The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulator for privacy in various EU member countries) and to the individuals themselves. One example discussed in the guidance relates to credential stuffing, i.e., attempts to log in to online accounts using stolen usernames and passwords. The example, however, is so specific that it leaves many questions unanswered. The example proposes that a vulnerability in an online banking website exposed certain data elements, like name, gender, date and place of birth, and user ID. A hacker then attempted to log in to 100,000 accounts using a fixed, common password. The user was able to successfully log in to 2,000 online accounts.

The EDPB says notification to all 100,000 data subjects is required, even if the attempts to log in were unsuccessful. The EDPB’s view is based on the exposure to the threat actor of the personal data of the full population, independent of whether the log-ins were successful. However, the example does not explain whether notification to the larger population whose account log-ins were not successful would be required had the hacker simply obtained usernames and attempted to log-in using the fixed, common password.

The EDPB also does not opine on the more common scenario where credentials obtained in an unrelated breach are used to attempt to log in to a different company’s website (i.e., Company A has a breach and the threat actor attempts to credential stuff Company B’s accounts, hoping that the users are recycling the same username and password across multiple, unrelated online accounts). In that scenario, Company B may not have had an actual breach unless the threat actor accesses a Company B account and, as a result of that access, was able to view additional personal information about the data subject. The guidance is not clear as to when Company B would be expected to report the incident to either supervisory authorities or data subjects. The obligation to report may be based, in some measure, on whether the threat actor was able to access additional personal information after logging into Company B’s account and whether such access exposed the data subject to additional risks.