CTT Portugal Data Breach Exposes 468,000 Customer Records – What Regulators Require and How Organizations Must Respond
#Privacy

Regulation Reporter

A leak of over 468,000 email addresses, names, phone numbers and parcel‑tracking codes from Portugal’s national postal carrier CTT has been confirmed by HaveIBeenPwned. The breach triggers obligations under the EU General Data Protection Regulation (GDPR) and Portugal’s National Data Protection Authority (CNPD). This article outlines the regulatory actions, required remedial steps and the compliance timeline that CTT and any similarly affected entities must follow.

Regulatory action

  • GDPR Article 33 (Notification of a personal data breach to the supervisory authority) requires CTT to inform the CNPD within 72 hours of becoming aware of the breach.
  • GDPR Article 34 (Communication of a breach to the data subject) obliges CTT to notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
  • Portuguese Data Protection Law (Law No. 58/2019) mirrors the GDPR timelines and adds that the supervisory authority may impose a pre‑emptive audit if the breach involves sensitive data or systemic security failures.
  • ePrivacy Directive considerations apply because the leaked data includes phone numbers that could be used for direct‑marketing calls or SMS phishing.

What it requires

  1. Breach assessment and documentation
    • Compile a detailed breach report covering the cause, scope, categories of personal data affected, and the number of records (currently verified at 468,000).
    • Record the exact date and time of discovery, the date the data was first exposed (April 27, 2026), and any mitigation actions taken.
  2. Notification to the CNPD
    • Submit the breach report via the CNPD’s online portal within the 72‑hour window. The report must include:
      • Contact details of the data controller and data protection officer (DPO).
      • Description of the incident and its likely consequences.
      • Measures taken to address the breach and mitigate its effects.
  3. Communication to data subjects
    • Draft a clear, plain‑language notice for the 468,000 affected customers. The notice must explain:
      • What happened and what data was exposed (email, name, phone, tracking code).
      • Potential risks, such as targeted phishing attacks that exploit parcel‑tracking information.
      • Steps individuals can take (e.g., verify sender addresses, avoid clicking links, enable two‑factor authentication where available).
      • Contact information for a dedicated help desk or the DPO.
  4. Technical remediation
    • Conduct a forensic investigation to identify the vulnerability that allowed the leak (e.g., insecure API, misconfigured cloud storage, or compromised locker‑management system).
    • Patch or re‑configure the affected systems, enforce strong authentication for internal tools, rotate any exposed credentials, and withdraw any internal IP addresses or other infrastructure details that were exposed.
    • Review and harden the security of the Locky locker platform, ensuring that configuration files and backend version data are not publicly accessible.
  5. Risk mitigation for phishing
    • Work with email service providers and mobile carriers to flag suspicious CTT‑related phishing domains and SMS senders.
    • Publish guidance on the official CTT website and social media channels showing examples of legitimate parcel communications versus spoofed messages.
  6. Record‑keeping and audit readiness
    • Maintain all breach‑related documentation for at least two years as required by GDPR Article 5(1)(e).
    • Prepare for a possible CNPD audit by having evidence of the breach response plan, staff training records, and technical logs readily available.

Compliance timeline

| Deadline | Action | Responsible party |
|---|---|---|
| Within 72 hours of discovery | Submit breach notification to CNPD | CTT Data Protection Officer |
| Within 7 days | Dispatch individual breach notices to all affected customers | Customer communications team |
| Within 14 days | Complete forensic analysis and publish a summary of technical findings | IT security team |
| Within 30 days | Implement remediation measures (patches, configuration changes, credential rotation) | Infrastructure operations |
| Within 60 days | Conduct a post‑incident review and update the incident‑response plan | Risk management & DPO |
| Within 90 days | Submit a final compliance report to CNPD, including evidence of remedial actions | CTT senior management |

Practical steps for other organisations

  • Treat parcel‑tracking data as quasi‑sensitive: Even though it is not a traditional “special category” under GDPR, its combination with personal identifiers raises the risk profile. Store such data encrypted at rest and limit access to only those systems that need it for delivery operations.
  • Implement DMARC, DKIM and SPF for all outbound mail domains to make spoofed CTT emails easier to detect by recipients’ mail servers.
  • Educate customers: Deploy short video tutorials or FAQ pages that illustrate how a genuine CTT notification looks, what URLs are legitimate, and how to verify a tracking number directly on the official site.
  • Monitor underground forums: The breach was first posted by a user named “Boogeyman”. Ongoing threat‑intel monitoring can provide early warning of new payloads or phishing kits that reuse the leaked data.
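One concrete check for the DMARC/SPF advice above, as an added example that is not code from the article or from CTT: it parses SPF and DMARC TXT records (constructed samples for a placeholder domain, so it needs no DNS access) and reports the settings that would still let spoofed mail reach recipients.

```python
# Added example, not code from the article or CTT. Records below are constructed
# samples for a placeholder domain; a real check fetches them over DNS first.
import re

# Constructed samples: a monitoring-only setup beside a hardened one.
SAMPLE_RECORDS = {
    "weak": {"spf": "v=spf1 include:_spf.mailer.example.invalid ~all",
             "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"},
    "hardened": {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example.invalid -all",
                 "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid"},
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"[+\-~?]?(include|a|mx|exists|redirect)(?:[:=].*)?", re.I)

def assess_spf(record: str) -> list:
    """Return weaknesses of an SPF record; an empty list means none found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The 'all' qualifier decides what receivers do with unlisted senders.
    final = next((t.lower() for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if final in (None, "all", "+all"):
        findings.append("SPF permits any sender (missing or +all)")
    elif final == "?all":
        findings.append("?all is neutral: unlisted senders neither pass nor fail")
    elif final == "~all":
        findings.append("~all softfail: spoofed mail is tagged, not rejected")
    lookups = sum(1 for t in terms if LOOKUP_TERM.fullmatch(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings

def assess_dmarc(record: str) -> list:
    """Return weaknesses of a DMARC record; an empty list means none found."""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: receivers only report, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports from receivers are lost")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the traffic")
    return findings
```

Running `assess_spf` and `assess_dmarc` over the two sample pairs shows the "weak" domain flagged for ~all and p=none while the "hardened" one returns no findings.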

Bottom line: The CTT breach activates a clear set of GDPR and Portuguese data‑protection obligations. Prompt notification, transparent communication with affected individuals, and swift technical remediation are not optional – they are mandated by law. Failure to meet these timelines can result in administrative fines of up to €20 million or 4 % of global annual turnover, whichever is higher, plus reputational damage that can erode customer trust.

For the latest guidance on breach notification, see the CNPD’s official handbook and the European Data Protection Board’s guidelines on personal data breaches.
