Garmin begins recovery from ransomware attack


NickMNS

2:54 pm on Jul 28, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



[bbc.com...]
The American GPS and fitness-tracker company Garmin is dealing with the aftermath of a ransomware attack, the BBC has confirmed.

Owners of its products had been unable to use its services since Thursday.

However, some of its online tools are now being provided in a "limited" state, according to its online dashboard.

Garmin has said it was "the victim of a cyber-attack that encrypted some of our systems".

But the statement it released avoided any reference to a ransom demand.


This one hits close to home, as I am a user of these types of devices. Fortunately I opted for a Polar device (Garmin's competitor), partly due to the fact that Polar is located in the EU (Finland) and thus falls under the requirements of GDPR. Note the nature of the data that could have been compromised is extremely sensitive in that it includes data on the health and fitness of the users, including information such as age, body weight and level of physical fitness.

There is no mention that user data was compromised, but one must assume that if the attackers had sufficient access to encrypt the data, they also could have access to it.

Mark_A

3:04 pm on Jul 28, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I want to know how the hackers first accessed the company's systems?

It is interesting when thinking of defences against such attacks.

engine

3:41 pm on Jul 28, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Health data is very valuable, especially to insurance companies. I can also imagine how a bad actor might want to abuse that data.

@Mark_A I thought I'd try this [webmasterworld.com...]

tangor

2:19 am on Jul 29, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm curious how health data relates to GPS. Doesn't seem to make a logical match, GDPR or no...

NickMNS

2:56 am on Jul 29, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm curious how health data relates to GPS. Doesn't seem to make a logical match,

GPS coordinates are used to track the position of the user while doing an activity, think of running or cycling. Take change in location over change in time = speed. Then pair that with heart rate, age, weight and a few other indicators and you get a very accurate indication of the user's physical condition. My Polar watch is able to predict my 5k running time with astonishing accuracy.

Strava is a social media website used by endurance athletes (running/cycling/cross-country skiing etc.) to share their performance stats. A few years back it got into trouble for openly sharing the anonymized GPS data of its user base. People plotted the data on maps, for various locations. The data revealed, among other things, the exact location of US military bases in Afghanistan as well as the most common off-base routes used by runners from the base.

Once again, this example reveals the information asymmetry that exists between these tech companies and the general public. It is easy to say I have nothing to hide, but the reality is that you don't even have the ability to fathom what type of information can be derived from the data held by these companies. In other words you don't even know what one would need to hide from, so how can one make an informed choice about whether one should or should not hide.

To make matters worse, in this specific case the data is no longer held exclusively by the "company"; it is now potentially in the hands of nefarious actors.

Mark_A

8:58 am on Jul 29, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@ engine
@Mark_A I thought I'd try this [webmasterworld.com...]


You are at a level of sophistication greater than me. We do have data online though; our CRM is in the cloud, as is our email.

Last week a trusted organisation contacted us to say one of their machines had been compromised and had sent emails. They said: don't follow links or open attachments, and please delete the email without opening. We hadn't received the dodgy email; one of our security scans of incoming email (the second of two) had picked up that the message was dodgy and deleted it.

It got my alarms up. If a single email from a hitherto trusted source can threaten, and by all accounts the email would have looked genuine to a human, then security is illusory at best, even with email scanning etc.