High penalty of the Personal Data Protection Office after a hacker attack. “Security measures proved ineffective”

UODO wrote that As a result of a hacker attack, the company lost access to its customer and employee databasewhich included, among others, PESEL numbers, ID cards, parents' names and surnames, dates of birth, places of residence, bank account numbers, e-mail addresses, and telephone numbers.

“As the company claimed, its the employee turned off the antivirus program and this enabled the ransomware attack. According to the administrator, the incident was short-lived and the company managed to regain access to the data. She also concluded that the purpose of the attack was not to obtain data, but to blackmail. Therefore, it concluded that there was no high risk of violating the rights or freedoms of natural persons,” we read in the statement.

The Personal Data Protection Office emphasized that the company did notify all data subjects about the fact, but it did so incorrectly and did not respond to the comments reported by the Personal Data Protection Office.

“The President of the Personal Data Protection Office comprehensively considered the evidence collected in the case. He also asked the company (the data controller) what solutions it had implemented after the attack. As a result, the Personal Data Protection Office found that the data controller had not applied appropriate technical and organizational measures that would minimize the risk to the data. And this happened. this is because, contrary to the provisions of the GDPR, it did not conduct an appropriate risk analysis. In this situation, this risk should have been combined with the possibility of using malicious software,” the office said.

As indicated, “one of the key methods to prevent such attacks is to use up-to-date software for all elements of the IT infrastructure.” “What the company did not do, because it did not identify such a threat,” it was explained.

The Personal Data Protection Office reported that, regardless of the previous failure to implement appropriate security measures, a penalty was also imposed for failure to verify whether the processing entity is able to guarantee appropriate technical and organizational measures to ensure that the processing complies with the requirements of the GDPR and protects the rights of the persons concerned. regulations.

“At no stage of personal data processing did the Administrator precisely determine all identifiable risks or threats, which is why the measures he implemented security measures proved ineffective. The measures implemented after the attack were also insufficient: the administrator was unable to demonstrate that they were appropriate to the risk because he had not assessed the risk,” we read.

“The administrator indicated that the human factor was to blame, but, as he himself admitted, he only conducted two training courses in the field of data protection. And only one before the event. This is not enough if the administrator believes that the 'human factor' creates a problem in his organization threat to data – added.

In the opinion of the President of the Personal Data Protection Office, there were also shortcomings on the part of the controller in notifying its former and current employees about the breach of their personal data.

“The President of the Personal Data Protection Office also noted the liability of the partners of the civil partnership to which the administrator entrusted the processing of data. He indicated that the company did not provide assistance to the administrator in fulfilling his obligation to implement adequate technical and organizational measures to ensure the security of personal data processing,” it was noted.

The Personal Data Protection Office added that “over the years, the processor has failed to inform the administrator about vulnerabilities in the server software, as well as about the need to update the operating system to the latest possible version.

For a company selling, among others, anti-burglary doors, a fine of PLN 350,000 was imposed. PLN, and for the entity entrusted with data processing – PLN 9.8 thousand. zloty.