AEPD (Spain) - EXP202304633: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202304633 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00424-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...") |
mNo edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
The DPA fined a | The DPA fined a lending institution €600,000 for inadequate security measures, including its lack of two-factor authentication when approving loans. The controller acknowledged its fault and paid a reduced fine of €360,000 in accordance with national law. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 10 August 2022, a data subject notified 4Finance Spain Financial Services, S.A.U. (the controller) that they had received an unsolicited loan to their bank account with the controller. By 1 September 2022, the controller had received 10 more complaints of a similar nature from clients. The controller assessed the risk levels and severity of these breaches in August, September and November of the same year using an internal method based on ENISA. Based on these assessments, the controller determined that it was not necessary to notify the violation to the AEPD or to affected parties. | On 10 August 2022, a data subject notified 4Finance Spain Financial Services, S.A.U. (the controller) that they had received an unsolicited loan to their bank account with the controller. By 1 September 2022, the controller had received 10 more complaints of a similar nature from clients. The controller assessed the risk levels and severity of these breaches in August, September and November of the same year using an internal method based on European Union Agency for Cybersecurity (ENISA) standards. Based on these assessments, the controller determined that it was not necessary to notify the violation to the AEPD or to affected parties. | ||
Between 3 and 23 February 2023, the AEPD received various complaints from data subjects, who were clients of the controller, alleging similar unsolicited loans to their accounts. On 14 February 2023, the controller claimed to become aware of a data breach affecting personal data of its clients and employees. The breach ultimately affected 9636 data subjects and included names, birth dates, national identification numbers, foreigner identity numbers, passport or identification document numbers, payment data (such as banks and cards) and contact information. | Between 3 and 23 February 2023, the AEPD received various complaints from data subjects, who were clients of the controller, alleging similar unsolicited loans to their accounts. On 14 February 2023, the controller claimed to become aware of a data breach affecting personal data of its clients and employees. The breach ultimately affected 9636 data subjects and included names, birth dates, national identification numbers, foreigner identity numbers, passport or identification document numbers, payment data (such as banks and cards) and contact information. |
Latest revision as of 14:32, 15 May 2024
AEPD - EXP202304633 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 11.04.2023 |
Decided: | 07.05.2024 |
Published: | |
Fine: | 360,000 |
Parties: | 4Finance Spain Financial Services |
National Case Number/Name: | EXP202304633 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA fined a lending institution €600,000 for inadequate security measures, including its lack of two-factor authentication when approving loans. The controller acknowledged its fault and paid a reduced fine of €360,000 in accordance with national law.
English Summary
Facts
On 10 August 2022, a data subject notified 4Finance Spain Financial Services, S.A.U. (the controller) that they had received an unsolicited loan to their bank account with the controller. By 1 September 2022, the controller had received 10 more complaints of a similar nature from clients. The controller assessed the risk levels and severity of these breaches in August, September and November of the same year using an internal method based on European Union Agency for Cybersecurity (ENISA) standards. Based on these assessments, the controller determined that it was not necessary to notify the violation to the AEPD or to affected parties.
Between 3 and 23 February 2023, the AEPD received various complaints from data subjects, who were clients of the controller, alleging similar unsolicited loans to their accounts. On 14 February 2023, the controller claimed to become aware of a data breach affecting personal data of its clients and employees. The breach ultimately affected 9636 data subjects and included names, birth dates, national identification numbers, foreigner identity numbers, passport or identification document numbers, payment data (such as banks and cards) and contact information.
The breach was a brute force attack that attempted different combinations of national identity numbers and emails with passwords. Once the attackers gained access to client accounts, they took out loans in the data subjects’ names, which the controller accepted and placed into client accounts. The hackers then contacted data subjects via WhatsApp, pretending to be the controller and requesting the refund of the amount to an account number controlled by the attackers. 139 of the affected data subjects were victims of this fraud.
The controller notified the Spanish DPA (AEPD) of the data breach on 17 February 2023. It expressed that it did not consider the breach to pose a high risk to the rights and liberties of affected data subjects and that it thus would not communicate the breach to them directly.
On 11 April 2023, the AEPD initiated an investigation against the controller and ordered the controller to communicate the breach to data subjects, which the controller did on the same day.
In response to the breach, the controller registered the breach in the register of incidents, filed a police report, circulated a communication to clients noting that it did not communicate with clients via Whatsapp, reset certain user passwords and amended its password policy to require more complexity and implemented two-factor authentication.
Holding
The AEPD found likely violations of Articles 5(1)(f) and 32 GDPR and recommended a €600,000 fine. The controller acknowledged its fault and paid a reduced fine of €340,000 in accordance with national law.
In finding a likely violation of Article 5(1)(f) GDPR, the AEPD focused on the sensitive nature of the data, the method of attack and the number of affected data subjects. The types of personal data acquired in the breach, including data subjects’ contact information as well as their financial information and history, amplified the security risks. Such combinations of data, the AEPD noted, could be used to construct detailed financial profiles of data subjects that make them more vulnerable to identity theft, fraud and other cyberattacks – such as in this case, where attackers were able to contact data subjects after manipulating their finances.
Due to the controller’s inadequate risk assessments and security measures, the AEPD also found a probable infraction of Article 32 GDPR. The AEPD noted that the controller’s handling of financial data and identification information is sensitive and thus obliges greater caution in implementing security measures. It thus considered the lack of a two-factor authentication prior to requesting a loan a serious oversight that facilitated the breach. Though it commended the controller’s adoption of mitigating measures including two-factor authentication after the breach, the AEPD found that these changes emphasised the shortcomings in its prior security system. Even after the controller was made aware of the risks by client complaints and internal risk assessments, it failed to adequately estimate the severity of the data breach. The inadequacy of the controller’s risk assessment was further demonstrated by its failure to communicate the incident to affected data subjects until ordered to do so by the AEPD.
