Notice about a violation of personal data protection


Dear Sirs,

We are writing to inform you of the personal data breach that occurred at the Association of Business Service Leaders with its registered office in Warsaw (00-124), Rondo ONZ 1, KRS: 0000340712.

Being concerned about your security and privacy, and to lessen any negative effects of the incident, we have reported it to the supervisory authorities. Jointly, we have also implemented measures to further enhance the security of our systems and internal communications, which are described below.

COURSE OF THE INCIDENT

Between 6 December 2024 and 31 March 2025, we were the victim of a cyberattack. The incident involved an unauthorized person (the attacker) gaining access to the Office 365 e-mail account of one of our employees. During the attack, the attacker was able to view the contents of the e-mail correspondence stored in that account.

Immediately after discovering the attack, we blocked further access to the compromised e-mail account and related resources.

The security analysis did not reveal any evidence of a security breach or takeover of other e-mail accounts in our organization, nor did the attackers gain access to other applications or resources associated with the attacked employee's account.

TYPE AND SCOPE OF DATA 
PERSONAL DATA AFFECTED BY THE BREACH

The breach may have involved the following categories of your personal data:

name and surname, gender, address of residence or stay, business address, e-mail address, telephone or fax number, place of employment or position held, academic degree or professional title, image, tax identification number (NIP), REGON number of sole proprietorship, sole proprietorship name, entry on the ‘white list’ of VAT taxpayers, other public register number, bank account number, and other data that you have shared with us in e-mail correspondence.

POSSIBLE CONSEQUENCES OF THE BREACH

It is possible, but unlikely, that you will encounter noteworthy inconveniences, which may include, for example:

  • sending unsolicited marketing materials (spam);
  • phishing attempts, i.e. contacts from unknown persons trying to obtain your additional data or force you to take certain actions, including through telephone calls, text messages or e-mails;
  • incurring additional costs, e.g. insurance fraud or extortion of insurance funds;
  • attempts to impersonate you (identity theft) or attempts to use your data for criminal activities, e.g. unauthorized transactions or cybercrime;
  • use of your e-mail address to create accounts on websites;
  • exposure to significant stress or other mental distress, including anxiety or a feeling of insecurity;
  • creation of graphics or films using your image with the use of artificial intelligence (AI);
  • access to confidential information about your business activities that does not constitute personal data.

We have not currently received any information about negative effects related to the incident in question. Nevertheless, we recommend that you take necessary safety measures.

HOW CAN YOU PROTECT YOURSELF?

Your most effective way to protect your privacy is to take the following steps:

  • change the passwords for all important accounts, especially online banking;
  • check your bank accounts for suspicious transactions or unexpected transfers;
  • take particular caution with regard to suspicious e-mails, text messages or phone calls, especially those requesting additional data, files or links;
  • avoid providing information about yourself in telephone conversations and e-mails;
  • monitor your online accounts for unauthorized activity;
  • register at https://www.bik.pl to monitor any unauthorized use of your identity;
  • if there is a violation of your personal rights, including any form of direct or indirect discrimination, use the means of protection of personal rights indicated in the provisions of the Polish Civil Code and the Polish Code of Civil Procedure.

HOW DID WE SECURE YOUR DATA AFTER THE BREACH?

In response to the breach, we have taken the following measures to protect your personal data:

  • we have blocked third-party access to the employee's compromised e-mail account;
  • we have notified the President of the Personal Data Protection Office, the Central Bureau for Combating Cybercrime of the Polish Police and CERT Poland about the incident;
  • we conducted a security audit of the IT security measures in place across the entire infrastructure of the Association of Business Service Leaders;
  • we conducted a professional post-breach analysis to determine the course of the incident and its effects;
  • we analyzed our technical and organizational framework, including internal procedures and guidelines, and then implemented the necessary changes to improve overall security within the organization.


We sincerely apologize for the unanticipated event and we will take all necessary steps to protect your rights and freedoms, including providing you with the necessary assistance.

Should you require any support, including legal or factual assistance, please contact Ms. Wioletta Bobryk, e-mail: wioletta.bobryk@absl.pl.