HDPA (Greece) - 10/2024: Difference between revisions

From GDPRhub

Revision as of 13:14, 23 April 2024

HDPA - 10/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: 2,995,140 EUR
Parties: Hellenic Post
National Case Number/Name: 10/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Iliana Papantoni

The HDPA imposed a fine of € 2,995,140 on the Hellenic Post (ELTA) for violation of Articles 5(1)(f) and 32 GDPR, following its personal data breach notifications.

English Summary

Facts

On 23 March 2022, Hellenic Post S.A. (ELTA, the controller) notified a personal data breach to the Hellenic DPA (HDPA) following a malicious attack in which software on its systems was encrypted. The attackers had gained access to employees' workstations and files, to the passwords of network domain administration accounts and to miscellaneous folders, and had installed malicious processes on the controller's systems. The data taken was subsequently published on the dark web.

On 19 May 2022, the HDPA asked the controller to describe the actions taken to investigate and address the breach, the actions taken to inform the data subjects concerned or any third party, and any other relevant detail. The controller replied on 1 and 2 June 2022 with a cybersecurity incident report, stating that it had informed the public about the breach and the actions taken in response, had announced the incident internally, had informed international postal bodies (the International Post Corporation, PostEurop and the Universal Postal Union) and the competent national authorities, including the Hellenic Authority for Communication Security and Privacy, and had informed the Athens Water Supply and Sewerage Company (EYDAP), on whose behalf ELTA acts as a processor and which had separately notified the HDPA. It added that a supplementary notification containing new findings from the investigation had been submitted. On 21 June 2022 the HDPA requested copies of the controller's policies and procedures and details of how they are implemented; on 6 July 2022 the controller provided its systems and data security policy and its privacy by design and by default policy.

On 27 July 2022, the controller notified the HDPA of a second incident: the personal data exfiltrated in the attack had been published on the dark web. It filed a supplementary notification on 29 December 2022. On 26 January 2023 the HDPA requested the onion-domain hyperlinks of the Vice Society group on which the data were posted, together with any supplementary report on the matter. On 21 February 2023 the controller provided: i) the group's dark-web hyperlink through which the data could be accessed (http://vsociet***.onion/); ii) an investigation report by Netbull stating that the Vice Society ransomware group had posted data from the attack on the leak site it maintains on the dark web; and iii) a detailed analysis of the files posted, listing subfolder name, file name, file category, category of data subject, type of personal data and a description.

On 29 November 2022 the HDPA invited the controller to a hearing, which was eventually held on 6 June 2023. The controller explained that the attack started at about 1:30 a.m. and was detected at 6:30 a.m.; no alerts had been received from the Windows Management Instrumentation Command-line tool (WMIC) because of a network connection failure. Once the threat was confirmed, the systems were taken offline and a process of investigation, logging, categorisation, classification and notification of the parties involved was started; corporate customers (acting as controllers or processors) were informed as soon as the attack was detected. Some systems were encrypted and could not be recovered, but the large majority were restored from backups on magnetic tapes that had not been encrypted and from copies kept outside the attacked infrastructure. The controller also argued that it was in financial difficulty at the time of the attack and submitted balance sheets showing losses in 2020, 2021 and 2022.

Following the breach, the controller stated, it made significant resources available to strengthen the security of its systems and launched staff training programmes so as to manage breach incidents better.

Holding

The HDPA found that the controller: i) had not implemented appropriate technical and organisational measures; ii) had not implemented appropriate data protection policies; and iii) had not ensured the confidentiality, integrity, availability and resilience of its processing systems and services, nor a process for regularly testing the effectiveness of its security measures.

In setting the fine, the HDPA took into account: i) the number of data subjects affected; ii) the level of damage; iii) the fact that the controller's systems were breached, its resources accessed without authorisation, malicious software installed and data disclosed on the dark web; iv) the failure to implement the security policy, the failure to ensure that data was accessible only to authorised users, the insufficient technical documentation on how the domain passwords were harvested, and the under-use of the warnings about unusual activity raised by the protection mechanisms; v) the categories of personal data affected (data of particular significance, such as financial data and employees' data); and vi) the fact that historical application data was not recovered and that no measures were taken to limit the upload of the data to the dark web.

As mitigating factors, the HDPA took into account that: i) system security was strengthened after the incidents; ii) no special categories of personal data were leaked; iii) a significant part of the data volume was restored from backups and service availability was restored; and iv) the controller submitted a supplementary notification containing detailed information about the leak of the data on the dark web.

On this basis, the HDPA imposed a fine of € 2,995,140 on the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.