Given these likely violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of €600,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €360,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/33 File No.: EXP202304633 RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTEER From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On April 8, 2024, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. (hereinafter, the claimed party), through the Agreement transcribed: << File No.: EXP202304633 AGREEMENT TO START SANCTIONING PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: On February 17, 2023, the Innovation Division was notified Technological of this Agency a security breach of personal data sent by 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. with NIF A86521309 (hereinafter, VIVUS) as data controller. As a consequence of the known facts, on April 11, 2023, the Director of the Spanish Agency of Data Protection ordered the General Subdirectorate of Data Inspection (SGID) carry out the appropriate prior investigations in order to determine a possible violation of data protection regulations. SECOND: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: On February 17, 2023, the person responsible for 4FINANCE SPAIN FINANCIAL SERVICES (hereinafter VIVUS) makes an initial notification of the data breach personal with entry registration REGAGE23e00010208403, in which he states having suffered a confidentiality breach due to unauthorized access to customer data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid Seeagpd.gob.es 2/33 clients, including basic, identifying and contact data of a total of 427 employees. The person in charge indicates that they continue to investigate the incident. On March 31, 2023, additional notification of the data breach is received personal with entry registration REGAGE23e00021779018, in which states: - Description of the incident: consisting of unauthorized access to profiles of clients in the VIVUS database. The incident was investigated internally. - Regarding the start date, they claim that it is unknown, while it is determines February 14, 2023 as the detection date. - They indicate that the affected data was not encrypted. - Regarding the consequences for the affected people, they affirm that they do not are affected, except for some very limited inconveniences, but in in any case reversible. - Regarding the categories of data affected, there are: basic data (Ex: name, surname, date of birth), DNI, NIE, Passport and/or any other identification document, payment method data (Card bank, etc.…), and contact information. - Number of affected: 9636 (There are no minors), they affirm that they will not be communications. - They claim that they have brought it to the attention of police authorities. - Detection method: Communication from someone affected. - A summary is included in which it is stated that through a force attack raw testing combinations of ID/password and Email/password, the Cybercriminals had access to the personal data of the customer profile of 9636 natural persons. These data included name and surname, DNI/NIE, date of birth, postal address, email, IBAN, mobile phone and bank card pseudonymized. They claim that 139 clients have been victims of fraud have requested credit in your name through the application, and once granted, they have contacted the customer via WhatsApp to request a refund immediately to a bank account number of cybercriminals. - They claim that as a reactive measure they have implemented 2FA. - The person responsible states that he will not inform those affected as he does not consider high risk. From this authority, the person responsible was ordered to carry out the communication of the personal data breach to the interested parties in accordance with the article 34 of the GDPR without undue delay and so that the measures can be adopted that they consider appropriate to avoid those risks that could affect their person. On April 11, 2023 and entry registration REGAGE23e00023503645, receives a letter from VIVUS confirming the sending of the communication individualized to all clients affected by the breach, providing capture of screen of an email where only the sender address is visible (vivus@sm.vivus.es) (but not the destination addresses). The body of this email contains information about the incident that occurred, about the data that has been possible be affected, the measures adopted by the company after the incident, the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/33 recommendations on possible measures to be adopted by the affected client and the possible means of contact for more information. Likewise, in relation to the indicated gap, the following have been received: claims in this Agency by affected people: Claim 1: on February 3, 2023 and check-in REGAGE23e00007166247, A.A.A. claim is received. related to the alleged identity theft by having requested a loan in his name and This having been granted by VIVUS and deposited into a bank account of your ownership. The transfer of this claim to VIVUS was carried out on March 16 2023 and a response is subsequently received on April 13, 2023 and registration input REGAGE23e00024080156. Claim 2: on February 5, 2023 and check-in REGAGE23e00007349177, complaint received from B.B.B. related to the alleged identity theft by having requested a loan in his name and This having been granted by VIVUS and deposited into a bank account of your ownership. The transfer of this claim is made on March 16, 2023 and Response is received on April 13, 2023 and with check-in REGAGE23e00024080388. Claim 3: on February 5, 2023 and check-in REGAGE23e00007333527, C.C.C claim is received. related to the alleged identity theft by having requested a loan in his name and This having been granted by VIVUS and deposited into a bank account of your ownership. The transfer of this claim to VIVUS was carried out on March 16 2023 and response was received on April 13, 2023 and check-in REGAGE23e00024082969. Claim 4: on February 6, 2023 and check-in REGAGE23e00007574937, D.D.D. claim is received. related to the alleged identity theft when a loan was requested in his name and having been granted by VIVUS and deposited into a bank account of your ownership. Provide a copy of the complaint to the Police and a copy of your ID. The transfer of This claim to VIVUS was made on March 16, 2023 and was received response on April 13, 2023 and check-in REGAGE23e00024084764. Claim 5: on February 11, 2023 and check-in REGAGE23e00008763533, claim is received from E.E.E. related with the alleged identity theft when a loan was requested in his name and having been granted by VIVUS and deposited into a bank account of your ownership of which this company was aware. A copy of the complaint is attached filed with the National Police. The transfer of this claim to VIVUS is carried out on March 16, 2023 and a response was received on April 13, 2023 and with registration REGAGE23e00024084642. Claim 6: on February 23, 2023 and check-in REGAGE23e00011468445, claim received from F.F.F. related to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/33 alleged identity theft in the application for a loan granted by VIVUS and deposited into a bank account owned by you. The transfer of this claim to VIVUS was made on March 16, 2023 and a response was received dated April 13, 2023 and check-in REGAGE23e00024084525. On March 16, 2023, the VIVUS person responsible for the different claims received, requesting the following information: - Detailed and chronological description of the facts and specification of the causes of the incident. - Number of people affected, category of data involved and possible consequences for those affected. - Actions taken to solve the incident and measures to prevent it from happening again. happen. - Treatment risk analysis, preventive safety measures implemented and impact evaluation where appropriate. - Copy of the Record of Treatment Activities. - If it has been communicated to those affected, the channel used, date of communication and details of the message sent. If the communication, indicate the reasons. VIVUS responded on April 13, 2023 and individually to each one of the transfers made by this entity. Content of the aforementioned writings The following relevant information is extracted: - For each of the claims, a detailed analysis of the scenario of impact on the specific client, indicating the dates on which They were aware of the corresponding incident, as well as the details regarding the communications they had with each client. - In relation to the causes that caused the incident, he states: That on August 10, 2022 was when he received the first notification from a client, who reported having received money in his bank account under a loan he had not requested. That the attackers made numerous login attempts using different IP addresses and using the ID or email of the client (as username) and a password, obtained from from external and non-VIVUS sources. Once they agreed, they requested loans on behalf of the client which were accepted and disbursed into his account. Later, the attackers They proceeded to contact said client through WhatsApp requesting the refund of the amount to an account number that was controlled by them. - It states that there are a total of 9,636 affected and that the type of data affected was the one existing in the web user's personal area. So specifically, there was: Name and Surname, Date of Birth, Address Postcard, Email, Mobile Phone, DNI/NIE, IBAN, Pseudonymized bank card, as well as data on active loans that the user had granted. not yet finalized such as the amount, accrued interest, term and expiration. - Regarding the possible consequences for those affected, he maintains that the nature of the set of personal data accessed is not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/33 provided substantial information about the financial situation and that They considered that it did not entail a high risk for the rights and freedoms of those affected. - In relation to the actions taken by the person responsible to solve the problem. incident, communicate the adoption of the following measures: Record the gap in the incident log. Complaint to the Police. Official communication to different clients and through the website on information that the entity does not use WhatsApp. Reset all user passwords dated December 11 February 2022. Implementation of a two-factor authentication system implemented on February 21, 2023. Modification of the login password policy, increasing its complexity and forcing every user to modify it. Improvement of the operation of the SIEM system, reviewing the internal incident response procedure. Inclusion of clients affected by fraud in a certain category in order to avoid derived consequences. Sending communication to all affected clients. Your accreditation in new requirement. - In response to our request to provide risk analysis and security measures that were concluded, state the following: “The treatment of customer access data to web profiles and the acquisition of Online applications do not pose high risks for data protection, Therefore, an Impact Assessment of these has not been carried out. treatments. However, to guarantee technical and organizational measures The following security measures were specifically implemented relevant to the reported security incident: Security monitoring. Password policy: minimum complexity rules are defined for Passwords used to log into user profiles customers. Protection of web applications. Firewalls and intrusion prevention systems. Protection against Malware. Reporting, management and investigation of security incidents: management of security incidents is well established and complies with the expectations of the 4finance Group.” - States that, from September to the end of November 2020, the information security department conducted a comprehensive assessment of information security risks with the objective of evaluating and improving the security measures in the areas of software, network and data distribution, people and processes. As a result, measures of security to protect the organization against automated attacks from brute force related to password guessing. - Indicates having performed an external penetration test of the application vivus.es by a professional services firm on dates between on February 9 and 17, 2022. