On April 14th, we informed our customers that the Sedo website had been compromised by an unknown intruder through a previously unknown security loophole. This caused an unauthorized email to be sent to a small number of our customers.
We’re taking our customers’ concerns seriously. That is why we’d like to use this opportunity to answer the most frequently asked questions regarding data security and data protection, and to clarify to what extent the security loophole has led to the disclosure of customer data.
What data has been compromised?
The intruder was only able to obtain email addresses. No other data has been compromised.
If only email addresses have been compromised, why did the unauthorized email contain my real name?
By exploiting the already closed loophole, the intruder triggered the email with the subject line “Confirm your Sedo Account”.
The salutation containing your name was inserted from our own database by automatically linking the account data with the matching email address.
This account data was and is safely stored in our system and couldn’t be read by the intruder.
Was the unauthorized email a fake or phishing mail?
No. The email itself was sent through our own system, but its content was neither relevant nor current. If you clicked on any of the links contained in that email, rest assured: clicking on any of these links had no impact whatsoever.
Has an offer been submitted in my name, as stated in the email?
No. The information in this erroneously sent email can be fully ignored and disregarded. No offer has been submitted without your knowledge, nor has clicking on any of the links provided in the email had any consequences for your account.
Has an account been created in my name, as stated in the email?
No. The information in this email is not correct at all. No new or additional accounts have been created for you.
Why have I received an email, although my account has been deleted in the past already?
If a Sedo customer requests the deletion of their account, Sedo must always check whether the deletion is legally allowed. In general, account data shall be erased as soon as it is no longer needed to carry out the original purpose of the account’s creation. This would be the case, among other situations, if a customer expresses the desire to have their account deleted. Account data cannot be deleted, though, if Sedo is obliged to preserve the information. This requirement originates from German law (§ 147 “Abgabenordnung” and § 257 “Handelsgesetzbuch”). Sedo is a German company and therefore must abide by these laws.
This is why your account has not been deleted, but instead is suspended in such a way that your data is stored only to meet our legal requirement to preserve records.
Thus, this unauthorized communication did not differentiate between active and suspended accounts.
What can I do if I want my old Sedo account to be deleted?
If, on receiving this email, you’ve noticed that you have a Sedo account that you no longer require, you can delete that account. To do so, please send us a note with the subject line “Delete account”.
If you have any further questions, we invite you to visit our customer support center via support.sedo.com. Please note that it might take a little more time than usual to answer your requests due to the currently high volume of requests. Further information on our privacy protection policy can be found at: <link us about-us policies protecting-your-privacy>