In our Exact Online application, selected users can store and manage their business opportunities. It was detected that some customers could see part of other customers' opportunities after choosing and then resetting certain filters in the opportunity card. The information that became erroneously accessible was so-called 'opportunity modification data'; it did not reveal, for example, the customer's name, but it could include the sales person involved and the user that modified the opportunity. This incident was reported late in the evening of 18 January, and the affected functionality was disabled in the early morning of 19 January. Analysis showed that only 3 customers and 2 Exact employees had used this functionality and viewed some of the involved data. There was one unsuccessful attempt to download data.
Since Exact is legally the data processor for these data and not the data owner, we are legally neither allowed nor required to report this incident to the Dutch 'Autoriteit Persoonsgegevens' (Personal Data Authority). Contractually, we are required to inform our customers of security incidents that have a significant impact on the customer. After careful consideration, we decided not to report this incident to the customers involved, given that only three customers viewed the data, no downloads were detected, the visible data did not reveal the customer's name, only modification-related data was visible, and it is hardly imaginable that the exposed data could be used to cause the customers involved serious adverse consequences. The incident was caused by a defect in the functionality, which was disabled immediately upon detection and re-enabled after being fixed. We confirmed our decision with our external lawyer.