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/33 - They provide the Registry of Treatment Activities, in English, with the treatment activity affected by the gap: “Customer Registration and Contract Signing”. - They point out that the violation has been communicated to all affected clients in dated April 11, 2023 and which was initially notified to the AEPD on April 17 February 2023. - They affirm that among the measures adopted to avoid new incidents has been the implementation of the double authentication system (2FA) in the service is key Web. Within the framework of this investigation, on June 30, 2023, a first information request to the VIVUS responsible: - That the communication of the breach made is accredited, since it is only had provided the text of the communication. - The adoption of existing organizational measures in the organization to manage security incidents that affect data personal (the management of personal data breaches). - That the communications that the entity maintained with the first party be accredited. affected customer who contacted the company on August 10, 2022. - That the risk analysis is accredited to guarantee both the safety of the treatments as well as the rights and freedoms of the affected people, as well as such as, where appropriate, impact evaluations. - That they certify the reactive measures implemented after the security breach, influencing those measures aimed at stopping brute force attacks and to monitor user traceability. - That the complaint filed with the security forces be accredited. - Investigate the details of the existing procedure to identify customers who request loans through the web area. On July 19, 2023 and entry records REGAGE23e00048973515 and REGAGE23e00049304085, response to the previous request is received, The following relevant information for the investigation was extracted from its analysis: - Claims that the access credentials used were already available by part of the attackers prior to the breach, possibly coming from leaks from third parties and external sources, so the This attack does not correspond to a brute force attack but to an attack “credential stuffing”. - They provide a document with the total volume of failed login attempts broken down by date. From his analysis, the days between 4 and 14 February 2023, with peaks of up to 18 million failed attempts in a single day. - Indicates that in the moments prior to the breach, the VIVUS systems were protected against a high number of failed connections from the following way: Protection against "brute force" attacks was implemented in the vivus.es web application, increasing the waiting time of authentication after a failed attempt for a specific user. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/33 After subsequent failed authentication attempts, the waiting time wait was doubled for these users. Protection against a large number of fake web requests is implemented in the Imperva WAF software, mainly with the purpose of preventing denial of service (DoS) attacks. He configuration setting was to block any source that generates more than 450 requests per second. They affirm that the security systems for the vivus.es product were prepared to detect and alert about attack patterns common in web applications (SQL Injections, Cross Site Scripting (XSS), File Inclusion Attacks, Directory Traversal Attacks, DoS/DDoS attacks etc), but they did not detect or alert about a high number of failed connection attempts. - Recording of the telephone call received by the client is provided affected on August 11, 2022 at 8:46 p.m., in which the user affected person reports having received money from a loan that was not required. Subsequently, on August 12, 2022, this client sent via email the copy of the complaint filed, an email that was responded to by VIVUS on August 17, 2022 informing the client of the following: “our company has proceeded to activate the procedure applicable to these cases, which includes the management of the file as a fraud case, which implies the paralysis of all debt recovery actions since once Once the facts have been reported, there will be no claim from us.” - From the preliminary report of the director of INFOSEC (Department of Security of VIVUS) written on March 15, 2023, the following are extracted affirmations: On February 21, 2023, 2FA was implemented, which paralyzed the attack. There were 3905 success cases out of 218401 attempts made using ID/PASSWORD combination. There were 6977 success cases out of 2728941 access attempts performed by attackers using combinations of EMAIL/PASSWORD. Of the total number of successful accesses, they affirm evidence of data access from a total of 9497 VIVUS clients. - Two penetration analyzes carried out in February 2022 are accredited (at VIVUS mobile application) and June 2023 (to the web application that gave access to the personal client area). From the analysis of said reports, concludes that the vulnerabilities that were detected are not linked to the attack vector of the present security breach. - States that each incident detected was analyzed and managed by the incident management procedure and that the incident analysis was updated risks. The management procedure is documented previous incidents. - Four documents are provided with different analyzes and evaluations of the severity of the incident, carried out at different temporal moments (at as cases were discovered), using a internal methodology based on ENISA's own methodology. In these analysis, the risk level of the incident was assigned a quantitative value, evaluating three main parameters: The context of the gap (1 being minimum and 4 maximum). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/33 The ease of identification of the affected person (with a value between 0 and 1 maximum) The circumstances in which the breach occurred (with a value of severity from 0 to 2 maximum). After the analysis, a final value was assigned to the risk level of the incident, making use of the following formula: [Incident Severity= (Context*Ease of Identification of the Affected) + Circumstances]. From the analysis of each document provided with the previous evaluations, extracts for this report: A first document is provided with the initial evaluation of the incident when only one affected case was known, which is signed on dated August 11, 2022 by the entity's DPD. For To quantify the risk, the minimum value was assigned to the context (1), a value from 0.75 to the Ease of Identification (which had the following meaning according to methodology “Identification is possible from the data breached, with the need for investigation to discover the identity of the individual“), concluding the evaluation that the incident DOES NOT was sufficiently important to communicate it to the AEPD. This contrasts with the type of data filtered through the client web area, since that the set of these data allowed an easy identification of the individual without the need for additional special investigation. A new document is provided with a second evaluation of the incident when 11 clients were known to be affected, signed by the DPD on September 1, 2022 and concluding with a value of LOW risk, stating that “the severity of the incident is NOT sufficient entity to require notification to the competent authority nor to those interested.” In the risk assessment, a value of 0.75 for ease of identification, the maximum value being the scale used 1, with the meaning “Identification is possible through from leaked data without the need to carry out an investigation special to discover the identity of the individual.” The data set that were being filtered through the client's web area were, among others, the name and surname, date of birth, postal address, Email, Mobile Phone, DNI/NIE, which are sufficient to obtain identification of the affected person without the need to conduct special investigation. A third document is provided with the evaluation of the incident when 83 affected clients were known, signed by the DPD on 14 November 2022, the result of which was a LOW risk value, stating that “the incident is NOT of sufficient magnitude to that the security breach must be reported to the Spanish Agency of Data Protection nor to the interested parties, while the information personnel allegedly violated was minimal, and taking into account that access has been completely restricted.” The same was assigned value for Context and Ease of Identification than in points previous. A document with the evaluation of the incident when the information was available following information: “less than 35000 successful logins, but C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/33 the scope of the access data is unknown, currently 427 customers have been defrauded (as of February 17, 2022).” This document is signed by the DPD on February 17, 2023 and in the evaluation, a MEDIUM risk level is concluded, assigning in this case a maximum value of 1 to the Ease of Identification of the client affected (higher than the value of 0.75 given in the previous documents). However, the set of personal data leaked was the same as for previous affected customers. The result of this analysis led to the following conclusion: “[…] it must be communicated to the Agency Spanish Data Protection. However, in view of the violated data category, it is not considered that there are risks for the rights and freedoms of the interested parties, while the personal information violated is minimal, so it is concluded that It is not necessary to communicate to clients.” Within the four previous documents there is a section which refers to the assessment of the incident by the VIVUS security department: “Severity classification determined by the Information Security Unit in accordance with the Security Incident Response Procedure of the Information: HIGH SEVERITY (Level 1) due to financial impact”, Despite this statement, it was assessed that it was not necessary to notify the incident. - In relation to the four documents previously analyzed in which VIVUS