Cyber Incident Victim: WSS Detal
Date:
May 2025
Location:
Poland
Summary
Unauthorized access to the systems of WSS Detal resulted in the exposure of customers' personal data, including names, surnames, phone numbers, email addresses, and delivery addresses. The breach led to risks of unwanted phone calls, telemarketing, and potential fraud attempts using the leaked information. The company secured its systems, identified and blocked the source of the intrusion, and notified the Personal Data Protection Office.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On 21 May 2025, WSS Detal Sp. z o.o., operator of the Spar online store in Poznań, experienced an unauthorized access to its IT systems resulting in a personal data breach. The compromised data included customers’ first and last names, telephone numbers, e‑mail addresses, and delivery addresses used for orders. The breach was disclosed to affected individuals via a notification dated the same day, citing Article 34 of the GDPR.
The exposed information could be used for unwanted telephone contact, including telemarketing and attempts at fraud via phone. Additionally, attackers possessing the full set of data might attempt to defraud individuals by obtaining money or redirecting them to counterfeit websites, leveraging the authenticity of the leaked data to increase credibility. The notification warned that such misuse could lead to unwanted communications concerning personal or financial matters.
In response, WSS Detal secured its IT systems, identified and blocked the source of the unauthorized access, and reported the incident to the President of the Office for Personal Data Protection (UODO). The company provided an e‑mail address, [email protected], for individuals to report any observed misuse or irregularities related to the breach. For additional questions regarding the incident, individuals could contact the company’s legal office via the same e‑mail address. It also stated that it would continue to take all necessary steps to prevent similar incidents in the future.