Privacy settings

We use a number of cookies on our website. Some are essential, while others help us improve our portal for you.

Privacy settings

Here is an overview of all the cookies we use. You can choose to accept whole categories or view more information and select only certain cookies.

Essential (6)

Essential cookies enable basic functions and are necessary for the website to function properly.

Statistics (3)

Statistics cookies collect information anonymously. This information helps us to understand how our visitors use our website.
If the statistics cookies are subsequently deselected, they will remain on the computer until the expiry date. However, they are neither updated nor evaluated.

Online Casinos in general: Hacker attack on Merkur Bets (Page 6)

Topic created on 14th Mar. 2025 | Page: 6 of 8 | Answers: 106 | Views: 8,397
Supergreg
Visitor

frapi07 wrote on March 15, 2025 at 5:48 pm:

The controller/processor is responsible for the circumstance. The data had zero protection. They were publicly accessible. The controller/processor therefore accepted that this data would be stolen and/or misused. You can't talk your way out of this.

Yes, this is the exclusion of liability under Art. 82 para. 3 GDPR. Companies can theoretically exonerate themselves if they can prove that they are not responsible for the breach.


But why does this not apply here?


  • The data was leaked through their systems, so they had a security vulnerability.

  • They would have to prove that they did everything technically possible to prevent the attack - they did not.

  • Even if hackers stole the data, the question remains: why was this even possible?





  • The GDPR requires an appropriate level of protection. Apparently, there were vulnerabilities that hackers were able to exploit.

  • Whether they are "to blame" or not is of secondary importance. The damage to you has already been done, and the GDPR protects data subjects, not just those technically responsible.



  • This post has been translated automatically

    Rainmann
    Elite
    Supergreg wrote on 15.03.2025 18:05:

    Yes, this is the exclusion of liability according to Art. 82 para. 3 GDPR. Companies can theoretically exonerate themselves if they can prove that they are not responsible for the breach.


    But why does this not apply here?


    • The data was leaked through their systems, so they had a security vulnerability.

    • They would have to prove that they did everything technically possible to prevent the attack - they did not.

    • Even if hackers stole the data, the question remains: why was this even possible?





  • The GDPR requires an appropriate level of protection. Apparently, there were vulnerabilities that hackers were able to exploit.

  • Whether they are "to blame" or not is of secondary importance. The damage to you has already been done, and the GDPR protects data subjects, not just those technically responsible.




  • Thank you, wrote an email. Funnily enough, the store is now back to maintenance work

    This post has been translated automatically

    slotliebe89
    Elite

    Rainmann wrote on 15.03.2025 at 18:54:
    Thanks, wrote an email. Strangely enough, maintenance work at the store again now

    What did you write?

    This post has been translated automatically

    Benno444
    Visitor

    GambleMike wrote on 15.03.2025 at 16:09:

    Since the BGH decision in the Facebook case from November 2024, it has been clarified that the "mere and temporary loss of control over one's own personal data" is sufficient for damage. In this case, the data was published unintentionally. They were publicly accessible to anyone, as Lilith Wittmann describes, who actually accessed them to a minimum extent. Is it difficult to deny damage under these conditions?

    Trust is a good keyword: but I'm not clear about the connection between trust in Protectra and legal expenses Insurance? Have you misunderstood the business model of such legal service providers?
    I don't understand what you mean by the Streisand effect in this context?

    Well, that's right. The Streisand effect doesn't really fit. I just meant that it might not be so smart to enter into a contract with a shyster even though you haven't suffered any damage. Maybe this creates a problem in the first place, even though there really isn't one if you just leave it at that.


    Protectra tries to get something out of it and if it works, then they pocket part of it. If not, they don't. They say I won't incur any costs, but is that really the case? If I assign the case, then I can't do anything myself, can I? What happens if I demand or have already demanded the deletion of data or something else that Protecta doesn't like and I may have ruined their business as a result? Am I then possibly in breach of Protectra's GTCS? Will there still be any costs afterwards? Or any phone calls, appointments and correspondence with anyone? I have no idea. As I said, I don't know the company and have never had anything like this to do with it. Maybe it's a good thing.