concluded a level of risk and severity of the breach, by this inspection, a simulation is carried out with the Advisory tool. Gap, using the same data that was already available from VIVUS in September 2022, and resulting in the obligation to notify the breach to this Agency without undue delay. In the same way, The Communica-Brecha tool is used with the information that the person in charge had in September 2022, resulting in “You should communicate the breach to the AEPD.” The input data used in Both tools were the following: Sector of activity: Financial Entity The breach is a consequence of a cyber incident with unauthorized access to personal data. Data affected: basic, DNI number, postal address, telephone, email, financial without means of payment. People affected: 56 (information that was already available by the responsible as of September 27, 2022, date on which VIVUS files a complaint providing the list of known affected persons at that time moment). For the possible consequences, the simulation has considered the least possible damage (despite the fact that the real and known consequences on this date were possibly of greater severity), assigning the value: “people may find some very inconvenient limited and reversible that they will overcome without problem.” - Taking into consideration the severity assessment procedure of ENISA, Recommendations for a methodology of the assessment of severity of personal data breaches, which VIVUS has established as a reference: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/33 The Context (DPC) was valued with a value of 1, however, it should have been assigned higher value, since according to this methodology (it is hereby made inspector the unofficial translation into the Spanish language): Simple data, Preliminary basic score = 1. The score DPC could be increased by 1, for example, when the volume of the "simple data" or the characteristics of the person responsible for the treatment are such that the elaboration of profiles of the person or assumptions can be made about the social/financial situation of the person), with DPC = 2, or: Financial data, Preliminary base score = 3. The DPC score could be reduced by 1, for example, when the specific data set includes certain information financial, but does not yet provide any meaningful insight of the person's financial situation (for example, numbers simple bank accounts without further details), with DPC = 2, or good: Financial data, Preliminary base score = 3. The DPC score could be increased by 1, for example, when, due to the nature or volume of the set of specific data, complete financial information is disclosed (for example, credit card) that may allow fraud or A detailed social/financial profile is created. DPC=4. The Ease of Identification of the affected person should be valued as EI = 1, and not a lower value (VIVUS gives a value EI=0.75), as stated has analyzed in the previous point. From this it is concluded that the value assigned from VIVUS to the different variables of the severity calculation formula was lower than what should have been assigned, given the scenario that was being known about the security incident, due to have obtained a final result of severity that could be between MEDIUM and VERY HIGH. This result would have led VIVUS to communicate the incident to the AEPD and those affected since the first event. - In relation to the complaint filed by the person responsible, in the response to the request states: “the affected cases were collected from manually and given the difficulty in identifying them through the partial information available, up to 4 extensions of the initial complaint”, providing the following documentation in the response. Copy of the initial complaint filed on August 12, 2022 with the affected customer information on August 11, 2022. Copy of the extension to the previous complaint filed on December 28 September 2022 in which they affirm that in subsequent days they have been new clients affected, requesting loans fraudulent with a global amount of 42,610 euros and having been scammed 19830 euros. In this extension they provide a list with the data of the affected clients to whom VIVUS made the entry of the amount of the loan requested fraudulently, being in This listing approximately 56 bank account numbers different clients. From the analysis of this list by the present inspector It is striking that the same IP used in the loan application C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/33 of August 10, 2022 (which was recorded on August 11, 2022 after receiving communication from the affected client), was used subsequently to successfully apply for two new loans fraudulent at a later date, October 8, 2022 at 10:53 and 11:11. In the accredited complaints, VIVUS states that the attackers had entered the personal area of each of these clients and had requested a new loan in the contracting modality distance on behalf of the affected customer. - Provide a copy of a document with the general conditions of the loan that are accepted (by marking a checkbox) at the time of online loan application. - In response to our request to detail the procedures existing to identify a client when requesting a loan from Through the web portal, they affirm that there are two possible ways of identification: To request a FIRST LOAN, the so-called “onboarding procedure”. They claim that this procedure was not the used by the attackers, since all affected clients requested previously a first loan. This identification procedure initial consists of: On a first screen where contact information is requested and collects consent for privacy policy and commercial communications. On a second screen, a DNI number and a password to create the account or profile. On a third screen, the name, surname and date are requested. birth. On a fourth screen, an address in Spain is requested. On a fifth screen, a phone number is requested and subsequently verified by sending an SMS with a Unique one-time use code that the user must enter. On a sixth and final screen, different options are offered. identity accreditation, either by providing the credentials of Online Banking (through the TINK service), either providing the supporting documentation through a form and wait phone call that would verify the data. To request SECOND AND LATER loans (only way affected by the security incident), only the identification in the client's personal web area, using the user credentials (ID or EMAIL + Password). Once entered in the web area it was enough to select the amount of money that you wish to request, the desired return period and accept the contract conditions by activating a checkbox (check box). - In relation to this identification process they claim to have adopted and implemented the following reactive measures after the security breach: Resetting all customer passwords that, when clients access their personal area, they are obliged to set a new password. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/33 Implementation of a second factor of authentication (2FA), generating a 4-digit verification code that is sent through from the SMS channel to the customer's registered phone number. This 2FA dual-factor authentication system was strengthened later in April 2023 by adding two new rules (5 minute block after 3 failed attempts, being necessary new verification code, and the need for a new code if the client connects and disconnects from their profile). - They certify an updated document of the internal protocol for the management of incidents, whose update is dated April 29, 2023. The The modifications introduced therein have consisted of: Adjust the deadlines for the response phases to internal incidents, in case of delay in detection, to meet the notification period of the GDPR. The possibility of involving external legal experts in the response to personal data breaches. Data breach risk assessment template revised including new improved gravity calculator. - They certify the following reactive technical measures implemented to improve detecting security incidents: When failed authentication attempts from a single address Source IPs exceed defined daily thresholds, Splunk system SIEM generates an alert in real time that is sent to an email alert email to the security department and a communication channel Slack. When authentication success events originate from a single source IP address and are accessing more than 4 accounts different clients on the same day, a real-time alert is generated by the Splunk SIEM system and sent to an email security department email. When attackers use static IP addresses during a prolonged period these are entered into a special black list and in In the event of a subsequent authentication attempt, an alert is generated real time by the Splunk SIEM system and sent to email alert the security department. - In response to our request for risk analysis to be accredited for treatment activities affected by the gap, perform the following statement: “In May 2022, based on the planning of a new onboarding process (completed in October 2022) was carried out on corresponding Risk Analysis regarding Data Protection related to the Processing Activity called CUSTOMER REGISTRATION AND CONTRACT SIGNING.” Document is provided accrediting this risk analysis for the rights and freedoms of natural persons affected by the treatments of the aforementioned activity. Of Its analysis is extracted: It has a creation date of May 6, 2022. Threats and risk factors for the rights and freedoms of the interested parties, differentiating between inherent risk and the residual risk, referring to whether the risk has been fully mitigated C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/33 or partially. However, security measures are not listed. concluded as a result of this analysis to mitigate risks. A conclusions section is included where it is stated that the level of inherent risk is HIGH and residual MEDIUM, also performing the following statement: “the activity analyzed involves, among others, the creation of profiles on the basis of which decisions are made that can produce legal effects for natural persons. The above, based on the document called LISTS OF TYPES OF DATA PROCESSING THAT REQUIRES EVALUATION OF IMPACT RELATING TO DATA PROTECTION of the Agency Spanish Data Protection, implies an obligation to 4FINANCE as data controller to carry out a mandatory EIPD of the analyzed treatment.” - Document is accredited for the treatment activity “Customer Registration And Contract Signing”, with date of completion May 13, 2022. In it a systematic analysis and description of the treatment is carried out, an analysis of the intervening parties, an evaluation of the necessity and proportionality of the treatment and an evaluation and management of risks, listing measures adopted in its mitigation. - In response to our request to certify the sending of the communication made about the incident to the affected people, provide Excel list containing the Email and Name/Surname of people communicated, but the date on which the shipment was made is not detailed. On August 2, 2023, a new information requirement is made to the VIVUS responsible for the following actions: - The correct accreditation