topic Re: Arlo personal data breach in Arlo Secure

Arlo personal data breach

Edinburgh_lad1 — Thu, 22 May 2025 23:30:09 GMT

So, we got this email saying that there's been a personal data breach at Arlo. I found the email vague. Was there a personal data breach or not. Was any of my data leaked? If there was no evidence of unauthorised access, as the email claims, why is this classified as a personal data breach? The word 'breach' suggests to me that it was indeed breaking/violation/opening. The email also says that as a user, I'm not "adversely" affected by this data breach.

Re: Arlo personal data breach

StephenB — Fri, 23 May 2025 01:17:28 GMT

@Edinburgh_lad1 wrote:

So, we got this email saying that there's been a personal data breach at Arlo. I found the email vague. Was there a personal data breach or not. Was any of my data leaked? If there was no evidence of unauthorised access, as the email claims, why is this classified as a personal data breach? The word 'breach' suggests to me that it was indeed breaking/violation/opening. The email also says that as a user, I'm not "adversely" affected by this data breach.

@ittroll posted the text here:

https://community.arlo.com/t5/Arlo-Secure/When-are-we-getting-custom-modes-back/m-p/2451014#M13290

My assessment of what it means follows his post. Based on the wording in his post, I don't believe anything was actually leaked.

The "security incident" was the login outage back in 6-7 May which resulted in loss of access to your personal information.

A security incident that results in loss of access is included in the GPDR definition of "personal data breach". The GPDR requires Arlo to notifiy you of such incidents, and I believe the language used in their communication was to make it clear that it was the notification that the law requires. They acknowledge (and apologize for) the loss of access, and go on to say that - despite the "data breach" language - there was no compromise of your data.

Calling the login outage a "security incident" is interesting, as it suggests that the service was taken down by a cyberattack.

Re: Arlo personal data breach

Edinburgh_lad1 — Fri, 23 May 2025 05:56:48 GMT

Indeed. It's alarmist.

Re: Arlo personal data breach

StephenB — Fri, 23 May 2025 11:59:20 GMT

@Edinburgh_lad1 wrote:

Indeed. It's alarmist.

If it sounds alarmist to you, then I think that is really on the GPDR, not Arlo.

The GPDR requires notification whenever a security incident results in a personal data breach (as defined in the law itself, not what you might think a "security incident" or "personal data breach" is). The language Arlo chose ensured that there is no doubt that they are in full compliance with the GPDR - particularly important for a US company operating in Europe.

That said, I suspect the "loss of access" in the GPDR definition is intended to cover ransomware attacks where the data is encrypted by the attacker, but not compromised (since the attacker never gets it). Even if the company manages to decrypt it (for instance by paying the ransom), they are still required to notifiy you of the attack. But there are other possibilities (like a DDOS attack) that could also be classified as "security incidents".

Re: Arlo personal data breach

JamesC — Sun, 25 May 2025 17:36:49 GMT

On May 19th, some users received an email as mandated by EU’s GDPR requirements that may have caused some confusion. To help clarify, there was a short outage where some users temporarily were unable to log in but no data was compromised and there was no unauthorized access to data. Your account and information remain secure.

Thanks,

Arlo Team

Re: Arlo personal data breach

rsmith6121 — Tue, 27 May 2025 20:23:13 GMT

Because of this incident, I'm actually thinking about moving my cameras out of the Arlo cloud. Arlo has been steadily increasing the subscription price while not really improving their service quality, customer service or even the overall cloud security; hence the breach/server outage. All the reasons given in the following video, to cancel Arlo's subscription plan and switch to a basestation/smarthub, are spot on, in my opinion: YouTube Video

Re: Arlo personal data breach

Edinburgh_lad1 — Mon, 26 May 2025 17:52:04 GMT

Unfortunately, I have to agree with you.