    Someone here wanted to go through their lawyer and then report back. Maybe wait and see what he says?

    This post has been translated automatically

    ricweh
    Visitor
    Is the platform working again?

    This post has been translated automatically

    Supergreg
    Visitor
    Hi,

    i have summarized my approach. I hope you do the same.



    1. Clarify whether I am affected

    • I have received the email from SlotMagie - so my data has been disclosed.

    • If you are unsure, you can request information from the company at in accordance with Art. 15 GDPR




    2. Claim compensation for damages

    • I have sent SlotMagie a claim and invoked Art. 82 GDPR.

    • I demand at least €2,000 and set a deadline of 14 days .

    • If they refuse or do not respond, I will take the next step.




    3. Submit a complaint to the data protection authority

    • If SlotMagie refuses, I will file an official complaint.

    • The more people do this, the greater the pressure.

    • The data protection authorities offer online forms for this purpose.




    4. Check legal steps & organize class action lawsuit

    • If enough people join in, a class action can be useful.

    • I keep in touch with other affected parties and find out about law firms that prosecute GDPR violations.




    This is how it usually works:

    1. Company informs about the data leak (already happened).

    2. Affected parties demand compensation (I am doing this now).

    3. Company refuses or offers little (to be expected).

    4. Many file complaints with data protection authorities (next step).

    5. Legal action is taken (e.g. class action).

    6. Company relents or loses in court.




    Conclusion: It's worth sticking with it! Of course, this will all drag on.

    I'm sure that everything is already being done in the background to play this down as much as possible.

    I will not simply accept this case. The more people take action, the more pressure we will be under. If you are affected, do the same!

    Greetings Greg


    This post has been translated automatically

    frapi07
    Elite

    A general question: can you do this per online casino or only once?

    This post has been translated automatically

    gagapapamama
    Elite

    Supergreg wrote on March 16, 2025 at 10:33 am: Hi,

    i have summarized my approach. I hope you do the same.



    1. Clarify whether I am affected

    • I have received the email from SlotMagie - so my data has been disclosed.

    • If you are unsure, you can request information from the company at in accordance with Art. 15 GDPR




    2. Claim compensation for damages

    • I have sent SlotMagie a claim and invoked Art. 82 GDPR.

    • I demand at least €2,000 and set a deadline of 14 days .

    • If they refuse or do not respond, I will take the next step.




    3. Submit a complaint to the data protection authority

    • If SlotMagie refuses, I will file an official complaint.

    • The more people do this, the greater the pressure.

    • The data protection authorities offer online forms for this purpose.




    4. Check legal steps & organize class action lawsuit

    • If enough people join in, a class action can be useful.

    • I keep in touch with other affected parties and find out about law firms that prosecute GDPR violations.




    This is how it usually works:

    1. Company informs about the data leak (already happened).

    2. Affected parties demand compensation (I am doing this now).

    3. Company refuses or offers little (to be expected).

    4. Many file complaints with data protection authorities (next step).

    5. Legal action is taken (e.g. class action).

    6. Company relents or loses in court.




    Conclusion: It's worth sticking with it! Of course, this will all drag on.

    I'm sure that everything is already being done in the background to play this down as much as possible.

    I will not simply accept this case. The more people become active, the more pressure we will be under. If you are affected, do the same!

    Greetings Greg



    I can already tell you that nothing will come of it. They will pay a hefty fine to the regulatory authority (state) and the players will go away empty-handed.

    This post has been translated automatically

    garfield68
    Elite

    gagapapamama wrote on March 16th, 2025 at 12:10 pm:

    I can already tell you that nothing will come of it. They will pay a hefty fine to the regulatory authority (state) and the players will go away empty-handed.

    that's exactly how i see it, or they'll somehow talk their way out of it and end up paying nothing at all. i wouldn't be surprised....

