What happened?
Stripchat is a website owned by Technius Ltd. in Cyprus that hosts a large number of adult webcam operators. The owner has been reprimanded by the Cyprus data protection authority for a breach of over 64 million user accounts and not informing them properly about the breach. I didn’t know the website before, but on October 22 2019 I get an e-mail from the website that an account has been created on this website. These kinds of e-mails are relatively common for me so I don’t pay any attention to the e-mail.
More than two years later, I get an alert from SpyCloud, a breach monitoring service.
SpyCloud has fetched a data dump with over 64 million accounts and my e-mail address is in there. The date and time of account creation indicated by the breached data exactly matches the e-mail I got in 2019. However, the other data did not match my personal data. It looks like someone used my e-mail address to create an account there.
My first response is asking Stripchat what personal data they have about me. Stripchat is actually quite responsive but demands I provide a copy of my passport before providing me with a copy of my personal data. I refuse to provide that. With regard to the breach, they refer me to a public blogpost where they provide some details. But they refuse to include details like the confirmation that my personal data is affected and if third parties still have access to my personal data. Even after I refer them to SpyCloud for evidence that at least one third party still has access and that my personal data is affected, they refuse to confirm those facts and stop responding.
I decide to file a complaint to make sure that they actually inform the other affected data subjects.
The complaint
On December 8 2021 I file a complaint at the Dutch data protection authority Autoriteit Persoonsgegevens (AP). The AP is actually quite quick to respond and on January 14 2022 the Cyprus DPA has acknowledged to be the lead supervisory authority. However, that’s where things start to slow down. The story of how article 60 of the GDPR and Dutch administrative law are a poor match and some other issues with the Cyprus SA are out of scope of this blog post. On October 19 2023 the AP sends me a letter that includes the decision by the Cyprus SA. My complaint is well founded.
The decision
Download decision (PDF, mix of Dutch, Greek and English)
Feel free to skip through the Dutch and Greek pages, the meat of the decision is in English. For me, the complaint has three important parts.
Stripchat has unlawfully required me to provide a copy of my identity document for providing me access. For me, this was a relatively hollow victory because I knew exactly what they had about me: my e-mail address. And I could see that in the breached data. But for other data subjects, Stripchat has improved their access policies.
The Cyprus SA concluded that my e-mail was accessed by an unauthorized person. There is no evidence provided for this claim, but I guess that means that Google has had a breach without informing me. I have doubts about the accuracy of this conclusion.
Stripchat did not properly inform data subjects about the breach by publishing a blogpost. Stripchat has to inform data subjects by e-mail.
For all this Stripchat has received a reprimand. I’m happy with the content of the decision. I don’t think it’s a good idea to give a reprimand for not informing data subjects for such a major data breach. However ineffective for actually reaching data subjects, publishing a blogpost about the breach is definitely not the same as a controller trying to hide a breach. Except for some nerdy process stuff I skipped over, I want to see some more enforcement like this.
What can you do?
Do you have a Stripchat account and did not get any notification?
Check SpyCloud to see if your e-mail address is included in this “sensitive source”. If it is and you didn’t get an e-mail from Stripchat, Stripchat can get fined if you file a complaint.
You can file a complaint at the Cyprus SA.
Or, you can file a complaint at your local supervisory authority if you live in one of the European member states. For my Dutch readers click here.
Please mention the decision by the Cyprus SA in the complaint.