of the communications made. - The start date of the treatment activity “Customer Registration And Contract Signing”. - Confirmation of whether there were risk analyzes prior to May 2022, and its accreditation if applicable. On August 18, 2023 and entry registration REGAGE23e00056162842, receives a response to the previous requirement from whose analysis the following is extracted information relevant to the investigation: - Mass communication sent to affected clients on the date is credited April 11, 2023 at 8:09 p.m. - They affirm that the processing activity called “Customer Registration And Contract Signing” began on December 20, 2012 on the occasion of the registration of the first client on the platform. - In relation to confirmation of whether there were risk analyzes carried out in date prior to the one they had already contributed (May 2022), the following: That after the entry into force of the RGPD, audits have been carried out internal and external data protection, one of them at the end of 2019 and in which the need to carry out and document risk analysis that complies with art 32 of the RGPD. As As a result, “in May 2020, the company prepared a risk analysis in excel format (Risk Assessment Spain) that It included the probability of occurrence of certain risks. No C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/33 However, according to what was included in the subsequent report of external audit of the year 2021, said risk analysis did not include appropriately the risks to the rights and freedoms of affected.” Screenshot of this Excel document is credited. From the analysis by this inspector it is concluded that the risk factors in a generalized way and not for an activity of concrete treatment. Furthermore, it is carried out from the perspective of the consequences and impact for the company itself (losses economic and financial impact), not being, therefore, a risk analysis for the treatment activity affected by the gap that took into account threats to both the security of the treatments as well as for the rights and freedoms of the interested parties. A new document “ANALYSIS REPORT OF RISKS RELATING TO DATA PROTECTION” dated drafted May 29, 2021 and signed by the Protection Delegate of data. From the analysis of this document by the present inspector, concludes: In the introduction the following text is stated: “The present document is the result of carrying out the activities constituents of the Impact Assessment regarding Data Protection (hereinafter DPIA), in accordance with the established in article 35 and 36 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 and the Practical Guides prepared by the AEPD”. Contains the following sections Preparatory Aspects and Organizational, Identification of Affected Data and Evaluation of the Risk Level. In the section referring to the evaluation of the risk level, They analyze the following identified risk factors: Illegitimate intrusion into systems. Internal fraud. Human and technological errors (both in the management of loans, claims management, communications business and employee data management). This analysis is not specific to the treatment activity affected by the gap and does not take into account risk factors for the rights and freedoms of people affected by the treatment activity. It is stated that a risk analysis was prepared at a later date specific by treatment activity following the Treatment Management Guide Risks of this Agency. This analysis corresponds to the one provided in response to the previous request and which has a writing date May 2022. They affirm that the company is working on the implementation of a computer tool (CompaaS) that will allow more management effective and agile compliance with its obligations, as well as registering and periodically review your protection risk analysis of data. CONCLUSIONS C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/33 1. The attack vector of the breach was caused by illegitimate access by of attackers to the web area of multiple clients, using valid credentials that these were previously known (ID or Email + Password pairs), possibly as a result of some leak. The modus operandi was the following: - Once the attackers accessed the personal area of the affected client, They proceeded to request loans that were automatically accepted, the amount being entered into the bank account associated with the client. - Subsequently, the attackers contacted via WhatsApp posing as by VIVUS, informing them that a new loan in their name and in which they requested its return at a number of account that it was controlled by the attackers themselves. 2. It has been confirmed that the breach affected 9,497 VIVUS clients whose identity was impersonated, having requested on behalf of many of them personal loans that were granted automatically by the platform. 3. Regarding the data filtered through the client's web area, it consisted of: name and surname, date of birth, postal address, email, mobile phone, DNI/NIE, IBAN, pseudonymized bank card, as well as data relating to loans that are were in force against the company. 4. It has been proven that VIVUS initially detected the breach on August 11 of 2022 following the communication received from an affected client. Subsequently, on September 1, 2022, the company was aware of at at least 11 cases affected, and as of November 14, 2022 at least 83 clients affected. However, the breach was not notified to the present authority until on February 17, 2023, when there was evidence of the impact of at least 427 defrauded. 5. It has been proven that VIVUS analyzed the level of risk and severity of the gap on different dates (August 11, 2022, September 1, 2022 and November 2022), using an internal methodology based on ENISA consisting of the use of a formula to calculate the final value of the risk to based on variables such as the Context of the Incident, the Ease of Identification and the Circumstances of the incident, assigning a value to each of these variables according to a detailed scale in the methodology itself. From the final value of the risk obtained from the previous formula, the claimed party considered that it was NOT necessary to notify the violation of the AEPD or those affected. 6. It has been found that the value assigned to some of these variables was lower than the that should have been assigned, taking into account the knowledge that was had about the incident at this time. After the use, by the present inspector, of the Gap Advisor and Gap Communicate tools using the information VIVUS known in September 2022, has been obtained as a result in both tools the need to notify both the AEPD and those affected. 7. In relation to the communication of the breach to those affected, it has been proven that the person responsible finally communicated the incident to all those affected on April 11, 2023, after receiving the order to communicate from this authority. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/33 8. It has been proven that there were no specific risk analyzes for the rights and freedoms of people interested in the treatment activity affected by the gap until May 6, 2022. Prior to this date there were risk analyzes that were not specific to a treatment activity and directed at the possible financial impact on the person responsible, not analyzing risks to the rights and freedoms of people affected by the treatments. It has also been proven that the treatment activity affected due to the breach was recorded in the VIVUS Treatment Activities Registry and that It started in December 2012. 9. The existence of an Impact Assessment for the Data Protection (EIPD) of the processing activity affected by the breach, carried out on May 13, 2022 and which includes the following information: - A systematic analysis and description of the treatment - An analysis of the necessity and proportionality of the treatment - An analysis and management of risks. 10. In relation to the preventive measures implemented in moments prior to the gap, the following list is found: - Security monitoring: event review, security testing security and vulnerability assessment. - Password policy with minimum complexity rules to start session in the client web area. - Measures against brute force attacks based on waiting times after failed login attempts. - Firewall and anti-malware protection. - Prevention of DDOS attacks, SQL injection and other threats to through Imperva Web Application Firewall software. - Penetration analysis of the vivus.es web portal in June 2023, Previously (February 2022), another analysis of penetration, but with the focus on the VIVUS mobile application. - Internal procedure to manage security incidents. 11. In relation to the reactive measures implemented by the person responsible after Once the security breach is known, the following have been confirmed: - Implementation of a Double Factor Authentication (2FA) system implemented on February 21, 2023. They affirm that the implementation This measure was key to solving the gap since it was not later cases were detected. - Reset of all customer passwords on date 11 February 2022. - Inclusion of clients affected by fraud in a special category to avoid possible derived consequences. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/33 - Improvement of the SIEM monitoring system with the implementation of new real-time event analysis functionalities, in concrete: Generating alerts when authentication attempts failed messages from the same IP exceed a defined daily threshold. Generating alerts when security events occur. successful authentication from the same IP in more than four client accounts. Blacklists of suspicious IPs to track before new authentications received. - A communication was made to all clients informing them that the entity does not use WhatsApp as a means of contact. - The internal incident management procedure was updated (as of today). April 29, 2023) reviewing the template to evaluate the risk and severity of an incident that affects personal data, entering adjustments in response times to be able to comply with the GDPR notification. 12. In relation to the client identification process for the granting of loans, it has been confirmed that all affected clients had already requested a first loan previously and, therefore, had already made the identification process and initial registration in the system (which requires the user to provide identification documentation or make use of the external identification service of TINK online banking). However, it is proven that, for the request for seconds and subsequent loans, VIVUS only required correct authentication in the client's web area using the username (DNI or Email) and their password. Subsequently and as a reactive measure after the breach, VIVUS implemented double factor authentication (2FA) in the customer authentication (login) process in the web area, using the sending of SMS with a secure one-time use code and valid for a single connection to the client's personal web area, not knowing new cases of fraud as a result of the implementation of this measure. 