HDPA (Greece) - 10/2024: Difference between revisions

From GDPRhub
mNo edit summary
(Thank you for this detailed summary! The facts section was very strong and provided important details. I reordered a couple things here for ease of understanding and reformatted according to our Style Guide, but edits here were quite minor. In the holding section, I added a bit more detail about why the HDPA found that security measures were lacking. Thanks again for your work on this : ))
Line 68: Line 68:


=== Facts ===
=== Facts ===
On 23 March 2022, the Hellenic Taxydromia Anonymous Ltd (controller) notified a personal data breach to the Hellenic DPA (HDPA) as a result of a cyberattack. The breached data included access to workstations and files of employees, passwords of network domain management accounts and miscellaneous folders, and was subsequently published on the Dark Web. In addition, the attackers installed malicious processes on the controller's system.
On 23 March 2022, the Hellenic Taxydromia Anonymous Ltd (controller) notified a personal data breach to the Hellenic DPA (HDPA) as a result of a cyberattack. The breached data included access to workstations and files of employees, passwords of network domain management accounts and miscellaneous folders, and was subsequently published on the Dark Web. In addition, the attackers installed malicious processes on the controller's system. Between 4,000,000 and 5,000,000,000 data subjects, including controller employees, executives, board members, lessors, customers, external partners, distributors, contractors, pensioners, borrowers and guarantors were estimated to have been affected.  


On 19 May 2022, the HDPA requested a description of the actions taken by the controller in addressing the data breach as well as the actions taken in relation to the notification of data subjects concerned or any third party. The controller responded by providing a cybersecurity incident report. It stated that it informed the public about the personal data breach and the actions taken in response. The controller also announced the incident internally, informed bodies affected by the incident (the International Post Corporation, PostEurop, and Universal Postal Union), and informed relevant national authorities. The controller also shared its policies concerning its system, data security, and privacy by design an default.   
On 19 May 2022, the HDPA requested a description of the actions taken by the controller in addressing the data breach as well as the actions taken in relation to the notification of data subjects concerned or any third party. The controller responded by providing a cybersecurity incident report. It stated that it informed the public about the personal data breach and the actions taken in response. The controller also announced the incident internally, informed bodies affected by the incident (the International Post Corporation, PostEurop, and Universal Postal Union), and informed relevant national authorities. The controller also shared its policies concerning its system, data security, and privacy by design an default.   
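Review bot: the new Facts paragraph puts the affected population at "Between 4,000,000 and 5,000,000,000 data subjects"; the upper bound is a thousand times the lower and should be checked against the decision before it is kept, as the same figure is carried into the rendered summary below. On both sides of this hunk "privacy by design an default" should read "privacy by design and default".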
Line 74: Line 74:
On 27 July 2022, the controller notified the HDPA of a subsequent infringement incident, wherein the leaked of personal data was published on the dark web, as a consequence of the data breach. In response to a request for additional information from the HDPA, the controller shared with the HDPA the following documents further information concerning the dark web's publication of the data and a detailed analysis of the files posted on the website, including files and subfolder names and categories, categories of data subjects, types of personal data and description.  
On 27 July 2022, the controller notified the HDPA of a subsequent infringement incident, wherein the leaked of personal data was published on the dark web, as a consequence of the data breach. In response to a request for additional information from the HDPA, the controller shared with the HDPA the following documents further information concerning the dark web's publication of the data and a detailed analysis of the files posted on the website, including files and subfolder names and categories, categories of data subjects, types of personal data and description.  


On 29 November 2022, the HDPA invited the controller to a hearing held on 6 June 2023. The controller explain that the cyberattack at 1:30 A.M. and was detected at 6:30 A.M. It received no alerts from the Windows Management Instrumentation Command tool due to a network connection failure. Following confirmation of the threat, the system was taken offline and a process of investigation, logging, categorisation, classification and notification of the parties involved was initiated. The controller immediately informed corporate customers of the incident. Though some systems were encrypted and could not be recovered, the vast majority of systems were recovered. The controller argued that, at the time of the cyberattack, it was facing financial difficulties. It submitted balance sheets to the HDPA, which indicated financial losses in 2020, 2021 and 2022.  
The HDPA invited the controller to a hearing held on 6 June 2023. The controller explain that the cyberattack at 1:30 A.M. and was detected at 6:30 A.M. It received no alerts from the Windows Management Instrumentation Command tool due to a network connection failure. Following confirmation of the threat, the system was taken offline and a process of investigation, logging, categorisation, classification and notification of the parties involved was initiated. The controller immediately informed corporate customers of the incident. Though some systems were encrypted and could not be recovered, the vast majority of systems were recovered. The controller argued that, at the time of the cyberattack, it was facing financial difficulties. It submitted balance sheets to the HDPA, which indicated financial losses in 2020, 2021 and 2022. Following the breach, the controller made significant resources available to shield the security of the system. The controller also stated that in order to better manage breach incident, it had launched staff training programs.  
 
Following the breach, the controller made significant resources available to shield the security of the system. The controller also stated that in order to better manage breach incident, it had launched staff training programs.  


=== Holding ===
=== Holding ===
The HDPA found that ELTA: i) had not implemented appropriate technical and organisational measures; ii) had not implemented appropriate data protection policies; iii) had not ensured confidentiality, availability and resilience of processing systems and services and the integrity of processes for regularly testing.
The HDPA found that the controller had not implemented appropriate technical and organisational measures, lacked appropriate data protection policies and failed to ensure confidentiality, availability and resilience of processing systems. As a result, it concluded that the controller breached Articles 5(1)(f) and 32 GDPR and imposed a € 2,995,140 fine.  
 
In order to calculate the fine, the HDPA took into consideration the following: i) the number of data subjects affected; ii) the level of damage; iii) the fact that took place a breach of controller's system, unauthorised access to resources, installation of malicious software and disclosure of data to the dark web; iv) the fact that there was a failure to implement the security policy, failure to ensure access to data by authorised users, insufficient technical documentation on the issues of the collection of domain passwords and underutilization of unusual warning messages activity by the protection mechanisms; v) the categories of personal data affected (personal data of particular significance, e.g., financial data, employees’ data, etc.); the fact that historical application data was not recovered and no measures were taken to limit the uploading of data on the dark web.  


The HDPA took into account the following mitigating factors: i) following the incidents, the system security was strengthened; ii) there was no leakage of special categories of personal data; iii) there has been a restoration of a significant part of the data volume from backups and restoration of service availability; iv) the controller has submitted an additional notification of the incident which included detailed information about the leakage of personal data to the dark web; v) the controller has submitted an additional notification of an incident which includes detailed information about the leakage data leakage to the dark web.
The controller's technical report revealed a failure to maintain adequate technical and security measures. The controller did not limit access to the data to authorised persons, creating vulnerabilities in the system's maintenance of confidentiality. In addition, the controller failed to regularly assess the effectiveness of its security measures and lacked adequate data protection policies. The insufficient security measures also failed to detect and prevent the cyberattacker's tracking activities and disabling of security measures using malware processes.  As a result of these shortcomings, the HDPA determined that the controller violated Articles 5(1)(f) and 32 GDPR.  


Following the abovementioned, the HDPA imposed a fine of 3,995,140 € to the controller.
In calculating the fine, the HDPA took into consideration the large number of data subjects affected; the high level of damage resulting from extensive data leakage; the installation of malicious software and the disclosure of data to the dark web; the failure to implement the security policy; the inadequate security measures; the types of data affected; and the fact that no measures were taken to limit the uploading of data on the dark web. It also took into account mitigating factors, including the strengthening of the system security, the fact that no special categories of data were implicated, the restoration of service availability and of a significant part of the data volume and the controller's cooperation with the HDPA. The controller also considered the HDPA's difficult financial situation at the time that the attack occurred.


== Comment ==
== Comment ==
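Review bot: the fine figure is inconsistent between this hunk and the rest of the page: the removed line gives 3,995,140 €, the new Holding paragraph gives € 2,995,140, and the infobox lists 2,955,140 EUR, so one amount needs confirming against the decision. In the last new paragraph, "The controller also considered the HDPA's difficult financial situation" inverts the parties; the Facts section states that the controller submitted its balance sheets to the HDPA, so it should read "The HDPA also considered the controller's difficult financial situation". The new hearing paragraph also drops the 29 November 2022 date of the invitation that the old line carried.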

Revision as of 13:31, 23 April 2024

HDPA - 10/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: 2,955,140 EUR
Parties: Hellenic Post
National Case Number/Name: 10/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Iliana Papantoni

The HDPA imposed a fine of € 2,995,140 on the Hellenic Post for violation of Articles 5(1)(f) and 32 GDPR, following its personal data breach notifications.

English Summary

Facts

On 23 March 2022, the Hellenic Taxydromia Anonymous Ltd (controller) notified a personal data breach to the Hellenic DPA (HDPA) as a result of a cyberattack. The breached data included access to workstations and files of employees, passwords of network domain management accounts and miscellaneous folders, and was subsequently published on the Dark Web. In addition, the attackers installed malicious processes on the controller's system. Between 4,000,000 and 5,000,000,000 data subjects, including controller employees, executives, board members, lessors, customers, external partners, distributors, contractors, pensioners, borrowers and guarantors were estimated to have been affected.

On 19 May 2022, the HDPA requested a description of the actions taken by the controller in addressing the data breach as well as the actions taken in relation to the notification of the data subjects concerned or any third party. The controller responded by providing a cybersecurity incident report. It stated that it had informed the public about the personal data breach and the actions taken in response. The controller also announced the incident internally, informed bodies affected by the incident (the International Post Corporation, PostEurop, and the Universal Postal Union), and informed the relevant national authorities. The controller also shared its policies concerning its system, data security, and privacy by design and default.

On 27 July 2022, the controller notified the HDPA of a subsequent infringement incident, wherein the leaked personal data was published on the dark web as a consequence of the data breach. In response to a request for additional information from the HDPA, the controller shared with the HDPA further information concerning the publication of the data on the dark web and a detailed analysis of the files posted on the website, including file and subfolder names and categories, categories of data subjects, types of personal data and a description.

The HDPA invited the controller to a hearing held on 6 June 2023. The controller explained that the cyberattack occurred at 1:30 A.M. and was detected at 6:30 A.M. It received no alerts from the Windows Management Instrumentation Command tool due to a network connection failure. Following confirmation of the threat, the system was taken offline and a process of investigation, logging, categorisation, classification and notification of the parties involved was initiated. The controller immediately informed corporate customers of the incident. Though some systems were encrypted and could not be recovered, the vast majority of systems were recovered. The controller argued that, at the time of the cyberattack, it was facing financial difficulties. It submitted balance sheets to the HDPA, which indicated financial losses in 2020, 2021 and 2022. Following the breach, the controller made significant resources available to strengthen the security of the system. The controller also stated that, in order to better manage breach incidents, it had launched staff training programmes.

Holding

The HDPA found that the controller had not implemented appropriate technical and organisational measures, lacked appropriate data protection policies and failed to ensure confidentiality, availability and resilience of processing systems. As a result, it concluded that the controller breached Articles 5(1)(f) and 32 GDPR and imposed a € 2,995,140 fine.

The controller's technical report revealed a failure to maintain adequate technical and security measures. The controller did not limit access to the data to authorised persons, creating vulnerabilities in the system's maintenance of confidentiality. In addition, the controller failed to regularly assess the effectiveness of its security measures and lacked adequate data protection policies. The insufficient security measures also failed to detect and prevent the cyberattacker's tracking activities and the disabling of security measures using malware processes. As a result of these shortcomings, the HDPA determined that the controller violated Articles 5(1)(f) and 32 GDPR.

In calculating the fine, the HDPA took into consideration the large number of data subjects affected; the high level of damage resulting from the extensive data leakage; the installation of malicious software and the disclosure of data on the dark web; the failure to implement the security policy; the inadequate security measures; the types of data affected; and the fact that no measures were taken to limit the uploading of data to the dark web. It also took into account mitigating factors, including the strengthening of the system's security, the fact that no special categories of data were implicated, the restoration of service availability and of a significant part of the data volume, and the controller's cooperation with the HDPA. The HDPA also considered the controller's difficult financial situation at the time the attack occurred.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.