Notification of minor personal data breach in nShift’s TMS product platform
Context
This document concerns frequently asked questions and answers relating to a personal data breach in nShift’s TMS product platform on 19 Sept 2022 relating to misdirected notification emails to certain customers. nShift’s assessment of the incident is that it is of low severity for the affected customers since the misdirected personal data was immediately deleted, together with other contributing factors.
If you have not been contacted by nShift about this incident, you are not affected at all by this data breach.
What happened?
During a reconfiguration in our TMS product platform, two faulty global notification rules were inserted, misdirecting shipping notification messages (relating to products DHL Sverige Inrikes and DHL PAKET) for some of your end users to one specific email recipient belonging to another company.
The recipient at that customer company contacted us immediately upon discovering that he/she was receiving unrelated notification emails from us. The person, who is known to us and has been a customer contact for many years, has confirmed that all erroneous notification emails were immediately deleted. The misconfiguration was not made specifically on your account, and nobody has had illegitimate access to your account.
Which personal data was revealed?
The notification emails contained the following personal data about your end users/consumers:
- Sender: Name, address, contact details
- Receiver: Name, address, contact details
- Pickup address
- Parcel info (weight, size, number, description, etc.)
Below is a redacted version of the leaked notification emails.
Who received the misdirected personal data?
All the misdirected notification emails were sent to the same recipient, who is an employee of a customer company.
The recipient at that customer company contacted us immediately upon discovering that he/she was receiving unrelated notification emails from us. The person, who is known to us and has been a customer contact for many years, has confirmed that all notification emails were immediately deleted. The misconfiguration was not made specifically on your account, and nobody has had illegitimate access to your account.
What does this mean for me as a user of the system?
The services are operating fully normally and all misdirected information has been deleted.
nShift (as a processor) assesses this incident to be of low severity. We don’t believe this incident needs to be reported to authorities nor that you need to inform the data subjects. This is our assessment based on our knowledge of the situation, but you need to make your own assessment and take all relevant factors into account.
Given that the single recipient of the misdirected notification emails has been known to us as a customer for several years, we consider the recipient to be trustworthy. The individual contacted us immediately and helped us resolve the situation quickly. The person has confirmed the deletion of the misdirected personal data.
As the processor in this data processing, we are providing our assessment only as support to you.
What should I do if I have more questions?
You can read more about personal data breaches and what is important on Integritetsskyddsmyndigheten's pages here: https://www.imy.se/verksamhet/dataskydd/det-har-galler-enligt-gdpr/personuppgiftsincidenter/
You are welcome to contact Customer Support if you don’t find answers to your questions above. You can contact us through the Contact Form on our Help Center pages.