13. From the analysis of accredited preventive and reactive measures, it is confirmed insufficiencies in the implementation of technical measures to guarantee the identity of users who requested second (and subsequent) loans through the web area. The introduction of the second factor of authentication (2FA) as a reactive mechanism, Although it is not a method that ensures total protection against attacks, it offers a level superior security, avoiding cases of identity theft even when the Customer passwords have already been compromised. Maximize the security of the authentication process was adequate, taking into account the potential impact of the possibility of requesting loans with the only requirement to authenticate correctly on the web portal. 14. On the other hand, deficiencies have also been detected in the technical measures preventive measures implemented to monitor and, fundamentally, alert against existence of multiple failed login attempts. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/33 THIRD: According to the report collected from the AXESOR tool, the entity 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. It is a great company with a turnover of 66,551,000 euros in 2022. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Previous issues In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is the processing of personal data, since VIVUS carries out this activity in his capacity as data controller, given that he is the one determines the purposes and means of such activity, pursuant to article 4.7 of the GDPR: "Controller" or "responsible": the natural or legal person, authority public, service or other body that, alone or together with others, determines the purposes and means of treatment; whether Union or Member State law determines. For its part, article 4.2 of the Regulation defines the “processing” of personal data as “any operation or set of operations performed on data personal data or sets of personal data, whether through procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction” III Unfulfilled obligation of article 5.1 f) of the GDPR C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/33 Article 5.1 of the GDPR establishes the principles regarding processing, indicating, among other issues, that the personal data will be: “f) processed in such a way as to ensure adequate security of the data personal data, including protection against unauthorized or unlawful processing and against its loss, destruction or accidental damage, through the application of technical measures or organizational arrangements (“integrity and confidentiality”).” The principle of confidentiality, within the framework of the RGPD, implies the obligation to ensure that personal data is kept protected and can only be be accessible by those who have authorization for their treatment, in order planned and/or consented to by the data owners. In this sense, the GDPR defines personal data as “any information about an identified or identifiable natural person (“the interested party”); shall be deemed identifiable natural person any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or various elements of physical, physiological, genetic, psychological identity, economic, cultural or social of said person;” In the case at hand, the investigative actions carried out by the present authority, an alleged violation of the aforementioned principle of confidentiality. This violation is manifested through the following circumstances: The fact, confirmed by the claimed party, that the attackers accessed to personal data of clients through illegitimate access using Valid credential combinations (ID or Email + Password pairs). With Regardless of the way in which they accessed said credentials, their use to access the personal information of those affected constitutes a manifestation of the violation of the aforementioned principle. The subsequent contact of the attackers with the affected clients, becoming go through the claimed part to request the return of the money to accounts controlled by the attackers. It must also be taken into account that the favorable outcome of the fraud was not only based on personal information obtained illegitimately, but also took advantage of the trust that the clients deposited in VIVUS. The different claims presented by those affected herein authority that emerge in response to illicit actions and that expose I manifest both the exposure of your personal data without your consent such as the subsequent and reactive management of the situation by VIVUS. The complaint presented by the claimed party and subsequently expanded before the security forces and bodies in which they revealed the number of affected persons known at that time, in order for them to carry out the timely actions. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/33 The communication of the breach by the claimed party itself made both to the present authority as well as those affected themselves. Although said communication was carried out late and progressively, it represents a recognition of the violation of the confidentiality of the personal data of those affected. It should be noted that the violation of the principle of confidentiality in this case involves a set of personal data whose nature amplifies the implications of the security breach. This follows from the circumstance that among them, in addition to identifying or contact data such as names, addresses, DNI/NIE, and telephone numbers, various data were also found users' financial information, such as IBAN and information on existing loans in force. The combination of this type of personal data, including knowledge about the financial status of clients, significantly increases the level of risk and the implications of breach of confidentiality. This is due to the circumstance that such a combination not only increases the amount of information available to a malicious actor, but also widens the spectrum of possible abuses. Given the It is not about isolated data or individual pieces of information, but about the exposure of an integrated set of personal and financial data, when combine, they can be used to construct a complete and detailed profile of the financial and personal situation of an individual, which can allow an attacker carry out fraud and identity theft operations with a higher rate of success. Specifically, profiling affected individuals allows Attackers devise highly personalized deception strategies, such as phishing or scamming, significantly increasing the probability of success. Must Keep in mind that detailed information makes it easier to create messages credible that can trick victims into revealing even more information or carry out actions that compromise their financial and personal security. Likewise, unauthorized access and exposure of financial data, such as information on loans, put those affected in a position of significant financial vulnerability. This level of access, in addition to putting into risk the financial assets of those affected, it can also have an impact long-lasting negative impact on your credit history and financial reputation. Of the same form, the information on loans requested, apart from being sensitive from a financial point of view, it may contain details about the economic situation and personal needs of clients that could be used against your willpower. This information can motivate, not only fraudulent behavior, but also manipulation and blackmail, since malicious actors can exploit knowledge of a person's financial vulnerabilities to pressure her or induce her to take actions against her will or interests. Finally, the considerable number of people affected by the gap cannot be ignored. magnitude affected 9,497 clients. This circumstance, likewise, broad significantly the seriousness of the violation of the principle of confidentiality. It must be taken into account that a high number of those affected not only manifest the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/33 scale of the incident, but also multiplies opportunities for misuse of personal information, which exponentially increases the risk of fraud or identity theft, in the terms indicated above. IV Classification and qualification of the violation of article 5.1.f) of the RGPD If confirmed, the aforementioned violation of article 5.1.f) of the RGPD could mean the commission of the infractions classified in article 83.5 of the RGPD that under the The section “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 72 “Infringements considered very “serious” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe violations that involve three years a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)” V Penalty for violation of article 5.1.f) of the RGPD According to article 83.2 of the RGPD “Administrative fines will be imposed, depending on of the circumstances of each individual case, in addition to or in lieu of the measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding the imposition of an administrative fine and its amount in each individual case will be due account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/33 c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been implemented under of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement.” In the same way, article 76 of the LOPDGDD establishes a series of criteria to graduate the possible sanction, following the provisions of section k) of the previous article: “In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, also may be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of medical treatment. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which "There are disputes between them and any interested party." Taking into account these precepts, in the present case it is considered that The sanction to be imposed should be graduated in the following terms: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question such as the number of interested parties affected and the level of damages suffered. suffered; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/33 The concurrence of the aggravating circumstance in the violation of the principle of manifests itself in the nature, severity and duration of the violation. The nature of the violation, which involved the exposure of personal and financial data, highlights the risk significant for the rights and freedoms of the affected persons, especially considering the potential for financial fraud and identity theft. The severity is manifested by the direct impact on financial and personal integrity of customers, as well as the potential long-term damage to their trust and confidence. perception of security. Furthermore, the duration of the infringement, which ceased after the effective implementation of corrective measures, unnecessarily extended the period of vulnerability of clients' personal data, expanding the time frame in which the data was exposed to security risks. Likewise, the concurrence of the aggravating circumstance is also manifested in the number of affected stakeholders, given that it impacted more than 9,000 clients, which highlights both the scale of the incident as well as the considerable volume of individuals whose rights and freedoms were compromised. This widespread impact amplifies the severity of the infringement, given that each affected customer represents a potential case