Łódź, 28 March 2025
Dear Sir or Madam,
WITKO Sp. z o.o. with its registered office in Łódź, fulfilling its obligations as a data controller within the meaning of Article 4 paragraph 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereby informs you that on 19.03.2025 our company fell victim to a hacker attack (phishing), which led to a breach of personal data protection through the reading and downloading of the e-mail of one of our employees. The breach may have concerned your personal data.
This event led to the loss of availability and confidentiality of personal data, including that of customers, contractors and employees of WITKO Sp. z o.o.
What actions were taken in connection with the incident?
Immediately after the security incident was detected, the necessary actions were taken to prevent further breaches of personal data; in particular, control over the intercepted email was regained, and the President of the Polish Personal Data Protection Office was notified.
WITKO Sp. z o.o. makes every effort to minimize the effects of the attack and restore full functionality of IT systems in the shortest possible time.
What personal data was subject to the breach?
The attack resulted in a breach of the availability and confidentiality of your personal data, which may include:
• identification data;
• contact data (e-mail address, telephone number, residential address);
• PESEL number;
• first name, first names and last name;
• date of birth;
• series and number of your ID card.
Who can you contact regarding a breach of personal data protection?
If you have any questions regarding the breach, you can contact WITKO Sp. z o.o. by sending an e-mail inquiry to the following address: daneosobowe@witko.com.pl
What are the potential consequences of a breach of personal data protection?
The consequences of a breach of your personal data may be:
• processing of personal data for marketing purposes without prior consent (in the case of traditional marketing, i.e. sending marketing content to the employment address);
• publication or disclosure of personal data, which may violate your personal rights;
• threat of harassment or blackmail using the disclosed data;
• exposure to increased phishing attacks aimed at obtaining personal data;
• setting up an online account using personal data (e.g. on social networking sites);
• a third party attempting to obtain loans from non-bank institutions to your detriment, e.g. via the Internet or by telephone, without having to show your identity document;
• a third party attempting to gain access to systems supporting the provision of medical services and to gain insight into your health data (often access to patient registration systems can be obtained by confirming your identity using your PESEL number);
• use of personal data to exercise civil rights, e.g. by voting in a vote on civic budget funds;
• a third party using personal data to attempt to fraudulently obtain insurance or insurance funds;
• a third party using personal data to attempt to conclude civil law contracts;
• use of personal data by third parties to conceal their identity (e.g. when receiving fines);
• registering a prepaid telephone card, which may be used for criminal purposes.
What can you do to minimize the negative effects of the breach?
In order to minimize the potential negative effects of the incident, we recommend that you:
• reserve your PESEL number (you can do this online: click the Zastrzeż PESEL button and log in, and the system will take you to mObywatel.gov.pl; alternatively, download the application and fill it out at home, or do it at your commune office). From June 1, 2024, financial institutions (e.g. banks) are obliged to verify whether the PESEL number is reserved when concluding, for example, a credit or loan agreement;
• set up an account in the credit and economic information system in order to monitor your credit activity. Systems, institutions and companies available on the market offer services that allow you to do this, for example: Biuro Informacji Kredytowej S.A. (https://www.bik.pl), Biuro Informacji Gospodarczej InfoMonitor S.A. (https://big.pl), Krajowy Rejestr Długów Biuro Informacji Gospodarczej S.A. (https://krd.pl) and Serwis CHRONPESEL (https://www.chronpesel.pl);
• change the login or password for systems in which the login or password was the PESEL number;
• enable additional security on services that allow two-step verification;
• pay special attention to attempts to log into your accounts and check alerts sent to your email address;
• be cautious when contacted by banks or other financial institutions, especially when the interlocutor wants to obtain data such as ID number, bank account number, etc. by quoting the PESEL number;
• be careful when using social media, especially when receiving private messages containing links;
• if you notice someone impersonating you, notify law enforcement agencies of the possibility of a crime being committed;
• if you notice a violation of your personal rights through the use of personal data that was covered by this breach, use the personal rights protection measures specified in the provisions of the Civil Code.
You can check the security of your data yourself at https://bezpiecznedane.gov.pl/ or on the equivalent site for your country.
Taking these actions should minimize the negative effects of the breach and protect personal data from misuse.