-based security firm) attempted to responsibly disclose the data breach to Amber Windows.
From the TurgenSec disclosure:
Sensitive Data Heading summary:
- Title
- Name
- Phone Number
- Full Address
- Door Number
- Postcode
- IP
- Password (plain text)
- Username
- Mobile Number
- Bank Account Number
- Bank Name
- Bank Sort Code
In Britain, a key factor in determining liability is whether a reasonable person, with knowledge of the circumstances at the time of the breach, would have foreseen that the breach would occur. In assessing this, the court will consider (i) the likelihood of the data being accessed, (ii) what efforts had been taken to protect it and (iii) the steps taken following the breach to reduce and mitigate any damage caused.
If the breach is the result of negligence or a serious security flaw then the company may be held responsible for the breach.
The Information Commissioner’s Office (‘ICO’) has broad powers to enforce the Data Protection Act 2018 and the GDPR and penalties for non-compliance can be severe. Breaches can be reported to the ICO by members of the public, regulators, or even the controllers themselves.
In light of the recent breach of over 500,000 UK individuals’ personal information, the ICO has been informed and will be investigating the breach.
It has come to light that Amber Windows Ltd. did not use encryption technologies to protect the breached information and left it open on the internet for anyone with a browser to access.
Amber Windows was contacted for comment, but did not respond in time for publication.
UK regulators have a duty to investigate breaches of sensitive personal information that has been stored or transferred abroad, particularly if the ICO is aware that encryption technologies are available, or could have been used, to secure the information.
If the ICO finds Amber Windows Ltd. responsible for the breach, there will be large monetary repercussions for Amber Windows Ltd. and more questions raised about the protection of sensitive personal information. The threat this breach poses to UK citizens is significant, which is why the ICO is investigating and why Amber Windows Ltd. will be held liable for failing to protect the personal information of 500,000 UK citizens.
Amber Windows Ltd. must be held accountable for its negligence, or the ICO may have a very hard time enforcing the Data Protection Act 2018 and the GDPR. If it is not, companies, especially those in the IT industry, will be much less likely to take their obligations to protect information seriously.