The controller/processor is responsible for the circumstance. The data had zero protection. They were publicly accessible. The controller/processor therefore accepted that this data would be stolen and/or misused. You can't talk your way out of this.
Yes, this is the exclusion of liability under Art. 82 para. 3 GDPR. Companies can theoretically exonerate themselves if they can prove that they are not responsible for the breach.
But why does this not apply here?
The data was leaked through their systems, so they had a security vulnerability.
They would have to prove that they did everything technically possible to prevent the attack - they did not.
Even if hackers stole the data, the question remains: why was this even possible?
The GDPR requires an appropriate level of protection. Apparently, there were vulnerabilities that hackers were able to exploit.
Whether they are "to blame" or not is of secondary importance. The damage to you has already been done, and the GDPR protects data subjects, not just those technically responsible.
Thank you, wrote an email. Funnily enough, the store is now back to maintenance work
Since the BGH decision in the Facebook case from November 2024, it has been clarified that the "mere and temporary loss of control over one's own personal data" is sufficient for damage. In this case, the data was published unintentionally. They were publicly accessible to anyone, as Lilith Wittmann describes, who actually accessed them to a minimum extent. Is it difficult to deny damage under these conditions?
Trust is a good keyword: but I'm not clear about the connection between trust in Protectra and legal expenses insurance? Have you misunderstood the business model of such legal service providers?
I don't understand what you mean by the Streisand effect in this context?
Well, that's right. The Streisand effect doesn't really fit. I just meant that it might not be so smart to enter into a contract with a shyster even though you haven't suffered any damage. Maybe this creates a problem in the first place, even though there really isn't one if you just leave it at that.
Protectra tries to get something out of it and if it works, then they pocket part of it. If not, they don't. They say I won't incur any costs, but is that really the case? If I assign the case, then I can't do anything myself, can I? What happens if I demand or have already demanded the deletion of data or something else that Protectra doesn't like and I may have ruined their business as a result? Am I then possibly in breach of Protectra's GTCs? Will there still be any costs afterwards? Or any phone calls, appointments and correspondence with anyone? I have no idea. As I said, I don't know the company and have never had anything like this to do with it. Maybe it's a good thing.
Someone here wanted to go through their lawyer and then report back. Maybe wait and see what he says?
Supergreg wrote on March 16, 2025 at 10:33 am: Hi,
I have summarized my approach. I hope you do the same.
1. Clarify whether I am affected
I have received the email from SlotMagie - so my data has been disclosed.
If you are unsure, you can request information from the company at in accordance with Art. 15 GDPR
2. Claim compensation for damages
I have sent SlotMagie a claim and invoked Art. 82 GDPR.
I demand at least €2,000 and set a deadline of 14 days.
If they refuse or do not respond, I will take the next step.
3. Submit a complaint to the data protection authority
If SlotMagie refuses, I will file an official complaint.
The more people do this, the greater the pressure.
The data protection authorities offer online forms for this purpose.
4. Check legal steps & organize class action lawsuit
If enough people join in, a class action can be useful.
I keep in touch with other affected parties and find out about law firms that prosecute GDPR violations.
This is how it usually works:
Company informs about the data leak (already happened).
Affected parties demand compensation (I am doing this now).
Company refuses or offers little (to be expected).
Many file complaints with data protection authorities (next step).
Legal action is taken (e.g. class action).
Company relents or loses in court.
Conclusion: It's worth sticking with it! Of course, this will all drag on.
I'm sure that everything is already being done in the background to play this down as much as possible.
I will not simply accept this case. The more people become active, the more pressure we will be under. If you are affected, do the same!
Greetings Greg
gagapapamama wrote on March 16th, 2025 at 12:10 pm:
I can already tell you that nothing will come of it. They will pay a hefty fine to the regulatory authority (state) and the players will go away empty-handed.
garfield68 wrote on 16.03.2025 at 12:22 pm:
That's exactly how I see it, or they somehow talk their way out of it and end up not having to pay anything. Wouldn't surprise me....
The news channel WELT has also just reported on this data leak at Merkur and is now claiming here that it is unclear to whom the data flowed. I thought this point would have been clarified by now and that only this Lilith Wittmann got hold of the data. In any case, it has now also been reported on television.
Well, she discovered the gap. Nobody can say whether she was the first and/or only one to do so. You can also enter your data in the relevant "Have I been hacked" searches. You can also do this free of charge on the Schufa website. You can then search by e-mail, telephone, ID number, IBAN, etc.
This searches all known lists, forums, marketplaces, etc. It is not possible to search for names or grin photos, but if, for example, the ID number appears there, then the other data will probably also be affected. If something is found, then it may be possible to draw further conclusions.
Hacker attack on Merkur Bets
This post has been translated automatically
What did you write?
A general question: can you do this per online casino or only once?
I think for each one individually.
I understand that there are different opinions on this subject, but I would like to point out that the legal situation is clear in this case.
A violation of Art. 82 GDPR.
There are numerous examples where companies have had to pay compensation.
If you are not personally affected or don't want to do anything, that's fine.
But I would ask you not to unsettle those affected with unfounded statements. It is important to look at the situation objectively.
Thank you
Quote from the article by Lilith Wittmann:
"All this data could be queried via GraphQL - with a very, very large query. You didn't even have to be logged in, you could simply get the data via queries called "users", "sessions" and "paymentOptionsV2". The system was therefore completely publicly accessible."
Therefore, it cannot be ruled out that others have obtained the data!
That is very important! Even SlotMagie (Merkur AG) has indirectly confirmed this!
https://support.slotmagie.de/hc/de/articles/33449973896721-Hinweise-zum-aktuellen-Datenschutzfall
"When was the incident discovered?
We were made aware of the incident on February 28, 2025 after the responsible supervisory authority, the Joint Gambling Authority of the Federal States (GGL) in Halle/Saale, informed us about it. The person responsible for the hacker attack had reported their actions and access to the authority. The reported security vulnerability was closed by our specialists on the same day.
The attack as such took place during February and early March 2025. On March 12, 2025, GGL received further information about a successful attack."
So they knew nothing before that and there were TWO successful attacks!
So they only reported what they were told. So they have no idea whether anyone else got hold of the data!
They have a big problem!