of fraud, identity theft, or financial loss, exponentially multiplying the negative repercussions of the incident. Aggravating circumstance provided for in section b) of article 83.2 of the RGPD: b) intentionality or negligence in the infringement; The Supreme Court has been understanding that imprudence exists whenever disregards a legal duty of care, that is, when the offender does not behave with the required diligence. In this sense, it establishes that in assessing the degree of diligence, the professionalism or otherwise of the subject must be especially considered, professionalism that occurs in this case, given that the activity of the recurring is constant and abundant management of personal data, which It implies greater rigor and care in order to comply with legal provisions. In this case, although direct intentionality is not suggested, negligence emerges both in the delay in notifying those affected of the breach (which took place after request from this entity) as in the delayed reaction after knowledge of the violation of the confidentiality of the personal data of its clients. Sayings elements reflect an omission in the duty of care that VIVUS had towards the protection of their customers' data, which reinforces and amplifies the severity of the infringement and justifies, consequently, the occurrence of this aggravating circumstance. Aggravating circumstance provided for in section b) of article 76 of the RGPD: b) The linking of the offender's activity with the performance of medical treatment. personal information. Taking into account that the core of VIVUS' business activity is based on the granting loans and, therefore, in the intensive processing of personal data and financial, said link deepens the seriousness of the infringement. The company operates in a sector where trust and information security is fundamental, and for this reason it has the responsibility to guarantee with greater rigor the data protection principles regarding the information managed under of said activity, among which are sensitive data, such as bank details C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/33 and/or financial. The nature of VIVUS activity, consequently, amplifies the consequences of the alleged infringement, a circumstance that justifies the concurrence of the present aggravating circumstance. Depending on the aforementioned circumstances, in accordance with the provisions of the article 83.5 of the RGPD, and without prejudice to what results from the instructions herein procedure, it is considered appropriate to establish as a possible sanction a fine of an amount of €200,000 (TWO HUNDRED THOUSAND EUROS) SAW Unfulfilled obligation of article 32 GDPR Article 32 “Security of processing” of the GDPR establishes: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for people's rights and freedoms physical, the person responsible and the person in charge of the treatment will apply technical and appropriate organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to personal data of quickly in case of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to takes into account the risks presented by data processing, in particular as consequence of accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data. 3. Adherence to a code of conduct approved under Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person responsible or in charge and has access to personal data can only process said data following instructions of the person responsible, unless it is obliged to do so by virtue of the Law of the Union or the Member States.” It is necessary to point out that the aforementioned precept does not establish a list of measures specific security measures in accordance with the data being processed, but establishes the obligation for the person responsible and the person in charge of the treatment to apply technical and organizational measures that are appropriate to the risk entailed by the treatment, taking into account the state of the art, the costs of application, the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/33 nature, scope, context and purposes of the processing, the probability risks and seriousness for the rights and freedoms of the interested parties. Likewise, security measures must be appropriate and proportionate to the detected risk, determining those appropriate technical and organizational measures taking into account pseudonymization and encryption, the ability to ensure the confidentiality, integrity, availability and resilience, the ability to restore the availability and access to data after an incident, verification process (which does not audit), evaluation and assessment of the effectiveness of the measures. In any case, when evaluating the adequacy of the security level, one must take into account particularly taking into account the risks presented by data processing, such as consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data and that could cause damages and losses physical, material or immaterial. In this sense, recital 83 of the GDPR states that “(83) In order to maintain the security and prevent the treatment from violating the provisions of this Regulation, The person responsible or the person in charge must evaluate the risks inherent to the treatment and apply measures to mitigate them, such as encryption. These measures must guarantee a appropriate level of security, including confidentiality, taking into account the state of the art and the cost of its application with respect to the risks and nature of the personal data that must be protected. When assessing the risk in Regarding data security, the risks involved must be taken into account. arise from the processing of personal data, such as the destruction, loss or accidental or illicit alteration of personal data transmitted, preserved or processed otherwise, or unauthorized communication or access to said data, susceptible in particular of causing physical, material or immaterial damages.” In the present case, in accordance with the evidence available in this agreement to initiate the sanctioning procedure, and without prejudice to what results of the instruction, it is considered that the known facts could constitute an infraction, attributable to the claimed party, for violation of article 32 of the GDPR. The imputation under Article 32 of the GDPR in the context of VIVUS is based on the alleged deficiencies identified in the application of technical security measures and organizational measures to guarantee a level of security appropriate to the risk what the processing of personal data entails. Of the investigative actions carried out by this authority, various circumstances have emerged that manifest a non-compliance in relation to the specific requirements of the article. Thus, although VIVUS carried out risk analysis on different dates using a internal methodology based on ENISA, it emerges from previous actions a incorrect assignment of values to key variables which implies underestimation significant risk and severity of the breach. This shows a possible inadequacy in risk assessment by not taking into account the state of the art, the costs of implementation, and the risks to people's rights. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/33 In the same way, the delay in communicating the incident to those affected until on April 11, 2023, after receiving the order from the competent authority, highlights a limitation on VIVUS's ability to ensure confidentiality, permanent integrity, availability and resilience of security systems and services data treatment. This delay in notification could pose greater risks for the affected individuals, thus failing to comply with the obligation of article 32 to quickly restore availability and access to personal data in case of incident. Likewise, the lack of analysis of specific risks for the rights and freedoms of the people interested in the treatment activity, and the concentration on financial impacts for VIVUS rather than risks to individuals affected, highlights an inadequate approach to data protection from a individual-centered perspective. The implementation of reactive measures by VIVUS, although necessary and useful to address the consequences of the security breach, while revealing insufficiencies in the anticipation and mitigation of data security risks personal. This highlights the importance of continuous risk assessment, proactive security planning and agile incident response, in accordance with the requirements of article 32 of the RGPD, all circumstances that have not been taken into account by VIVUS, as deduced from the actions carried out. In this sense, VIVUS's initial decision to allow new applications for successive loans based solely on a form of authentication with username and password reveals an underestimation of the risks associated with theft identity and financial fraud. Based on the fact that the affected customers had already completed an identification process for your first loan, the system VIVUS did not require rigorous identity verification for transactions subsequent. This practice opens the door for malicious actors, if they manage to obtain access credentials from clients, they can apply for loans fraudulently. The implementation of Double Factor Authentication (2FA) by VIVUS constitutes, without Without a doubt, a significant advance in the protection of data security and integrity of your financial transactions. However, this advance comes in a reactive moment, after critical vulnerabilities have manifested and a security breach has occurred with broad effects. The adoption of 2FA, Although crucial, it manifests a missed opportunity to have anticipated and mitigated proactively address risks before they materialize into real harm to clients, which is, in essence, the purpose pursued by the aforementioned article 32. The aforementioned deficiencies detected in the preventive measures prior to gap, especially with regards to user authentication for application for successive loans, underline an adequate risk assessment appropriate in accordance with the provisions of article 32 of the GDPR. As indicated in the conclusions of the research actions, despite the significant improvement that 2FA represents, the situation highlights shortcomings in technical measures preventive measures prior to the breach, particularly with regard to monitoring C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/33 of failed login attempts and the generation of alerts. The lack of a effective system for detecting anomalous authentication patterns makes it easier for potential attackers exploiting compromised credentials without being detected timely. In the present case, the nature of VIVUS's activity cannot be ignored, which operates in the financial sector, which means that the processing of personal data involves sensitive information, including financial and identification details staff. The circumstances related to said activity represent a greater demand regarding technical and security measures in order to protect the rights in matter of user data protection. Finally, it should be noted that the lack of adequate security measures by part of VIVUS is an issue that goes beyond the specific security breach