    This post has been translated automatically

    slotliebe89
    Elite

    frapi07 wrote on March 16th, 2025 at 11:43 am:
    A general question: can you do this per online game store or only once?

    I think for each one individually.

    This post has been translated automatically

    Supergreg
    Visitor

    gagapapamama wrote on March 16th, 2025 at 12:10 pm:

    I can already tell you that nothing will come of it. They will pay a hefty fine to the regulatory authority (state) and the players will go away empty-handed.

    garfield68 wrote on 16.03.2025 at 12:22 pm:

    that's exactly how i see it,or they somehow talk their way out of it and end up not having to pay anything. wouldn't surprise me....




    I understand that there are different opinions on this subject, but I would like to point out that the legal situation is clear in this case.

    A violation of Art. 82 GDPR.

    There are numerous examples where companies have had to pay compensation.

    If you are not personally affected or don't want to do anything, that's fine.

    But I would ask you not to unsettle those affected with unfounded statements. It is important to look at the situation objectively.

    Thank you

    This post has been translated automatically

    Falko
    Icon
    The news channel WELT has also just reported on this data leak at Merkur and is now claiming here that it is unclear to whom the data flowed. I thought this point would have been clarified by now and that only this Lilith Withmann got hold of the data. In any case, it has now also been reported on television.

    This post has been translated automatically

    Supergreg
    Visitor
    Thank you for this information!



    Quote from the article by Lilith Wittmann:



    "All this data could be queried via GraphQL - with a very, very large query. You didn't even have to be logged in, you could simply get the data via queries called "users", "sessions" and "paymentOptionsV2". The system was therefore completely publicly accessible."



    Therefore, it cannot be ruled out that others have obtained the data!
    That is very important! Even SlotMagie (Merkur AG) has indirectly confirmed this!




    https://support.slotmagie.de/hc/de/articles/33449973896721-Hinweise-zum-aktuellen-Datenschutzfall



    "When was the incident discovered?


    We were made aware of the incident on February 28, 2025 after the responsible supervisory authority, the Joint Gambling Authority of the Federal States (GGL) in Halle/Saale, informed us about it. The person responsible for the hacker attack had reported their actions and access to the authority. The reported security vulnerability was closed by our specialists on the same day.
    The attack as such took place during February and early March 2025. On March 12, 2025, GGL received further information about a successful attack. "



    So they knew nothing before that and there were TWO successful attacks!

    So they only reported what they were told. So they have no idea whether anyone else got hold of the data!


    They have a big problem!







    This post has been translated automatically

    Hommie1304
    Visitor
    Does anyone have a template with which you can write to SlotMagie professionally?

    This post has been translated automatically

    Benno444
    Visitor
    Well, she discovered the gap. Nobody can say whether she was the first and/or only one to do so. You can also enter your data in the relevant "Have I been hacked" searches. You can also do this free of charge on the Schufa website. You can then search by e-mail, telephone, ID number, IBAN, etc.

    This searches all known lists, forums, marketplaces, etc. It is not possible to search for names or grin photos, but if, for example, the ID number appears there, then the other data will probably also be affected. If something is found, then it may be possible to draw further conclusions.

    This post has been translated automatically

    Hot Topics17th Mar. 2025 at 04:55 am CET

    Community Forum-Moderators

    Members who assist the GJ team in moderating the forum.
    Profile picture of AndreAndre
    Profile picture of gamble1gamble1
    Profile picture of Langhans_innenLanghans_innen
    Profile picture of SaphiraSaphira
    GambleJoe is aimed exclusively at user whose allowed to play legally with his current location in online casinos and does not violate the current law.
    It is the responsibility of the user to inform himself about the current legal situation. Gambling is prohibited for children and adolescents under the age of 18.
    GambleJoe is a registered trademark with the EUIPO of GJ International Ltd.

    © 2012-2025 GambleJoe.com

    Forgotten your password?

    Create a new password here

    • 1. Fill in the 3 fields carefully and click on the green button
    • 2. Check your email inbox for a message from GambleJoe
    • 3. Click on the confirmation link in the email and your new password will be active immediately