- ‘DigitalOcean’ has disclosed a data breach, the cause of which it has not specified, that exposed customer billing information.
- The company says only about 1% of its billing profiles were affected.
- If EU data protection authorities investigate and find GDPR violations, the cloud provider could face substantial fines.
‘DigitalOcean,’ the New York-based cloud service provider, is sending data breach notices to its customers by email. According to the notice, the exposed data consists of billing details linked to DigitalOcean accounts. The exposure window is given as April 9 to April 22, 2021, roughly 13 days. The notice adds that no user accounts were accessed and that no passwords or tokens were involved.
The following information was accessed:
- Billing Name
- Billing Address
- Payment Card Expiration
- Last 4 Digits of Payment Card
- Payment Card Bank Name
The notice is generic, and DigitalOcean has not said what the flaw was. One reading of that field list is a card-skimming script planted on DigitalOcean’s checkout page. There is a caveat, though: the fields listed (name, address, last four digits, expiry and issuing bank) are also exactly what a merchant typically keeps in a stored billing profile once the card itself has been tokenised by a payment processor, whereas a checkout skimmer captures whatever the customer types, usually including the full card number and security code. Unauthorised reads of stored billing records therefore fit the list at least as well as a skimmer, which is why the company’s own description of the flaw matters. What DigitalOcean has said is that the flaw has been fixed and that additional security monitoring has been put in place on all user accounts to catch any recurrence. It would be useful to know what the flaw was, but that has not been disclosed.
On the number of accounts affected, the company’s head of security, Tyler Healy, told TechCrunch that only 1% of billing profiles were involved. A fraction that small is consistent with a skimmer that only caught customers who entered card details during the 13-day window, though it does not rule out other explanations, and Healy declined to comment further or address specific questions. Given the size of DigitalOcean’s customer base, even 1% corresponds to a large number of customers.
The notification sent to affected customers also states that the relevant data protection authorities have been informed, which presumably includes those in the EU. If those authorities investigate and find GDPR violations, the fine ceiling is the higher of €20 million or 4% of global annual turnover (Article 83(5)); a failure of security-of-processing obligations under Article 32, which is where a breach caused by a technical flaw would most likely be assessed, falls in the lower tier of the higher of €10 million or 2% (Article 83(4)).
In 2020 the company reported revenue of $318.4 million, so 4% comes to roughly $12.7 million, which is below both fixed floors; the statutory maximum would therefore be set by the €10 million or €20 million figure rather than by the percentage, and any actual fine would depend on the authorities’ findings. A penalty of that order would not help a company that is already under financial strain.