produced. Although the implementation of reactive measures such as the Double Factor of Authentication (2FA) and the improvement of the SIEM monitoring system were steps important in response to the breach, VIVUS's non-compliance lies in a broader and pre-existing omission: the lack of adoption of a data security framework Comprehensive and proactive data. This lack of adequate security measures, regardless of the breach, points out a disconnect between the assessment of potential risks and the implementation of technical and organizational measures necessary to prevent such incidents. The situation shows a disconnection in the safety culture of the VIVUS information, where measures tend to be reactive rather than focused on a proactive and risk-based security strategy. This reactive posture limits the effectiveness of security measures and increases the vulnerability to future breaches, since not all necessary security measures are not directly related to the prevention of specific incidents, but rather to creating a comprehensively safe environment. In short, the measures adopted by VIVUS, the nature of its activity and its reactive management regardless of the security breach that occurred underline a alleged non-compliance with article 32 of the GDPR) which requires the implementation of appropriate technical and organizational measures to guarantee a level of security appropriate to the risk of personal data processing. Although VIVUS took measures reactive, these actions came in response to an already exploited vulnerability, rather than as part of a proactive risk management strategy. VII Classification and classification of the violation of article 32 of the RGPD If confirmed, the aforementioned violation of article 32 of the RGPD could mean the commission of the infractions classified in article 83.4 of the RGPD that under the The section “General conditions for the imposition of administrative fines” provides: “Infractions of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/33 a) the obligations of the controller and the processor in accordance with articles 8, 11, 25 at 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of the Regulation (EU) 2016/679 are considered serious and will expire after two years. infringements that involve a substantial violation of the aforementioned articles in that and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that result appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679. VIII Penalty for violation of article 32 of the GDPR In the terms indicated by the aforementioned article 83.4 of the RGPD, the violation of the Article 32 will be sanctioned, “with administrative fines of 10,000,000 EUR as maximum or, in the case of a company, an amount equivalent to 2% as maximum of the total global annual turnover of the previous financial year, opting for the highest amount” Likewise, according to the previously established criteria, it is assumed that considers that in the present case it is appropriate to graduate the sanction to be imposed in the following terms: Aggravating circumstance provided for in section a) of article 83.2 of the RGPD: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages suffered. suffered; In the present case, the occurrence of the aforementioned aggravating circumstance emerges. considering the nature, severity and duration of the alleged infraction committed. In the case of the nature of the violation, it manifests itself in inadequate treatment of personal and financial data, a critical aspect taking into account the sensitivity of the information involved. For its part, gravity arises from the potential significant harm to the rights and freedoms of affected individuals who possess failure to adopt appropriate security measures, including fraud risks and financial loss. Furthermore, the duration of the violation, extending from the time of breach to late implementation of corrective measures, justifies the concurrence of the aforementioned aggravating circumstance. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/33 Aggravating circumstance provided for in section b) of article 83.2 of the RGPD: b) intentionality or negligence in the infringement; In the terms previously indicated regarding the doctrine of the Supreme Court Regarding recklessness, in the present case negligence is manifested in the lack forecasting and the late adoption of measures such as 2FA, which are essential for the protection of personal data. This negligence indicates an omission in the application of a proactive and risk-based data security approach, essential to prevent unauthorized access and other forms of compromise of data. Negligence, therefore, manifests itself in this case in not anticipating and mitigating the risks, especially in a sector as sensitive as the financial one, which justifies the concurrence of the aforementioned aggravating circumstance. Aggravating circumstance provided for in section b) of article 76 of the RGPD: b) The linking of the offender's activity with the performance of medical treatment. personal information. The violation of Article 32 by VIVUS is particularly aggravated by the close linking your business activity with the intense and continuous treatment of personal data, given that granting loans involves the management of personal and financial information in an ordinary and massive manner. In this sense, the lack of adequate security measures puts at risk the essence of the operation in that this type of entities is based on and undermines confidence in the digital financial sector. In the same way, the nature of said activity required greater rigor in the adoption of security measures, a requirement that was not materialized in the case that concerns us. Taking into account the general conditions for the imposition of fines administrative procedures established by the aforementioned article 83.2 of the RGPD, taking into account to the circumstances of this case and without prejudice to what results from the instruction of this procedure, a fine of amount of €400,000 (FOUR HUNDRED THOUSAND EUROS). IX Adoption of measures If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in art. 83.2 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/33 It is warned that failure to comply with the possible order to adopt measures imposed by This body in the sanctioning resolution may be considered as a administrative offense in accordance with the provisions of the RGPD, classified as infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: FIRST: START SANCTIONING PROCEDURE against 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U., with NIF A86521309, for the alleged violation of the Article 5.1.f) of the RGPD and Article 32 of the RGPD, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR. SECOND: APPOINT R.R.R. as instructor. and, as secretary, to S.S.S., indicating that they may be challenged, if applicable, in accordance with the provisions of the articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector Public (LRJSP). THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the different claims filed and their documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure. FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be:, without prejudice to what results from the instruction: - For the alleged violation of article 5.1.f) of the RGPD, typified in article 83.5 of said rule, administrative fine of 200,000.00 euros. - For the alleged violation of article 32 of the RGPD, typified in article 83.4 of said rule, administrative fine of 400,000.00 euros. FIFTH: NOTIFY this agreement to 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U., with NIF A86521309, granting it a hearing period of ten business days for you to formulate the allegations and present the evidence you consider convenient. In your written allegations you must provide your NIF and the number of file that appears at the head of this document. If within the stipulated period you do not make allegations to this initial agreement, the same may be considered a proposal for a resolution, as established in the article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/33 present initiation agreement; which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be established at 480,000.00 euros, resolving the procedure with the imposition of this sanction. Likewise, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in the amount. With the application of this reduction, The penalty would be established at 480,000.00 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the measures corresponding. The reduction for the voluntary payment of the penalty is cumulative with that corresponding apply for recognition of responsibility, provided that this recognition of the responsibility becomes evident within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if both reductions were applicable, the amount of the penalty It would be established at 360,000.00 euros. In any case, the effectiveness of any of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any action or appeal pending. administrative against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (480,000.00 euros or 360,000.00 euros), you must do so cash by depositing it into the IBAN account number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Agency of Data Protection in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure appearing in the heading of this document and the reason for the reduction in the amount to which it applies. Likewise, you must send proof of income to the General Subdirectorate of Inspection to continue the procedure in accordance with the quantity entered. The procedure will have a maximum duration of twelve months from the date of the initiation agreement. After that period has elapsed without it having been issued and notified resolution will expire and, consequently, the proceedings will be archived; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. 935-18032024 Sea Spain Martí Director of the Spanish Data Protection Agency >> C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/33 SECOND: On April 25, 2024, the claimed party has proceeded to pay the penalty in the amount of 360,000 euros making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations to The opening of the procedure entails the waiver of any action or appeal pending. administrative against sanction and recognition of responsibility in relation to the facts referred to in the Initiation Agreement. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter, LPACAP), under the heading “Termination in sanctioning procedures” provides the following: "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or a penalty can be imposed pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged responsible, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction has only a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/33 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the initiation notification. of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased “regularly.” According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202304633, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 936-040822 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es