AEPD (Spain) - PS/00179/2020: Difference between revisions

From GDPRhub
|Date_Decided=
|Date_Published=18.03.2021
|Year=2021
|Fine=600000
|Currency=EUR


|Party_Name_1=Air Europa Líneas Aéreas S.A.
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
}}


The Spanish DPA (AEPD) fined Air Europa Líneas Aéreas S.A. €600,000 for the infringement of Articles 32(1) and 33 GDPR, due to the lack of appropriate technical and organisational measures and of an adequate level of security and due to the delay in the notification of a personal data breach.


==English Summary==


===Facts===
Air Europa notified the AEPD of a data breach consisting of unauthorized access to contact and bank card information, affecting 489,000 data subjects and 1,500,000 records. The unauthorized access was carried out via hacking and malware. A subsequent audit found, among other vulnerabilities, the use of a weak password and technical shortcomings such as the lack of a multi-factor authentication system.


The bank card data included the card number, expiry date and CVV. Data from around 4,000 bank cards was used to commit fraud. However, Air Europa classified the breach as medium risk and decided not to inform the affected data subjects, arguing that it would be impossible to identify all of them and that a public notification was not necessary because there was no serious risk to the rights of the affected data subjects.


Additionally, the AEPD was notified of the data breach more than one month after Air Europa became aware of it (a banking institution notified Air Europa of the breach on 17 October 2018; Air Europa notified the AEPD on 27 November 2018).


===Dispute===


Were the technical and organisational measures adopted by Air Europa sufficient to ensure an adequate level of protection for the data they process?
 
Was the notification of the data breach delayed?
===Holding===
The AEPD, based on the subsequent audits of the breach, concluded that there had been a lack of appropriate technical and organisational measures, resulting in an inadequate level of security, and therefore an infringement of Article 32(1) GDPR.
 
The AEPD notes that the level of security protecting the data was not adequate by design and by default. It supports this with the fact that Air Europa was unable to detect the data breach itself and only became aware of it when notified by a banking institution.
 
The AEPD sanctioned Air Europa with a fine of €600,000:
 
*Due to infringement of Article 32(1), for the lack of appropriate technical and organisational measures and of an adequate level of security, the fine was €500,000.
*Due to infringement of Article 33, for the delay of more than one month in the notification of the personal data breach, the fine was €100,000.
 
==Comment==
''Share your comments here!''


==Further Resources==
''Share blogs or news articles here!''


==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


<pre>
<pre>
Page 1
1/35
Procedure Nº: PS/00179/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On 02/04/2019 the Director of the Spanish Data Protection Agency agreed to initiate investigative actions in relation to the notification of a security breach made by AIR EUROPA LÍNEAS AÉREAS, SA, with CIF ***CIF.1 (hereinafter AIR EUROPA), regarding unauthorized access to contact and bank card information affecting 489,000 data subjects and a volume of 1,500,000 records.
However, on 02/28/2020, it was agreed to open new investigative actions against AIR EUROPA and to incorporate into them the documentation that made up the previous actions in file E/02564/2019, which had been declared expired.
The security breach notification was made on 11/28/2018 and 01/22/2019, as an initial and a complete notification respectively.
Subsequently, on 01/22/2019, another notification was made to correct information previously provided, owing, as stated by AIR EUROPA, to discrepancies between the acknowledgment of receipt issued by this Agency's electronic office and the data actually entered in the online form. The three notifications contain, among others, the following information:
• That on 11/27/2018 repeated attempts were made to submit an initial notification to this Agency through the form provided for this purpose at the electronic office, but the online notification procedure made submission by that means impossible, so the initial notification was submitted in person on 11/28/2018.
• Data controller: AIR EUROPA, whose details have been included in the Investigated Entities section.
• Breach detection date: ***DATE.1
• Means of detecting the breach: AIR EUROPA received a notification from Banco Popular regarding a potential security incident, which triggered the activation of AIR EUROPA's incident response plan on 10/17/2018.
• Start date of the breach: 05/12/2018
• Breach resolved as of 11/17/2018.
• Justification for late notification: N/A
• Summary of the incident: the security incident involved unauthorized access to bank card information (card number, expiration date and CVV) that could have been used to commit fraudulent transactions, although all the cards identified were cancelled before it was established that any harm had been caused to the data subjects.
In some cases (approximately 2,500) the identity of the holders of the bank cards has also been compromised.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
• Type: Confidentiality breach (unauthorized access).
• Means by which the breach materialized: Hacking and malware.
• Context: External (intentional action).
• That before the breach the following preventive measures were applied:
Network security:
An in-house team with more than 10 years of experience in network management and LAN and WAN administration.
The company has designed and provided training to employees on the use of the tools made available to them, in accordance with current legislation.
AIR EUROPA uses 1.- [………].
Periodically (XXX) a vulnerability assessment program is run to monitor for potential security breaches through known vulnerabilities.
In addition to the firewall systems that allow unauthorized access to be managed and blocked, there is a 2.- [………].
To protect user browsing, there is a 3.- [………].
Information protection and access controls:
Access to information systems requires identification and authentication of all users 4.- [………] (XX).
The XX is connected with the system 5.- [………].
There is a password renewal policy under which users are forced to change their password every XXX.
The policy of 6.- [………].
The management policies for application access permissions 7.- [………] allow the principle of least privilege to be applied.
Prevention:
AIR EUROPA began a few months ago a process aimed at preparing a Security Master Plan in order to have a broader view of threats and define a more effective strategy. 8.- [………].
• That the categories of data affected are basic data and bank card information such as number, expiration date and CVV.
• That no special categories of data are affected.
• That the approximate number of data records affected is 1,500,000.
• That the profile of the affected subjects is customers, the number being approximately 489,000 people affected.
• That the nature of the potential impact on the subjects is fraud.
• That the possible consequences are disclosure to third parties / dissemination on the internet, and that the data could be exploited for other purposes.
• That it classifies the severity of the consequences as "Medium".
• That the measures taken to resolve the breach and minimize the impact were:
o Conducting a preliminary investigation.
o Hiring a forensic company, ***COMPANY.1, to provide support and assistance in the analysis of the incident.
o Hiring a company specializing in the analysis and resolution of incidents, ***COMPANY.2.
o Monitoring of tasks and planning of improvements and actions to be implemented in the systems in order to "close doors" and reduce risk.
o Review of all the security measures and reinforcement of them.
o Chronology of the actions taken, described in the attached documents.
• That the data subjects will not be informed for the following reasons:
o There is only evidence of 11 requests for information from customers in relation to this event, and all of them are being answered. The existence of other affected persons is unknown.
o That appropriate technical and organizational protection measures have been adopted which ensure that a risk to the rights and freedoms of the data subjects affected by the security breach is unlikely to materialize.
o That they understand that at this time it is more burdensome for the general interests and for those of the data subjects to make a public communication, since they do not have contact details for all the affected persons.
• Attached documents are provided that contain, among others, the following statements:
o That immediately after becoming aware of the breach, a company specializing in security breaches and forensic analysis, ***COMPANY.3, was engaged.
o The company ***EMPRESA.2 was hired for the purpose of analyzing the scope, together with ***COMPANY.3, and applying the measures necessary to remedy the incident.
o That the extent of the breach is not yet fully known. The security incident involved unauthorized access. This notification is made in a preliminary way to provide the information that is available so far.
o That a series of technical measures were adopted, focusing first on containment activities and then on preventive activities.
o That after analyzing the information that AIR EUROPA believes to have been compromised, it is highly unlikely that only Spanish data subjects have been affected. However, AIR EUROPA is currently not in a position to identify the specific nationalities of all the affected data subjects.
o Chronology of the actions taken:
• ***DATE.1. AIR EUROPA receives a notification from VISA (Banco Popular) related to a potential security incident, which triggers the activation of the Incident Response Plan (PRI) on October 17, 2018.
• 10/18/2018. As part of the PRI, the company ***COMPANY.3 is contacted to provide support and assistance in the forensic analysis of the incident; its engagement took place on October 22, 2018.
• 10/24/2018 to 10/31/2018. Collection of the necessary evidence and information.
• 11/05/2018 to 11/08/2018. Analysis of the information collected. On November 8, the forensic analyst confirms the existence of a breach.
• 11/08/2018. ***COMPANY.2 is contacted with the aim of reinforcing the internal security teams and working jointly with ***COMPANY.3.
• 11/09/2018. The work of ***COMPANY.2 begins, "closing doors" and progressively reducing the risk.
• 11/14/2018. Tasks to review the set of security measures and, where appropriate, reinforce them. ***COMPANY.2 and the forensic team identify that a server is communicating with an unrecognized IP.
• 11/15/2018. AIR EUROPA receives specific instructions from the forensic team with 8 measures designed to contain the problem. With the support of the ***EMPRESA.2 team, top priority is assigned to the containment tasks.
• 11/17/2018. Confirmation by ***COMPANY.2 and ***COMPANY.3 that the breach is contained.
• 11/23/2018. ***COMPANY.2 confirms that 90% of the containment and protection actions have been carried out and that the pending tasks are to be completed in the coming days. The effectiveness of the real-time monitoring measures that continue to be deployed to guarantee the detection of any intrusion is also confirmed.
SECOND: the Subdirectorate General for Data Inspection carried out the following actions:
On 04/01/2019, AIR EUROPA sent this Agency the following information and statements:
1. An audit report carried out by ***COMPANY.4 and dated 12/20/2018 with the following statements:
In the section "Background to the Incident" it is stated:
"In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, some 4,000, had been used to commit fraud. The stolen data included personal and financial data of GLOBALIA customers who made reservations and modifications on AirEuropa.com. The data did not include travel or passport data."
Statements in the rest of the audit document:
a. "The first confirmed access to the GLOBALIA network by the attacker took place on May 12, 2018."
b. "After this initial access, the attacker compromised a series of GLOBALIA systems, and IRIS believes that the attacker continued accessing GLOBALIA systems and accounts at least until August 11, 2018."
c. "Although IRIS has not been able to confirm how the attacker managed to exfiltrate information from the GLOBALIA network or what was exfiltrated, given the limitation of logs, what IRIS has confirmed is that the attacker had collected at least 488,847 unique credit cards."
d. "From the sample of 4,939 unique credit cards already declared fraudulent, 1,185 were found in the above-mentioned collection."
e. "The attacker viewed and stored in ***FILE.1 at least 2,651 unique card numbers, CVVs, expiration dates and cardholder names."
f. "In total the attacker compromised at least 12 systems and a minimum of 2 service accounts in support of its operation."
g. "For the initial access, the attacker took advantage of 9.- [………] to gain access to the network for the first time."
h. "Any system exposed to the Internet, 10.- [………]."
i. "Likewise, subsequent investigations of the accounts compromised by the attacker, such as the service account GLOBALIA\EJP, revealed that it was using a password that did not meet the complexity and length requirements in line with industry best practice, which would have made it easier for the attacker to compromise this account."
j. "Although IRIS could not confirm how the attacker exfiltrated information, due to log limitations, some investigation data indicate when it was possible to take the data and from where. Given that most of the sensitive data collected by the attacker was found on or transferred to the server ***FILE.1, and that this server also had the only viable persistence mechanism, it is likely that the attacker used ***FILE.1 as a test server from which to exfiltrate information. Similarly, a statistical analysis of firewall logs revealed that the highest number of connections to the IP address controlled by the attacker, ***IP.1, from GLOBALIA systems took place between May 14 and June 4, with a peak on May 19-21, indicating that the attacker got down to work. Given the volume of activity, it is possible that data exfiltration also occurred during these time frames, although the fact that the attacker accessed specific files related to credit cards later, in June, could indicate that the exfiltration also took place later in the same month."
k. "To maintain access to the network, the attacker used publicly available tools, of 11.- [………], on the systems that communicated with the IP address controlled by the attacker, ***IP.1."
l. "No further malicious activity was observed from the same attacker or threat actor after August 11, 2018."
m. "The IP address controlled by the attacker was blocked on November 15."
n. "An inconsistent logging configuration was observed in the systems analyzed, such that only some systems stored log files locally; for example, scripts executed by PowerShell were only logged on some systems.
Audit logs are important during a security incident in order to reconstruct the attacker's activities ...
Therefore, it is recommended to review the current audit and retention policy and apply it uniformly throughout the environment. If not already in use, it is also recommended to assess the possibility of centralizing log collection on a dedicated platform, such as a Security Information and Event Management (SIEM) product, ..."
a. "Although it has not been possible to determine exactly the source of the infection of the in-scope systems, one of the most probable is that 12.- [………]."
b. "Blocking and monitoring outbound traffic to suspicious external IP addresses is a good way to detect abnormal behavior originating from the network.
In this incident we have 13.- [………], communicating with external IP addresses that were not related to any payment system, nor were they justified by other business needs."
a. "During the investigation, IRIS observed various systems that had been running for longer than one year, so the operating systems had not received patches for such a long period."
2. A calendar of the technical tasks undertaken to close the breach and of the protection improvements implemented, which, as stated by AIR EUROPA, took into consideration the measures and recommendations issued by ***COMPANY.2 after analyzing the security incident. This calendar contains tasks between 11/14/2018 and 02/13/2019, classified into the following groups:
a. XXX XXX update.
b. Firewall rules restriction.
c. ***IP.2 blocking and logging.
d. Cleaning of local users XXX XXX.
e. Password changes.
• 14.- [………].
f. Antivirus.
g. Application 15.- [………].
h. Patching vulnerabilities and updating the servers involved in the incident.
i. Installation XXX XXX.
j. 16.- [………].
k. Replatforming of XXX XXX.
l. Configuration 17.- [………].
3. AIR EUROPA states that it has received only 20 communications from customers, due in most cases to inconveniences derived from the cancellation of their card by their bank, without reporting any economic damage suffered, and in which they request further information. Only 3 of them stated that they had suffered some kind of economic damage as a result of the use, by third parties, of personal data obtained through the attack. AIR EUROPA has responded to the information requests made by the data subjects.
4. Provides a risk analysis regarding the security measures in the processing of online sales data of AIR EUROPA passengers, which consists of a one-page document analyzing 9 risks.
5. Provides the risk analysis carried out regarding whether or not notification to this Agency and to the data subjects was necessary. In this analysis it is stated:
a. Art. 34.3 of the GDPR establishes three exceptions to the obligation to notify data subjects:
• Regarding 34.3.a):
"In relation to AIR EUROPA systems, there were no specific measures, 18.- [………]. However, the information accessed by the attackers does not include sensitive information such as special categories of personal data, postal addresses or telephone numbers, passport or ID numbers or dates of birth. This sensitive information is not stored together with bank card information, as a security measure. As a result, it is very difficult to identify unique individuals within the data set."
• Regarding 34.3.b):
"… Once the incident had been identified by the banking entities, these and the issuers of the compromised bank cards proceeded to block them and to report said blocking to the data subjects, in such a way that the compromised data remains disabled ..."
The communication template sent by the entity Bankinter to its customers is provided.
• Regarding 34.3.c):
"… It is practically impossible to uniquely identify the data subjects from this data set, since their contact details are not available.
Therefore, if it were determined that the data subjects should be notified, AIR EUROPA would have to make a public communication instead of individual notifications.
AIR EUROPA understands that at this moment it is more burdensome for the general interests and for those of the data subjects to make a public communication, as there is no benefit derived from that communication."
b. That, according to the AEPD analysis methodology, the quantitative result would not exceed the threshold established for such notification (30 vs 40), while the qualitative threshold would be exceeded. Nevertheless, taking the foregoing into account, AIR EUROPA has decided not to notify the data subjects, arguing that the incident is not likely to pose a high risk to their rights and freedoms.
c. That in those cases in which a high risk could be observed, one or more of the exceptions contained in art. 34 GDPR would apply, namely those provided for in art. 34.3 a) and b).
On 11/14/2019, AIR EUROPA sent this Agency the following information and statements:
1. That 100% of the share capital of AIR EUROPA belongs to GLOBALIA CORPORACIÓN EMPRESARIAL, SA. That there is a team at AIR EUROPA responsible for information systems, headed by the CIO. At the operational level, the functions related to the provision of infrastructure and the administration of information and communications systems are provided by GLOBALIA SISTEMAS Y COMUNICACIONES SLU, a company 100% owned by GLOBALIA CORPORACIÓN EMPRESARIAL, SA.
2. Provides a signed copy of the assistance and management contract in the area of information and communications systems dated 10/31/2009 between AIR EUROPA LINEAS AÉREAS, SAU and GLOBALIA SISTEMAS Y COMUNICACIONES, SLU, which states, among others:
a. That GLOBALIA SISTEMAS will assist AIR EUROPA in the areas of information and telecommunications systems.
b. That the service to be provided by GLOBALIA SISTEMAS will be comprehensive, in a way that allows AIR EUROPA the total outsourcing of services in the areas of information and communications systems.
c. That GLOBALIA SISTEMAS will carry out on its own initiative the steps and tasks appropriate for the performance of the services previously identified. Notwithstanding the foregoing, GLOBALIA SISTEMAS will submit the projects to be developed for AIR EUROPA's approval and will report on its work in meetings organized by mutual agreement, at least quarterly.
3. Provides a signed copy of the novation of the data processor contract dated 10/31/2019, according to which GLOBALIA SISTEMAS Y COMUNICACIONES, SLU is the data processor and AIR EUROPA LINEAS AÉREAS, SAU is the data controller.
4. Provides a copy of the GLOBALIA Cybersecurity Incident Response Plan with an effective date of 07/05/2019 in its first version, as indicated by the document's version control and cover page.
5. That the forensic report of ***COMPANY.3 is a report that banks require, on behalf of the payment institutions that are members of the PCI Council (as would be the case of VISA), from entities affected by an incident, in order to evaluate the 19.- [………].
6. That the forensic report of ***COMPANY.3 has a very specific purpose and is oriented towards identifying the volume of cards identified as compromised, which as a general rule determines the compensation that the PCI Council may require from the entity affected by the incident.
Provides the forensic report of ***COMPANY.3 dated January 2019 and based on the investigation initiated on 10/25/2018, which contains the following statements, among others:
a. "The investigation carried out by ***EMPRESA.3 identified evidence of a breach at AIR EUROPA."
b. "The investigation by ***EMPRESA.3 identified more than 2.7 million unique card numbers that had been extracted from the credit card databases by the attacker. Although some of the card data were 20.- [………], the attacker managed to use 21.- [………] tools to obtain clear text data."
c. "The intrusion probably originated in insecure systems accessible through the internet. ***COMPANY.3 identified several devices that had not been patched regularly ..."
d. Summary of possible causes and list of attack vectors:
22.- [………]
a. There is evidence of a breach of the cardholder data environment.
b. "The attack began when the attacker accessed XXX XXX from a server that was not properly segmented at XXX XXX".
c. "The attacker had a systematic connection to an external host. 23.- ***COMPANY.3 [………]. However, it did observe how the attacker created multiple files and later compressed them into a single archive. 24.- [………]."
d. Possible exposure of data types, among others: cardholder name, cardholder address, expiration date.
e. That the total number of cards exposed is 2,722,692, this not being the number of cards that are at risk.
2. That, in relation to the reason for not detecting the breach until ***DATE.1 even though the attack started on 05/12/2018, AIR EUROPA states that the breach occurred as a result of an APT, a targeted and sophisticated attack, planned and executed in a professional and treacherous manner.
It also states that:
"The attack suffered by the Company is a type of 'attack [...] designed to last over time and manage to evade all the security measures of the most common platforms', as described by INCIBE in an article published on its website on June 16, 2016 and signed by AAA. It is, therefore, a type of stealth attack whose ultimate goal is to exfiltrate sensitive information from an organization and erase its traces upon completion, which makes them extremely difficult to detect."
1. It states that the key dates of the project to prepare the Security Master Plan (PDS) are:
a. July 2019: definition of the preliminary scope of the business services that will be evaluated for the development of the PDS.
b. September 11, 2019: kick-off meeting.
c. January 31, 2019: project closure.
d. February 3, 2020: entry into force of the PDS.
2. Provides a document entitled "Critical and Security Updates Procedure" and states that this procedure has been applied routinely since before the incident.
a. This document states 25.- [………].
"26.- [………]"
b. This document states in section 27.- [………].
c. This document states in the 28.- [………]."
3. Provides the AIR EUROPA Information Security Manual, the document's last modification date being 10/31/2013, the purpose of this document being to comply with the obligation established in article 9 of Organic Law 15/1999.
4. It states that "it is relevant to state, as important information for the purpose of confirming the absence of relevant effective damage, that the number of claims received from users of the Company that could be related to the incident has been very small (2 claims in total, with no request for compensation). This confirms the analysis that the attackers have not been able to obtain sensitive or relevant information and that, with the information they may have stolen, the existence of numerous technical and organizational security measures throughout the process chain (including the entities involved in payment services) has meant that this information could not have been used to cause serious harm."
On 06/04/2020 AIR EUROPA sent this Agency the impact assessment of the processing "Sale to customers through alternative channels".
THIRD: On 06/23/2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of articles 32.1 and 33 of the GDPR, typified in accordance with the provisions of article 83.4.a) of the aforementioned GDPR.
FOURTH: Once the aforementioned initiation agreement had been notified, the respondent submitted to the AEPD a written request for a copy of the file and an extension of the period granted for the submission of allegations, which was granted for five more days.
On 07/16/2020, the respondent submitted a brief of allegations in which, in summary, it stated that it was not true that the security breach had not been reported; rather, once there were well-founded indications that the cyberattack suffered had affected a considerable number of data, it was notified; that the respondent had at all times responded to the requests made by the AEPD; the inadmissibility of the violation of article 33 of the GDPR, since the notification was made; the lack of motivation and of responsibility found by the AEPD; that in the resolutions issued by the AEPD regarding security breaches less sophisticated than the one analyzed, most were archived whenever technical security measures prior to the incident were accredited and palliative measures were subsequently adopted, as is the case here; and its disagreement with the gradation of the sanction in the event of a possible infringement of article 32.1 of the GDPR, due to the absence of aggravating factors and the existence of mitigating factors that were not considered in the initiation agreement.
FIFTH: On 11/23/2020, the instructor of the procedure agreed to open a period for the taking of evidence, carrying out the following:
To consider reproduced for evidentiary purposes all the documents obtained and generated by the Inspection Services and the Report of prior actions of the Inspection that form part of file E/01909/2020.
To consider reproduced for evidentiary purposes the allegations to the initiation agreement PS/00179/2020 submitted by the defendant and the documentation accompanying them.
To request from the defendant, with reference to the date before the start of the breach:
- Description (including the names of the servers and of the databases contained in them) of the different system environments, from the point of view of security, where customer data and their bank cards are stored, including at least postal address, telephone numbers, passport numbers, ID, date of birth, cardholder name, card PAN, card expiration date and CVV code. Likewise, indication of the types of data stored within each environment/server/database, and documentation accrediting the security measures applied to isolate the different environments from each other.
- For each of the environments, servers and databases identified in the previous section, a screenshot showing, for 50 records, all the data stored together with an explanation of its meaning.
Taking into account the Risk Analysis document delivered to this Agency under the name "Documento_3__PIA_Venta_on_line.pdf" and the measures applied before the start of the breach, provision of the following information and documentation in force prior to the start of the breach:
• Reason why they were not included in the risk analysis 29.- [………].
• Reason why they were not adopting 30.- [………]:
31.- [………].
32.- [………]
On 12/02/2020, the defendant filed before the AEPD a written request for extension of the period granted for the provision of evidence, which was granted for five more days.
On 12/16/2020, the defendant responded to the request for information; its content is in the file.
SIXTH: On 02/05/2021 a Proposal for Resolution was issued to the effect that the Director of the Spanish Data Protection Agency sanction the defendant for infringement of articles 32.1 and 33 of the RGPD, typified in article
83.4 of the RGPD, with fines of €500,000 (five hundred thousand euros) and €100,000 (one hundred thousand euros), respectively.
On 02/10/2021, the defendant filed before the AEPD a written request for extension of the period granted for the presentation of allegations, which was granted for two more days.
On 02/25/2021 the defendant submitted a brief in which it alleged, in summary: the importance that both the incident produced and the protection of the personal data of all its clients have for the defendant; the helplessness caused by the failure to consider the evidence submitted in response to the AEPD's last request for information; the express challenge of the entire report of the company Foregenix; the inadmissibility of the sanction imposed for the alleged infringement of article 33 of the RGPD and, alternatively, its prescription; disagreement with the imputation of the infringement of article 32 of the RGPD in relation to the appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and the inappropriateness of using forensic reports as evidence that Air Europa did not have adequate security measures; lack of proportionality in the analysis of the aggravating circumstances taken into account by the AEPD for grading the sanction imposed as a consequence of the alleged infringement of article 32.1 of the RGPD, the existence of mitigating circumstances that have not been considered when establishing the amount of the sanction, and the disparity of criteria in relation to previous similar sanctioning procedures.
SEVENTH: From the actions carried out in this procedure and the documentation in the file, the following have been accredited:
PROVEN FACTS
FIRST: On 11/29/2018 the AEPD received a written document from the defendant stating that on *** DATE.1 it had received a notification from Banco Popular regarding an incident, which caused the activation of the incident response plan on 10/17/2018.
SECOND: On 01/18/2019 the defendant provided the complete notification through the form enabled at the electronic headquarters of the AEPD, providing annexed documents relating to the preventive measures applied prior to the incident, the containment measures and additional information, and the justification for not informing the data subjects affected by the incident.
THIRD: On 04/01/2019 the defendant provided: a forensic technical report prepared by *** EMPRESA.2 in relation to the incident communicated to the AEPD, which analyzes the incident produced and makes recommendations, pointing out that "In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4,000, had been used to commit fraud. The stolen data included personal and financial data of GLOBALIA clients who made reservations and modifications on AirEuropa.com. The data did not include travel or passport data" and that "The first confirmed access to the GLOBALIA network by the attacker took place through 33.- [………] for an unknown account on May 12, 2018."; a report prepared by the defendant's technical team, which identifies the technical tasks
carried out to close the breach and the protection improvements implemented, following IBM's recommendations; a risk analysis regarding the security measures in the processing of online sales data of Air Europa passengers; and the risk analysis carried out by the Company regarding whether or not to notify the AEPD and the data subjects of the security breach suffered.
FOURTH: On 11/14/2019 the defendant provided a forensic report of *** COMPANY dated January 3, 2019, based on the investigation conducted and the analysis of possible causes, noting, among other things, that "The investigation carried out by *** COMPANY.3 identified conclusive evidence of a breach in AIR EUROPA"; a copy of the contract of 10/31/2009 for assistance and management of information and communications systems between GLOBALIA SISTEMAS Y COMUNICACIONES, SLU and the defendant, in which they hold the status of controller and processor respectively; and copies of the GLOBALIA Cybersecurity Incident Response Plan of 07/05/2019 and the Information Security Manual dated 10/31/2013.
FIFTH: On 06/04/2020 the defendant provided an Impact Assessment of the processing "Sales to customers through alternative channels".
SIXTH: The defendant has provided documents relating to the measures it had in place prior to the declared security incident.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD grants to each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
II
Article 58 of the RGPD, Powers, states:
"2. Each supervisory authority shall have all of the following corrective powers:
(…)
i) to impose an administrative fine pursuant to article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;
(…)"
The RGPD establishes in article 5 the principles that must govern the processing of personal data and mentions among them that of "integrity and confidentiality".
That article states that:
"1. Personal data shall be:
(…)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')".
(…)
On the other hand, article 4 of the RGPD, Definitions, establishes in its paragraphs 7, 8 and 12:
"(…)
7) "controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8) "processor": the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(…)
12) "personal data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(…)"
Likewise, article 24, Responsibility of the controller, states that:
"1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in article 40 or approved certification mechanisms as referred to in article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller".
And article 25, Data protection by design and by default, states that:
"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying
likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this article".
Therefore, in order to remedy a security breach, the controller must be able to recognise it, and the consequence of such a breach is that the controller cannot guarantee compliance with the principles relating to the processing of personal data, as established in article 5 of the GDPR.
The security of personal data is regulated in articles 32, 33 and 34 of the GDPR.
III
The GDPR defines personal data breaches as those incidents that lead to the accidental or unlawful destruction, loss or alteration of personal data, as well as the unauthorised disclosure of, or access to, such data.
Since 05/25/2018, the obligation to notify the Agency of security breaches that may affect personal data applies to every controller of personal data, which underlines the importance of all entities knowing how to manage them.
Therefore, as soon as the controller becomes aware that a personal data breach has occurred, it must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The controller must communicate a personal data breach to the data subject without undue delay where it is likely to result in a high risk to their rights and freedoms, in order to allow them to take the
necessary precautions. The communication must describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate the potential adverse effects resulting from the breach. Such communications to data subjects must be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities, such as law enforcement authorities. Thus, for example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects, whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.
Article 33 of the RGPD establishes the manner in which a personal data breach must be notified to the supervisory authority.
In this same sense, Recitals 85 and 86 of the RGPD point out:
"(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.
(86) The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects, whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication."
IV
Firstly, the defendant is accused of infringing article 32.1 of the GDPR, which states:
"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in article 40 or an approved certification mechanism as referred to in article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law".
Recital (83) points out that:
"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, which may in particular lead to physical, material or non-material damage".
From the actions carried out and the documentation provided to the file, it has been verified that the security measures that the investigated entity had in place in relation to the data being processed were not the most appropriate to guarantee the security and confidentiality of personal data at the time the incident or breach occurred.
As recital 39 also points out:
"… Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing".
It should be noted that security measures are key when it comes to guaranteeing the fundamental right to data protection, since it is not possible to ensure the fundamental right to data protection if the confidentiality, integrity and availability of personal data cannot be guaranteed. To guarantee these three security factors, measures of both a technical and an organizational nature are necessary.
Therefore, information security risk analyses must focus on the ability to ensure the confidentiality, integrity and availability of the processing systems and services, as also contemplated in said article.
One of the requirements established by the RGPD for controllers and processors who carry out personal data processing activities is the need to carry out an information security risk analysis in order to establish the security and control measures aimed at complying with the principles of protection by design and by default that guarantee the rights and freedoms of individuals.
It is necessary to point out that in the present case, in light of the reports issued by the companies *** COMPANY.2 and *** COMPANY.3, serious vulnerabilities in the defendant's systems are accredited, which compromised the confidentiality and integrity of the information, causing an unauthorized access that led to an unlawful transmission of data.
As stated in the Report of *** COMPANY.2 of 12/20/2018, "In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4,000, had been used to commit fraud. The stolen data included personal and financial data of the clients of GLOBALIA who made reservations and modifications on AirEuropa.com. The data did not include travel or passport data", that "The first confirmed access to the network of GLOBALIA by the attacker took place 34.- [………] for an unknown account on May 12, 2018", and continues that after the initial access, using 35.- [………], the attacker compromised a series of GLOBALIA systems, continuing the access until at least 08/11/2018; that it has been confirmed that the attacker had collected 488,847 unique credit cards; that the attacker compromised at least 12 systems and a minimum of 2 service accounts in support of its operation;
that every system exposed to the Internet should have Multi-Factor Authentication enforced; that subsequent investigation of the accounts compromised by the attacker revealed 36.- [………], which would have made it easier for the attacker to compromise this account; that the attacker likely used *** FILE.1 as a test server from which to exfiltrate information; that a statistical analysis of the firewall logs revealed that the highest number of connections to the IP address controlled by the attacker took place between May 14 and June 4; that the attacker used publicly available tools, 37.- [………] with the IP address controlled by the attacker; and that an irregular logging configuration was observed in the systems analyzed, so that only some systems stored locally archived log files.
The aforementioned company made a series of recommendations: review the audit and retention policy and 38.- [………]; that although it has not been possible to determine exactly the source of the infection of the systems in scope, one of the most probable hypotheses is 39.- [………]; various systems were observed running for longer than one year, so 40.- [………].
Likewise, the Report of *** COMPANY.3, a company hired on 10/22/2018 by the defendant and specialized in security breaches and forensic analysis, from January 2019, points out: that it had identified conclusive evidence of the security breach; the identification of 2.7 million cards that had been extracted from the database systems, the attacker managing to use decryption tools present in the systems; that access 41.- [………]; a summary of the possible causes that motivated the attack (42.- [………]; the existence of evidence of a breach of the cardholder data environment; that the attack started when 43.- [………] was accessed; that the attacker had one with an external host and that 44.- [………]; and the possible exposure of certain types of data (cardholder name, cardholder address, expiration date).
Therefore, it follows from the foregoing that the technical and organizational security measures implemented by the defendant entity were not appropriate to ensure a level of security appropriate to the risk and to prevent unauthorized access to customer data.
It should be noted that, given the technological and digital evolution undergone by personal data processing activities, these must be addressed from the point of view of continuous risk management, defining from the design stage the control and security measures necessary for the processing to take place respecting the privacy requirements associated with the risk levels to which they may be exposed, and periodically and continuously evaluating the effectiveness of the control measures implemented.
This also implies the protection of personal data by design and by default, that is, the controller must apply, both at the time of determining the means of processing and at the time of the processing itself, all those technical and organizational measures suitable and designed to apply, effectively, the principles of data protection and to integrate into the processing the guarantees necessary to comply with the requirements indicated by the RGPD; in addition, the controller must apply the aforementioned measures to guarantee that,
by default, only the personal data necessary for each specific purpose of the processing are processed.
The defendant has argued that the AEPD's interpretation, whereby suffering a security breach would automatically imply an infringement of article 32.1 of the RGPD, is made without providing any reasoning as to why the security measures are insufficient.
However, it should be noted that such a statement cannot be accepted, since the Report prepared by *** EMPRESA.2 shows 45.- [………], although it may not be enough for the defendant's representative, access to about 4,000 credit cards for the purpose of committing fraud; that the attacker would have collected at least 488,847 unique credit cards; that at least 2651 unique card numbers, CVVs, expiration dates and cardholder names were viewed and archived in *** FILE.1; that the approximate number of records affected was 1,500,000, etc.
Thus, as appears in the background of this proposal and extracted from the cited report: "In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4000, had been used to commit fraud. The stolen data included personal and financial data of the defendant's clients who made reservations and modifications on AirEuropa.com. The data did not include travel or passport data", that "The first confirmed access to the defendant's network by the attacker took place through the CITRIX access gateway by using valid credentials for an unknown account on May 12, 2018", and continues by stating that "After this initial access, the attacker compromised a series of the defendant's systems, considering that the attacker continued to access the GLOBALIA systems and accounts at least until August 11, 2018".
An intrusion or unauthorized access 46.- [………] which the entity itself could not detect and of which it had to be notified by Banco Popular (VISA) upon checking access to customer cards, as evidenced by the defendant in the information sent on 04/01/2019 providing the risk analysis carried out regarding whether or not to notify this Agency and the data subjects, which states: "… once the incident had been identified by the banking entities, these and the issuers of the compromised bank cards proceeded to block them and to inform the data subjects of said blocking so that the compromised data would be rendered useless…".
For more information, the Forensic Report of *** COMPANY.3, challenged by the defendant's representation, also indicates the existence of evidence of a cardholder data breach, that the data exposed was that relating to the cardholder's name, address and expiration date, and that their total number was 2722692, etc.
The defendant, in the risk analysis carried out after the incident suffered, points out: "In relation to AIR EUROPA systems, there were no specific measures, 47.- [………], to protect the data accessed by the attackers…"
The consequence of this lack of adequate security measures was the unauthorized access to personal data, namely bank card information (number, expiration date and CVV) that could be used for fraudulent operations, as reported by Banco Popular to the defendant on *** DATE.1.
That mere possibility entails a risk that has to be analyzed and assessed when processing personal data and that increases the required degree of protection in relation to the security and safeguarding of the integrity and confidentiality of the data.
This risk must be taken into account by the controller, whose function it is to establish the measures that might have prevented the loss of control of the data and, therefore, by the owners of the data that were provided to it, as has been accredited.
In accordance with the foregoing, the conduct of the defendant constitutes an infringement of article 32.1 of the RGPD, an offense typified in its article 83.4.a).
V
The defendant has alleged the non-applicability of the RGPD since, when the first access occurred on 05/12/2018, the security requirements demanded by the legislation applicable at the time of the incident, the LOPD and its Regulation, were met on that date.
However, such an allegation cannot be accepted; the facts that are the object of this claim are subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, whose date of full application was 05/25/2018.
The access to the personal data of those affected by the breach started before the date of full application of Regulation (EU) 2016/679 (which occurred on 05/25/2018), when Organic Law 15/1999 on the Protection of Personal Data, LOPD, was in force. However, the conduct of the defendant in which the infringement consists, a security breach caused by the adoption of inadequate technical and organizational measures, has been maintained over time, at least until the adoption of measures as a result of the communication from Banco Popular to the defendant and the hiring of forensic companies, which led to the implementation of measures in order to stop the security incident.
It is true that the first access occurred, as the defendant points out, on 05/12/2018, a date on which the previous LOPD was in force, and that the RGPD was not fully applicable until 05/25/2018; however, it is no less true that the offense continued to be committed and extended in time until the adoption of the measures adequate to end the breach in the defendant's systems; it should not be forgotten that technical and organizational security measures must be implemented to prevent, among other things, unauthorized access to personal data, and that these measures must be adequate.
And although the accesses continued until August 2018, ceasing from that date, the measures implemented continued to be inadequate until others were implemented as a result of the communication of the incident, and new ones were adopted due to the intervention of the contracted companies.
The offense for which the defendant is responsible shares the nature of so-called permanent offenses, in which the consummation is projected in time beyond the initial event and extends, in violation of the data protection regulations, over the entire period of time in which the data are subject to processing. In the present case, despite the fact that on the date on which the offending conduct began the applicable norm was the LOPD, the norm that applies is the one that was in force when the offense ceased to be consummated, with the application of those appropriate and pertinent measures so that access to personal data could not occur.
The Supreme Court has ruled on the rule to be applied in those cases in which the infractions are prolonged in time and there has been a regulatory change while the offense was being committed. The STS of 04/17/2002 (Rec. 466/2000) applied a provision that was not in force at the initial time of commission of the offense, but was in force during the subsequent period in which the offending conduct continued. The Judgment examined a case relating to the sanction imposed on a Judge for breach of her duty of abstention in certain Preliminary Proceedings. The sanctioned party alleged that article 417.8 of the LOPJ was not in force when the events occurred. The STS considered that the offense had been committed from the date of initiation of the Preliminary Proceedings until the moment in which the Judge was suspended from the exercise of her functions, so that rule was applicable. In the same sense, the SAN of 09/16/2008 (Rec. 488/2006) is pronounced.
SAW
The respondent has alleged that the absence of a response to the evidence submitted at the AEPD's request of 11/23/2020 leaves it defenceless, and that the evidence has not been assessed, noting in addition that it is very prejudicial to it that the AEPD has not taken into consideration a single one of the allegations made, nor a single one of the documents provided in the response to the request issued by the AEPD during the evidentiary phase.

The alleged cause of defencelessness is surprising; it should be noted that if no reference was made to them, it was because the response offered only consolidated and reinforced the reports provided by IBM and Foregenix, according to which the measures implemented at the time of the breach were not adequate for data security.

These are measures that the controller must establish taking into account the risk analysis carried out and, depending on it, applying the most appropriate technical and organizational measures.

Thus, in the first place, a series of network diagrams of the payment environment was provided, but not where each type of specific data was stored.

In its statements, the respondent pointed out that the personal data of those affected (postal addresses, telephone, passport, ID, date of birth, etc.) were stored independently of the information relating to bank cards and that, therefore, those data were not compromised.
However, it has not been proven that the data relating to the cardholder and those relating to the cards were stored separately; the audit report of *** COMPANY.2 itself indicates that “The attacker viewed and stored in *** FILE.1 (…) at least 2651 unique card numbers, CVVs, expiry dates and cardholder names”. And the same report also states that “The stolen data included personal and financial data of GLOBALIA customers who made reservations and modifications on *** URL.1. The data did not include travel or passport data” (underlining by the AEPD).

And the respondent, in its response dated 12/16/2020, stated that “As can be seen, neither the databases of the environment under investigation nor the potential compromise of data included information other than that already indicated; that is, unique card numbers, CVVs, expiry dates and cardholder names”. That is, it was implicitly acknowledging that the cardholder's name was included in the potentially compromised data, which should have been relevant when deciding whether to notify the security incident diligently to the AEPD, given the importance of the data that may or may not have been accessed.

Regarding the risk analysis, the latest document presented by the respondent is dated 06/04/2020, on the occasion of the EIPD (data protection impact assessment), and is more complete than the one presented on 04/01/2019. The first one does not determine what level of risk is or is not acceptable for the processing carried out, nor how it is calculated, nor does it break down mitigating measures, etc., in contrast to the latest one (where measures such as two-factor authentication and strong passwords do appear as implemented in the Risk Analysis).

The respondent alleges that when the security incident began the RGPD was not yet applicable and that the measures proposed in the Risk Analysis at that time were in accordance with the recommendations existing at the time.

However, it should be noted that, in relation to two types of measures, 48.- [………] to which the respondent refers recommends “49.- [………]”, that is, the same thing that the reports of the acting companies had already established and that is reflected in the report of previous actions; and, as regards password length and complexity, the same previous report (that of the CCN) points out and recommends 50.- [………].

Regarding 51.- [………], it states that it was fully updated at the date of the incident and presents a supporting document. However, 52.- [………].

As for 53.- [………] as a measure implemented at the time of the incident, according to the respondent this is because the CCN report referred to above states that passwords must be at least 8 characters long with different types of characters, that these recommendations were already met on 01/17/2018 following its recommendations, and it provides a screenshot of the password policy showing “passwords must meet complexity requirements”, “enabled”, “minimum password length” and “8 characters”.

However, it is not shown, evidenced or justified what kind of complexity the enabled setting refers to and, in any case, the report of *** COMPANY.2 points out that “subsequent investigations of the accounts compromised by the attacker, such as the service account *** SERVICE.1, revealed that it was using a password that did not meet the complexity and length requirements in line with industry best practice, which would have made it easier for the attacker to compromise this account.”

Regarding 54.- [………], they indicate that they were XXXXXXXX, presenting the network diagram.

However, the report of *** COMPANY. of January 3, 2019 referred to the server 55.- [………]: “The attack began when the attacker accessed 56.- [………]” and “Although there were XXXXX and XXXXX, the attacker was able to “pivot” the entry 57.- [………]”.

Finally, regarding the blocking of external IPs that have no relation to any payment system, it pointed out that “It was not technically possible to limit the IPs of the various authorization centers. Therefore, outgoing connections (unlike incoming ones) were not, and could not be, restricted.”

However, no evidence or information has been provided as to why it was not technically possible to limit the IPs.
VII
The respondent alleges, in relation to the report provided by *** COMPANY.3, that it is not an expert report nor an objective technical report, 58.- [………], with the purpose of calculating the amount of the compensation that this regulatory environment requires from the associated companies in certain situations, and that there is an absolute incompatibility between the purposes of that report and those pursued in a disciplinary administrative file.

However, such a claim cannot be accepted either: in the first place, because the respondent has provided no proof of its partiality that could have led to its challenge, nothing of the kind having been established in the evidentiary phase.

And secondly, because the Report issued by the aforementioned company states:

1. This investigation is carried out in strict compliance with all the applicable requirements set forth in Section 2.3 of the Requirements relating to the qualification of PCI forensic investigators, including, without limitation, the requirements set forth in said section relating to independence, professional opinion, integrity, objectivity, impartiality and professional skepticism.

2. This Preliminary Incident Response PFI Report identifies, describes, represents and characterizes all the objective evidence that the PFI Company and its Employees collected, generated, discovered, analyzed and/or considered, at their sole discretion, relevant to this investigation in the course of conducting it.

3. The opinions, conclusions and findings contained in this Preliminary Incident Response PFI Report (a) accurately reflect and are based exclusively on the objective evidence described above, (b) reflect only the opinions, conclusions and findings of the PFI Company and its Employees, acting at their sole discretion, and (c) have not been influenced, directed, controlled, modified, provided or submitted for the prior approval of the Entity under Investigation or of any contractor, representative, professional advisor, agent or affiliate of the same or any other person or entity other than the PFI Company and its Employees (underlining by the AEPD).
VIII
Secondly, the respondent is accused of infringing Article 33 of the RGPD, Notification of a personal data breach to the supervisory authority, which establishes:

“1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3. The notification referred to in paragraph 1 shall at least:
a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.”

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter RGPD) defines personal data breaches as those incidents that cause the accidental or unlawful destruction, loss or alteration of personal data, as well as the unauthorized disclosure of, or access to, such data.
Since 05/25/2018, the obligation to notify the Agency of gaps or security breaches that may affect personal data applies to any controller of personal data, which underlines the importance of all entities knowing how to manage them.

In this sense, recital 87 establishes that:

“It should be ascertained whether all appropriate technological protection and organizational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.”

Regardless of the internal actions carried out by the respondent to manage the breach or security incident once it became aware of it, the RGPD establishes that in the event of a personal data breach the controller shall notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The RGPD also establishes the cases in which a security breach must be communicated to the data subject, specifically when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

Both the notification to the competent supervisory authority and the communication to the data subject are obligations of the controller, although it may delegate their execution to other parties.

Therefore, what underlies this obligation is a broader duty, which requires the controller to implement a procedure for managing security incidents affecting personal data that is adapted to the characteristics of the processing.

Accordingly, a key element of any data security policy is being able, to the extent possible, to prevent a breach and, when one occurs despite everything, to react quickly.

The RGPD indicates that breaches are those incidents that cause the accidental or unlawful destruction, loss or alteration of personal data, as well as the unauthorized disclosure of, or access to, such data.

In the case examined, the documentation in the file provides clear indications of the existence of a security incident caused and suffered in the entity's systems, classified as a breach involving unauthorized access to user data, specifically information relating to personal data and bank cards (card number, expiry date and CVV) that could have been used to commit fraudulent operations and that, in accordance with what is indicated in the previous legal ground, would infringe article 32.1 of the RGPD, Security of processing; the respondent became aware of it through the communication received from financial institutions, which led to the activation of the incident response plan (PRI) the following day.
The respondent decided to notify this supervisory authority of the security breach detected on 11/27/2018, through the form available in the electronic office, but the online procedure made it impossible to submit it, so it had to be done the next day, 11/28/2018, in person.

It is true, as the respondent's representative states, that the breach was notified, although this was done out of time, 41 days after it became known, clearly infringing the provisions of article 33 of the RGPD, which establishes the obligation to notify the supervisory authority without undue delay and no later than 72 hours after having become aware of it.

The respondent justifies the late notification on the grounds that there was no sufficient knowledge of the nature or extent of the breach suffered and of whether it had affected personal data.

However, such an allegation cannot be admitted, since the controller had clear evidence that such a breach had occurred and there is no doubt that it was aware of it as a result of the notification from Banco Popular on *** DATE.1, which, as previously indicated, led to the activation of the incident response plan the next day. This is how it appears in the IBM report: “In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4,000, had been used to commit fraud”.

In addition, if, as the respondent itself points out in its brief dated 01/22/2019, the breach was resolved on 11/17/2018, why was it not notified earlier?

Furthermore, in the risk analysis carried out regarding whether or not to notify the Agency, the conclusions state that “Applying the AEPD analysis methodology to the current incident (Annex 1), both the quantitative and the qualitative results exceed the notification threshold to the AEPD...”

On the other hand, the investigations and analyses carried out by the entity did not classify the incident as high risk for the rights and freedoms of the data subjects, so those affected by the breach, which affected approximately 1,500,000 data records and approximately 489,000 users, were not notified, since there were only 20 requests for information from customers, all of which were answered. In the conclusions of the above risk analysis it is stated that “In relation to the notification to data subjects and according to the AEPD analysis methodology (Annex 1), the quantitative result would not exceed the threshold established for such notification (30 vs. 40), while the qualitative threshold would be exceeded”.

In accordance with the preceding paragraphs, the conduct of the respondent constitutes an infringement of article 33.1 of the RGPD, typified in article 83.4.a) of the same legal text.

IX
The infringements of articles 32.1 and 33 of the RGPD are typified in Article 83.4.a) of the aforementioned RGPD in the following terms:

“4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(…)”

For its part, the LOPDGDD, in its article 71, Infringements, states that:

“The acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”.

And in its article 73, for the purposes of limitation periods, it qualifies as “Infringements considered serious”:

“Based on the provisions of article 83.4 of Regulation (EU) 2016/679, the infringements that entail a substantial violation of the articles mentioned therein are considered serious and will be time-barred after two years, and in particular the following:
(…)
g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with the requirements of article 32.1 of Regulation (EU) 2016/679.
r) Failure to comply with the duty to notify the data protection authority of a personal data breach in accordance with the provisions of article 33 of Regulation (EU) 2016/679”.

The proven facts show the existence of a security breach in the respondent's systems, made possible by their vulnerability, which caused unauthorized and unlawful access to information relating to customers' bank cards (card number, expiry date and CVV) that could have been used to commit fraudulent operations, which, together with the late notification of the aforementioned breach or security incident, implies the infringement of articles 32.1 and 33 of the GDPR.

X

In order to establish the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, which state:

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58(2), points a) to h) and j). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:
a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”

In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that:

“2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the infringement.
b) The link between the activity of the offender and the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the conduct of the data subject could have induced the commission of the infringement.
e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The affecting of the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject.”

In accordance with the provisions transcribed, for the purpose of setting the amount of the sanction to be imposed in the present case for the infringements typified in article 83.4.a) of the RGPD for which AIR EUROPA is responsible, the following factors are considered to concur:

- In relation to the infringement of article 32.1 of the RGPD typified in Article 83.4 of the aforementioned Regulation:

The nature and gravity of the infringement, given that the scope of the declared security breach was not merely local, quite the opposite, since personal data not only of nationals but also of foreigners may have been compromised, without forgetting the high number of people, customers, potentially affected by it (489,000) and the number of records affected (1,500,000); in the IBM report of 12/20/2018 it was stated that “GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4,000, had been used to commit fraud”, “Although IRIS has not been able to confirm how the attacker managed to exfiltrate information from the GLOBALIA network or what was exfiltrated, given the limitation of the logs, what IRIS has confirmed is that the attacker had collected at least 488847 unique credit cards”, and in the report of *** COMPANY.3 provided by the respondent on 11/14/2019 it was stated that “The *** COMPANY.3 investigation identified more than 2.7 million unique card numbers that had been extracted from the database systems by the attacker”; the category of data affected by the infringement, without forgetting the damage suffered by some of the customers.

The degree of responsibility of the controller, taking into account the technical or organizational measures applied and that were breached. Thus, *** COMPANY.2 points out that “…, the attacker took advantage of 59.- [………] to gain access to the network for the first time”, that “Every system exposed to the Internet, 60.- [………]” and “…, Subsequent investigations of the accounts compromised by the attacker, *** SERVICE.1, revealed that it was using a password that did not meet the complexity and length requirements in line with industry best practice, which would have made it easier for the attacker to compromise this account.”

*** COMPANY.3 in its report states that “The intrusion probably had its origin in insecure systems available through the internet. *** COMPANY.3 identified several devices that had not been patched regularly…”, but the respondent entity itself has indicated that “In relation to AIR EUROPA's systems, there were no specific measures, such as encryption or tokenization, to protect the data accessed by the attackers. However, the information accessed by the attackers does not include sensitive information such as special categories of personal data, postal addresses or telephone numbers, passport or ID number or date of birth. This sensitive information is not stored together with bank card information as a security measure. As a result, it is very difficult to identify unique individuals within the data set.”
The categories of personal data affected as a consequence of the infringement, since identification data must be added to banking and financial data, as a consequence of the access to cards, with a clearly fraudulent purpose. In the audit report carried out by *** COMPANY.2 of 12/20/2018 it is stated that “In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, some 4,000, had been used to commit fraud. The stolen data included personal and financial data of GLOBALIA customers who made reservations and modifications on *** URL.1” (underlining by the AEPD).

The manner in which the infringement became known, since it was through a communication from BANCO POPULAR and, as indicated in the previous paragraph, from the credit card companies, without the respondent having had any evidence of the intrusion and access committed, which began on 05/12/2018.

The continuing nature of the infringement, in the sense interpreted by the National High Court as a permanent infringement, since a period of several months elapsed between the security incident and the detection of the breach.

The activity of the allegedly infringing entity is linked to the processing of data of both customers and third parties; this link is well known, since the entity, by its activity, is in permanent contact with customers and third parties and handles a large volume of data, which imposes a greater duty of care.

The turnover of the respondent, as it is one of the leading companies within the Spanish market in its corporate purpose of air transport; the respondent is part of the business holding Globalia Corporación Empresarial SA, of which a large number of companies form part, having had annual revenues of €2,367,061,000 (2018) and €2,130,517,000 (2019) and an operating result of €82,921,000 (2018) and €93,984,000 (2019), as stated on the corporate group's website, and, according to the latest BORME publication of 12/30/2020, a share capital of €17,923,050.

For all these reasons, a sanction of 500,000 euros is established for the infringement of Article 32.1 of the RGPD.

In relation to the circumstances of liability, the respondent has alleged that mitigating circumstances should apply, considering that if the infringement of article 32.1 is understood to have been committed, the following mitigating circumstances should apply: the low severity of the incident and the low level of damage caused; the measures taken by the controller to alleviate the damage suffered; cooperation with the supervisory authority; and the lack of benefits obtained.

However, such a claim cannot be accepted; the aggravating circumstances that have been taken into account are those that concur in the present case.
Regarding the seriousness of the offense, it already concurs as an aggravating
grading of the sanction for infraction of article 32.1: "The nature and gravity of
the breach given its non-merely local scope of the security breach
declared, but quite the opposite since data has been compromised
personal character not only of nationals but foreigners, without forgetting the high
number of people, clients, potentially affected by it (489,000) and the
number of records affected (1,500,000); in the report of *** COMPANY. 2 of
12/20/2018 it was stated that ... "
In addition, it is striking that the offense is classified as low severity
committed when the LOPDGDD itself in its article 73 considers it for the purposes of
prescription as a serious offense and when it is evident and palpable the lack of
diligence in the application of appropriate technical measures and
organizational, lasting from 05/12/2018 date of first access until
Appropriate measures were implemented at the request of the contracted companies.
Regarding the low level of damages caused as a consequence of the
offense, it is not predicable to the present case where there are also injured parties, but
Even if there were not, we are faced with the infringement of a fundamental right
and the high degree of intrusion into the privacy of customers must be taken into account
this being enough damage for them.
Even more striking is the request that the measures adopted by the controller to alleviate the damage and its cooperation with the supervisory authority be taken into account, when these are nothing but legal obligations required of any controller and processor, all the more so when, as indicated above, there was a lack of diligence in applying such measures to prevent unauthorised access; although it is true that failing to comply with them could lead to their application as aggravating factors.
As for the absence of benefits, this is inapplicable; the GDPR refers to benefits obtained as a result of committing the infringement, not to the absence of benefits being considered a mitigating factor.
Therefore, assessing the concurrent circumstances and taking into consideration especially those that operate as aggravating factors and that have been analysed above, the penalty imposed for the infringement of article 32.1 of the RGPD, given the seriousness of the events that occurred
- In relation to the infringement of article 33 of the RGPD, typified in article 83.4 of the aforementioned Regulation:
The serious lack of diligence in complying with the obligations imposed by data protection regulations, making a late notification of the security breach to which it was bound.
The way in which the infringement became known, since it was due to a notification from BANCO POPULAR and from the credit card companies, without the respondent having had any evidence of the intrusion and access committed, which started on 05/12/2018.
The activity of the allegedly infringing entity is linked to the processing of data of both clients and third parties; this link is well known, since by virtue of its activity the entity is in permanent contact with and handles a large volume of data, which imposes a greater duty of care.
The business volume of the respondent, as it is one of the leading companies within the Spanish market in its line of business.
For all these reasons, the amount of the sanction for the infringement of Article 33 of the RGPD is set at 100,000 euros.
Therefore, in accordance with the applicable legislation and having assessed the criteria for grading sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on AIR EUROPA LINEAS AÉREAS SA, with CIF *** CIF.1, for an infringement of article 32.1 of the RGPD, typified in Article 83.4.a) of the RGPD, a fine of €500,000 (five hundred thousand euros).
SECOND: TO IMPOSE on AIR EUROPA LINEAS AÉREAS SA, with CIF *** CIF.1, for an infringement of article 33 of the RGPD, typified in article 83.4.a) of the RGPD, a fine of €100,000 (one hundred thousand euros).
THIRD: TO NOTIFY this resolution to AIR EUROPA LINEAS AÉREAS SA.
FOURTH: TO WARN the sanctioned party that the sanction imposed must be paid once this resolution becomes enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by paying it in, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, SA. Otherwise, it will be collected in the enforcement period.
Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and the 15th of the month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter; and if it falls between the 16th and the last day of the month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the said Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by letter addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also forward to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not informed of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will be terminated.
Mar España Martí
Director of the Spanish Agency for Data Protection


</pre>
</pre>

Latest revision as of 14:07, 13 December 2023

AEPD - PS/00179/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32(1) GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 18.03.2021
Fine: 600000 EUR
Parties: Air Europa Líneas Aéreas S.A.
National Case Number/Name: PS/00179/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) fined Air Europa Líneas Aéreas S.A. €600,000 for the infringement of Articles 32(1) and 33 GDPR, due to the lack of appropriate technical and organisational measures and of an adequate level of security and due to the delay in the notification of a personal data breach.

English Summary

Facts

Air Europa notified a data breach to the AEPD concerning unauthorised access to contact and bank card information, affecting 489,000 data subjects and 1,500,000 records. The unauthorised access was carried out via hacking and malware. Among the problems found in a subsequent audit was the use of a weak password, alongside other vulnerabilities, some of them technical, such as the lack of a multi-factor authentication system.

The bank card data included the card number, expiry date and CVV. The data of around 4,000 bank cards were used to commit fraud. Nevertheless, Air Europa classified the breach as medium risk and decided not to inform the affected data subjects, arguing that it would be impossible to identify all of them and that a public notification was not necessary because there was no serious risk to the rights of the affected data subjects.

Additionally, the AEPD was notified of the data breach more than one month after Air Europa had become aware of it (a banking institution notified Air Europa of the breach on 17 October 2018; Air Europa notified the AEPD on 27 November 2018).

Dispute

Were the technical and organisational measures adopted by Air Europa enough to ensure an adequate level of protection for the data that they process?

Was the notification of the data breach delayed?

Holding

The AEPD, on the basis of the subsequent audits of the breach, concluded that there had been a lack of appropriate technical and organisational measures, resulting in an inadequate level of security, and therefore an infringement of Article 32(1) GDPR.

The AEPD remarks that the level of security protecting the data was not adequate by design and by default. It supports this with the fact that Air Europa was not able to detect the data breach itself and only became aware of it when notified by a banking institution.

The AEPD sanctioned Air Europa with a fine of €600,000:

  • For the infringement of Article 32(1), the lack of appropriate technical and organisational measures and of an adequate level of security, the fine was €500,000.
  • For the infringement of Article 33, the delay of more than one month in notifying the personal data breach, the fine was €100,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


Procedure Nº: PS/00179/2020
RESOLUTION OF SANCTIONING PROCEDURE
In the procedure conducted by the Spanish Data Protection Agency and on the basis of the following
BACKGROUND
FIRST: On 02/04/2019 the Director of the Spanish Data Protection Agency agreed to initiate investigative actions in relation to the notification of a security breach made by AIR EUROPA LÍNEAS AÉREAS, SA, with CIF *** CIF.1 (hereinafter AIR EUROPA), concerning unauthorised access to contact and bank card information affecting 489,000 data subjects and a volume of 1,500,000 records.
However, on 02/28/2020 it was agreed to open new investigative actions against AIR EUROPA and to incorporate into them the documentation that made up the previous actions in file E/02564/2019, which had been declared lapsed.
The security breach notification was made on 11/28/2018 and 01/22/2019, as an initial and a complete notification respectively. Subsequently, on 01/22/2019 a further notification was made to correct the information provided, owing, as stated by AIR EUROPA, to discrepancies between the acknowledgment of receipt issued by this Agency's electronic office and the data actually entered in the online form. The three notifications contain, among others, the following information:
 That on 11/27/2018 repeated attempts were made to submit the initial notification to this Agency through the form provided for that purpose at the electronic office, but the online notification procedure made it impossible to submit it by that means, so the initial notification was submitted in person on 11/28/2018.
 Controller: AIR EUROPA, whose details have been included in the Investigated Entities section.
 Breach detection date: *** DATE.1
 Means of detecting the breach: AIR EUROPA received a notification from Banco Popular regarding a potential security incident, which triggered the activation of AIR EUROPA's incident response plan on 10/17/2018.
 Breach start date: 05/12/2018
 Breach resolved as of: 11/17/2018.
 Justification for late notification: N/A
 Summary of the incident: the security incident involved unauthorised access to bank card information (card number, expiry date and CVV) that could have been used to commit fraudulent transactions, although all the cards identified were cancelled before any damage to the data subjects was established. In some cases (approximately 2,500) the identity of the cardholders was also compromised.
 Type: Confidentiality breach (unauthorised access).
 Means by which the breach materialised: Hacking and malware.
 Context: External (intentional action).
 That before the breach the following preventive measures were applied:
Network security:
Our own in-house team with more than 10 years of experience in network management and administration, LAN and WAN.
The company has designed and delivered training to employees on the use of the tools made available to them, in accordance with current legislation.
AIR EUROPA uses 1.- [………].
Periodically (XXX), a vulnerability assessment programme is run to monitor potential security breaches through known vulnerabilities.
In addition to the firewall systems that allow unauthorised access to be managed and blocked, there is a 2.- [………].
To protect users' browsing, there is a 3.- [………].
Information protection and access controls:
Access to information systems requires identification and authentication of all users 4.- [………] (XX).
The XX is connected with the system 5.- [………].
There is a password renewal policy under which users are forced to change their passwords every XXX.
The policy of 6.- [………].
The management policies for application access permissions 7.- [………] allow the principle of least privilege to be applied.
Prevention:
AIR EUROPA began a few months ago a process aimed at preparing a Security Master Plan in order to have a broader picture of the threats and to define a more effective strategy. 8.- [………].
 That the categories of data affected are basic data and bank card information such as card number, expiry date and CVV.
 That no special categories of data are affected.
 That the approximate number of data records affected is 1,500,000.
 That the profile of the affected data subjects is customers, the number of persons affected being approximately 489,000.
 That the nature of the potential impact on the data subjects is fraud.
 That the possible consequences are disclosure to third parties / dissemination on the internet, and that the data may be exploited for other purposes.
 That it classifies the severity of the consequences as "Medium".
 That the measures taken to resolve the breach and minimise its impact were:
o Conducting a preliminary investigation.
o Hiring a forensic company, *** COMPANY.1, to provide support and assistance in analysing the incident.
o Hiring a company specialising in incident analysis and resolution, *** COMPANY.2.
o Monitoring of tasks and planning of improvements and actions to be implemented in the systems in order to "close doors" and reduce risk.
o Review of all security measures and reinforcement of them.
o Chronology of the actions taken, described in the attached documents.
 That the data subjects will not be informed, for the following reasons:
o There is only evidence of 11 requests for information from clients in relation to this event, and all of them are being answered. The existence of other affected persons is unknown.
o That appropriate technical and organisational protection measures have been adopted which ensure that the risk to the rights and freedoms of the data subjects affected by the security breach is not likely to materialise.
o That they consider that at this time a public communication would be more burdensome for the general interest and for that of the data subjects, since they do not have contact details for all the affected persons.
 Attached documents are provided containing, among others, the following statements:
o That immediately after learning of the breach, a company specialising in security breaches and forensic analysis, *** COMPANY.3, was contacted.
o That the company *** COMPANY.2 was hired to analyse the scope, together with *** COMPANY.3, and to apply the measures necessary to remedy the incident.
o That the extent of the breach is not yet fully known. The security incident involved unauthorised access. This notification is made on a preliminary basis to provide the information available so far.
o That a series of technical measures were adopted, focusing first on containment activities and then on preventive activities.
o That, having analysed the information that AIR EUROPA believes to have been compromised, it is highly unlikely that only Spanish data subjects have been affected. However, AIR EUROPA is currently not in a position to identify the specific nationalities of all the affected data subjects.
o Chronology of the actions taken:
 *** DATE.1. AIR EUROPA receives a notification from VISA (Banco Popular) regarding a potential security incident, which triggers the activation of the Incident Response Plan (PRI) on October 17, 2018.
 10/18/2018. As part of the PRI, the company *** COMPANY.3 is contacted to provide support and assistance in the forensic analysis of the incident; its engagement took place on October 22, 2018.
 10/24/2018 to 10/31/2018. Collection of the necessary evidence and information.
 11/05/2018 to 11/08/2018. Analysis of the information collected. On November 8 the forensic analyst confirms the existence of a breach.
 11/08/2018. *** COMPANY.2 is contacted with the aim of reinforcing the internal security teams and working jointly with *** COMPANY.3.
 11/09/2018. The work of *** COMPANY.2 begins, "closing doors" and progressively reducing the risk.
 11/14/2018. The tasks of reviewing the set of security measures and, where appropriate, reinforcing them begin. *** COMPANY.2 and the forensic team identify that a server is contacting an unrecognised IP address.
 11/15/2018. AIR EUROPA receives specific instructions from the forensic team with 8 measures designed to contain the problem. With the support of the *** COMPANY.2 team, top priority is assigned to containment tasks.
 11/17/2018. Confirmation by *** COMPANY.2 and *** COMPANY.3 that the breach is contained.
 11/23/2018. *** COMPANY.2 confirms that 90% of the containment and protection actions have been carried out, that the pending tasks will be completed in the coming days, and the effectiveness of the real-time monitoring measures that continue to be deployed to guarantee the detection of any intrusion.
SECOND: the Subdirectorate General for Data Inspection carried out the following actions:
On 04/01/2019, AIR EUROPA sent this Agency the following information and statements:
1. An audit report carried out by *** COMPANY.4 and dated 12/20/2018, with the following statements:
In the "Background to the Incident" section it is stated:
"In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, some 4,000, had been used to commit fraud. The data stolen included personal and financial data of GLOBALIA clients who made reservations and modifications on AirEuropa.com. The data did not include travel or passport data."
Statements in the rest of the audit document:
a. "The first confirmed access to the GLOBALIA network by the attacker took place on May 12, 2018."
b. "After this initial access, the attacker compromised a series of GLOBALIA systems, and IRIS believes that the attacker continued accessing GLOBALIA systems and accounts at least until August 11, 2018."
c. "Although IRIS has not been able to confirm how the attacker managed to exfiltrate information from the GLOBALIA network or what was exfiltrated, given the limitation of the logs, what IRIS has confirmed is that the attacker had collected at least 488,847 unique credit cards."
d. "Of the sample of 4,939 unique credit cards already declared fraudulent, 1,185 were found in the above-mentioned collection."
e. "The attacker viewed and archived in *** FILE.1 at least 2,651 unique card numbers, CVVs, expiry dates and cardholder names."
f. "In total the attacker compromised at least 12 systems and a minimum of 2 service accounts in support of its operation."
g. "For the initial access, the attacker took advantage of 9.- [………] to gain access to the network for the first time."
h. "Any system exposed to the Internet, 10.- [………]."
i. "Likewise, subsequent investigation of the accounts compromised by the attacker, such as the service account GLOBALIA\EJP, revealed that it was using a password that did not meet the complexity and length requirements in line with industry best practice, which would have made it easier for the attacker to compromise this account."
j. "Although IRIS could not confirm how the attacker exfiltrated information, due to the limitation of the logs, some investigation data indicate when it would have been possible to take the data and from where. Given that most of the sensitive data collected by the attacker was found on or transferred to the server *** FILE.1, and that this server also had the only viable persistence mechanism, it is likely that the attacker used *** FILE.1 as a staging server from which to exfiltrate information. Similarly, a statistical analysis of the firewall logs revealed that the highest number of connections from GLOBALIA systems to the attacker-controlled IP address, *** IP.1, took place between May 14 and June 4, with a peak on May 19-21, indicating that the attacker got down to work. Given the volume of activity, it is possible that data exfiltration also occurred during these time frames, although the fact that the attacker accessed specific files related to credit cards later, in June, could indicate that exfiltration also took place later in the same month."
k. "To maintain access to the network, the attacker used publicly available tools, 11.- [………] on the systems that communicated with the attacker-controlled IP address *** IP.1."
l. "No further malicious activity was observed from the same attacker or threat actor after August 11, 2018."
m. "The attacker-controlled IP address was blocked on November 15."
n. "An irregular logging configuration was observed on the systems analysed, such that only some systems stored log files locally; for example, scripts executed by PowerShell were only logged on some systems.
Audit logs are important during a security incident in order to reconstruct the attacker's activities ...
It is therefore recommended to review the current audit and retention policy and apply it uniformly throughout the environment. If not already in use, it is also recommended to assess the possibility of centralising log collection on a dedicated platform, such as a Security Information and Event Management (SIEM) product, ..."
a. "Although it has not been possible to determine exactly the source of the infection of the in-scope systems, one of the most probable is that 12.- [………]."
b. "Blocking and monitoring outbound traffic to suspicious external IP addresses is a good way to detect abnormal behaviour originating from the network.
In this incident we saw 13.- [………] communicate with external IP addresses that were not related to any payment system, nor justified by any other business need."
a. "During the investigation, IRIS observed various systems that had been running for longer than one year, meaning that their operating systems had not been patched for that entire period."
2. A calendar of the technical tasks undertaken to close the breach and of the protection improvements implemented, which, as stated by AIR EUROPA, took into consideration the measures and recommendations issued by *** COMPANY.2 after analysing the security incident. This calendar contains tasks between 11/14/2018 and 02/13/2019, classified into the following groups:
a. XXX XXX update.
b. Firewall rules restriction.
c. Blocking and logging of *** IP.2.
d. Cleaning of local users XXX XXX.
e. Password changes.
 14.- [………].
f. Antivirus.
g. Application 15.- [………].
h. Patching vulnerabilities and updating the servers involved in the incident.
i. Installation XXX XXX.
j. 16.- [………].
k. Replatforming of XXX XXX.
l. Configuration 17.- [………].
3. AIR EUROPA states that it has received only 20 communications from clients, mostly due to inconveniences arising from the cancellation of their card by their bank, in which they request more information without claiming any economic damage. Only 3 of them stated that they had suffered some economic damage as a result of the use by third parties of personal data obtained through the attack. AIR EUROPA has responded to the information requests made by the data subjects.
4. Provides a risk analysis regarding the security measures in the processing of online sales data of AIR EUROPA passengers, which consists of a one-page document analysing 9 risks.
5. Provides the risk analysis carried out regarding whether or not to notify this Agency and the data subjects. This analysis states:
a. Art. 34.3 of the GDPR establishes three exceptions to the obligation to notify data subjects:
 Regarding 34.3.a):
"In relation to AIR EUROPA systems, there were no specific measures, 18.- [………]. However, the information accessed by the attackers does not include sensitive information such as special categories of personal data, postal addresses or telephone numbers, passport or ID numbers or dates of birth. This sensitive information is not stored together with bank card information, as a security measure. As a result, it is very difficult to identify unique individuals within the data set."
 Regarding 34.3.b):
"… Once the incident had been identified by the banking entities, these and the issuers of the compromised bank cards proceeded to block the cards and to report the blocking to the data subjects, so that the compromised data are rendered unusable ..."
A template of the communication sent by Bankinter to its clients is provided.
 Regarding 34.3.c):
"… It is practically impossible to uniquely identify the data subjects from this data set, since their contact details are not available. Therefore, if it were determined that the data subjects should be notified, AIR EUROPA would have to make a public communication instead of individual notifications. AIR EUROPA understands that at this moment a public communication would be more burdensome for the general interest and for that of the data subjects, as no benefit would derive from that communication."
b. That, according to the AEPD analysis methodology, the quantitative result would not exceed the threshold established for such notification (30 vs 40), whereas the qualitative threshold would be exceeded. Nevertheless, taking the foregoing into account, AIR EUROPA has decided not to notify the data subjects, arguing that the incident is not likely to pose a high risk to their rights and freedoms.
c. That in those cases in which a high risk could be found, one or more of the exceptions contained in art. 34 GDPR apply; in this sense, those provided for in art. 34.3 a) and b).
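The auditors' observations quoted above, that a server was found contacting an unrecognised IP address, that a statistical pass over the firewall logs showed when connections to the attacker-controlled address peaked, and that blocking and monitoring outbound traffic to unjustified external hosts is a good way to detect abnormal behaviour, describe a review that can be scripted. The following Python is an added example written for this page; it is not code from the decision, from AIR EUROPA or from the auditors, and its log format, address ranges and allowlist are constructed stand-ins (RFC 5737 documentation addresses play the external hosts). It parses a firewall export, keeps only the allowed connections from the organisation's own address space to external destinations that are on neither the internal nor the justified-business list, and reports per-destination connection counts, the internal hosts involved and the busiest three-day window.

```python
"""Outbound-traffic review over firewall logs.

Added example, not part of the AEPD decision or of the auditors' report.
The log format, IP ranges and allowlist below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample export in a generic "key=value" line format (no vendor's real format).
# 203.0.113.7 plays the unrecognised external host and 198.51.100.0/24 the payment
# gateway range; both are RFC 5737 documentation ranges used as stand-ins.
SAMPLE_LOGS = """\
2018-05-14T09:12:03Z allow src=10.20.1.15 dst=198.51.100.20 dport=443 proto=tcp
2018-05-14T09:13:40Z allow src=10.20.1.15 dst=203.0.113.7 dport=443 proto=tcp
2018-05-15T22:01:11Z allow src=10.20.1.22 dst=10.20.5.9 dport=1433 proto=tcp
2018-05-19T02:10:00Z allow src=10.20.1.15 dst=203.0.113.7 dport=443 proto=tcp
2018-05-19T02:10:31Z allow src=10.20.1.15 dst=203.0.113.7 dport=443 proto=tcp
2018-05-20T03:00:02Z allow src=10.20.1.22 dst=203.0.113.7 dport=8443 proto=tcp
2018-05-20T03:05:45Z allow src=10.20.1.22 dst=203.0.113.7 dport=8443 proto=tcp
2018-05-21T01:44:09Z allow src=10.20.1.15 dst=203.0.113.7 dport=443 proto=tcp
2018-05-21T01:44:50Z allow src=10.20.1.15 dst=203.0.113.7 dport=443 proto=tcp
2018-05-28T10:15:00Z allow src=10.20.1.30 dst=198.51.100.21 dport=443 proto=tcp
2018-06-04T23:58:12Z allow src=10.20.1.15 dst=203.0.113.7 dport=443 proto=tcp
2018-06-04T23:59:00Z deny src=10.20.1.15 dst=192.0.2.77 dport=22 proto=tcp
garbage line that a real export may also contain
"""

# Assumed: the organisation's own address space. Internal-to-internal traffic is ignored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: external destinations justified by payment processing or other business needs.
KNOWN_BUSINESS_DSTS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one export line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_any(ip, nets):
    return any(ip in net for net in nets)


def unrecognised_outbound(log_text, internal=INTERNAL_NETS, known=KNOWN_BUSINESS_DSTS):
    """Aggregate *allowed* connections from internal hosts to external destinations that
    are on neither list. Denied connections are skipped: the firewall already stopped
    them, and the question here is which traffic actually left the network.
    Returns {dst: {"connections": int, "sources": set[str], "per_day": Counter[date]}}.
    """
    out = defaultdict(lambda: {"connections": 0, "sources": set(), "per_day": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if not in_any(rec["src"], internal) or in_any(rec["dst"], internal):
            continue  # not outbound from our address space
        if in_any(rec["dst"], known):
            continue  # destination justified by a business need
        entry = out[str(rec["dst"])]
        entry["connections"] += 1
        entry["sources"].add(str(rec["src"]))
        entry["per_day"][rec["ts"].date()] += 1
    return dict(out)


def peak_window(per_day, window_days=3):
    """Return (start_date, total) of the window_days-long span with the most connections.
    Ties resolve to the earliest window; an empty mapping yields (None, 0)."""
    if not per_day:
        return None, 0
    first, last = min(per_day), max(per_day)
    best_start, best_total = first, -1
    day = first
    while day <= last:
        total = sum(per_day.get(day + timedelta(days=i), 0) for i in range(window_days))
        if total > best_total:
            best_start, best_total = day, total
        day += timedelta(days=1)
    return best_start, best_total


if __name__ == "__main__":
    report = unrecognised_outbound(SAMPLE_LOGS)
    for dst, info in sorted(report.items(), key=lambda kv: -kv[1]["connections"]):
        start, total = peak_window(info["per_day"])
        print(f"{dst}: {info['connections']} allowed connections from {sorted(info['sources'])}; "
              f"busiest 3 days start {start} with {total} connections")
```

On the constructed sample the only unrecognised destination is 203.0.113.7, reached from two internal hosts, with its busiest three days starting 19 May; the malformed line and the denied connection are skipped. In a real review the internal ranges and the allowlist come from the network inventory and the payment-processing contracts, and every destination the script surfaces is a candidate for the block-and-log step the auditors recommend.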
On 11/14/2019, AIR EUROPA sends this Agency the following information and
manifestations:
1. That 100% of the share capital of AIR EUROPA belongs to GLOBALIA
CORPORACIÓN EMPRESARIAL, SA That there is a team at AIR EUROPA
responsible for information systems headed by the figure of the CIO.
At the operational level, the functions related to the supply of
infrastructure and administration of information systems and
communications are provided by GLOBALIA SISTEMAS Y
COMUNICACIONES SLU, a company 100% owned by GLOBALIA
CORPORACIÓN EMPRESARIAL, SA
2. Provide a signed copy of the assistance and management contract in the systems area
of information and communications dated 10/31/2009 between AIR EUROPA
LINEAS AÉREAS, SAU and GLOBALIA SISTEMAS Y COMUNICACIONES,
SLU where it manifests itself, among others:
to. That GLOBALIA SISTEMAS will assist AIR EUROPA in the areas of
information and telecommunications systems.
b. That the service to be provided by GLOBALIA SISTEMAS will have a
comprehensive, in a way that allows AIR EUROPA the total outsourcing of
services in the areas of information systems and
communications.
c. That GLOBALIA SISTEMAS will carry out on its own initiative the steps
and timely tasks for the development of the benefits previously
identified. Notwithstanding the foregoing, GLOBALIA SISTEMAS will submit
to the approval of AIR EUROPA the projects to be developed and will render
accounts of the efforts in the course of organized meetings,
mutual agreement, with a periodicity not exceeding quarterly.
3. Provide a signed copy of novation to the contract for the person in charge of the treatment
personal data dated 10/31/2019, according to which, GLOBALIA SISTEMAS
Y COMUNICACIONES, SLU is in charge of the treatment and AIR EUROPA
LINEAS AÉREAS, SAU is responsible for the treatment.
4. Provide a copy of the Cybersecurity Incident Response Plan of
GLOBALIA with an effective date of 07/05/2019 in its first version
As indicated by the version control of the document and the cover of the document.
5. That the forensic report of *** COMPANY.3 is a report that is required by
regulates banks on behalf of payment institutions that are members of the
PCI Council (as would be the case of VISA) to entities affected by a
incident, in order to evaluate the 19 .- [………].
6. That the forensic report of *** COMPANY.3 has a very specific purpose and
is oriented within the framework of identifying the volume of identified cards
as committed, which as a general rule determines the compensation
that the PCI Council may require from the entity affected by the
incident.
Provides forensic report of *** COMPANY.3 dated January 2019 and based on
in the investigation initiated on 10/25/2018 which contains the following
manifestations, among others:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 10
10/35
a. "The investigation carried out by *** COMPANY.3 identified conclusive evidence of a breach at AIR EUROPA."
b. "The investigation by *** COMPANY.3 identified more than 2.7 million unique card numbers that had been extracted from the credit card database systems by the attacker. Although some of the card data were 20.- [………], the attacker managed to use 21.- [………] tools to obtain clear-text data."
c. "The intrusion probably originated in insecure systems reachable from the internet. *** COMPANY.3 identified several devices that had not been patched regularly..."
d. Summary of possible causes and list of attack vectors: 22.- [………]
a. There is evidence of a breach of the cardholder data environment.
b. "The attack began when the attacker accessed XXX XXX from an improperly segmented server at XXX XXX."
c. "The attacker had a systematic connection to an external host. 23.- *** COMPANY.3 [………]. However, it did observe how the attacker created multiple files and later compressed them into a single archive. 24.- [………]."
d. Possible exposure of data types, among others: cardholder name, cardholder address, expiration date.
e. That the total number of cards exposed is 2722692, this not being the number of cards that are at risk.
2. That, regarding the reason for not detecting the breach until *** DATE.1 even though the attack started on 05/12/2018, AIR EUROPA states that the breach occurred as a result of an APT, a targeted and sophisticated attack, planned and executed in a professional and treacherous manner.
It also states that:
"The attack suffered by the Company is a type of 'attack [...] designed to last over time and manage to evade all the security measures of the most common platforms', as described by INCIBE in an article published on its website on June 16, 2016 and signed by AAA. It is, therefore, a type of stealth attack whose ultimate goal is to exfiltrate sensitive information of an organization and erase its traces upon completion, which makes them extremely difficult to detect."
1. It states that the key dates of the project to prepare the Security Master Plan (PDS) are:
a. July 2019: definition of the preliminary scope of the business services that will be evaluated for the development of the PDS.
b. September 11, 2019: launch meeting.
c. January 31, 2019: project closure.
d. February 3, 2020: entry into force of the PDS.
2. It provides a document titled "Critical and Security Updates Procedure" and states that this procedure has been applied routinely since before the incident.
a. This document states 25.- [………].
"26.- [………]"
b. In this document it is stated in section 27.- [………].
c. In this document it is stated in the 28.- [………].
3. It provides the AIR EUROPA Information Security Manual, whose last modification date is 10/31/2013, the purpose of this document being to respond to the obligation established in article 9 of Organic Law 15/1999.
4. It states that "it is relevant to state, as important information for the purposes of confirming the absence of relevant actual damage, that the number of claims received from users of the Company that could be related to the incident has been very small (2 claims in total, without any request for compensation). This confirms the analysis that the attackers have not been able to obtain sensitive or relevant information and that, with the information they may have stolen, the existence of numerous technical and organizational security measures throughout the process chain (including the entities involved in payment services) has meant that such information could not have been used to cause serious harm."
On 06/04/2020 AIR EUROPA sent this Agency the impact assessment of the processing "Sale to customers through alternative channels".
THIRD: On 06/23/2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the complained party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of articles 32.1 and 33 of the RGPD, typified in accordance with the provisions of article 83.4.a) of the aforementioned RGPD.
FOURTH: Once the aforementioned initiation agreement had been notified, the defendant submitted to the AEPD a written request for a copy of the file and an extension of the period granted for the submission of allegations, which was granted for five more days.
On 07/16/2020, the defendant submitted a brief of allegations in which, in summary, it stated: that it was not true that the security breach had not been reported; rather, once there were well-founded indications that the cyberattack suffered had affected a considerable amount of data, it was notified; that the complained party had at all times responded to the requests made by the AEPD; the inadmissibility of the violation of article 33 of the RGPD, since the notification was made; the lack of motivation and of responsibility found by the AEPD; that in the resolutions issued by the AEPD regarding security breaches less sophisticated than the one analyzed, most were archived where technical security measures prior to the incident were accredited and palliative measures were subsequently adopted, as is the case here; and its disagreement with the graduation of the sanction in the event of a possible infringement of article 32.1 of the RGPD, due to the absence of aggravating factors and the existence of mitigating factors that were not considered in the initiation agreement.
FIFTH: On 11/23/2020, the instructor of the procedure agreed to open a period for taking evidence, carrying out the following:
To consider reproduced for evidentiary purposes all the documents obtained and generated by the Inspection Services and the Report of prior Inspection actions that form part of file E/01909/2020.
To consider reproduced for evidentiary purposes the allegations to the initiation agreement PS/00179/2020 submitted by the complained party and the accompanying documentation.
To request from the defendant, with reference to the date prior to the start of the breach:
- A description (including the names of the servers and of the databases they contain) of the different systems environments, from the point of view of security, where customer data and their bank cards are stored, including at least the data of postal address, telephone numbers, passport numbers, ID, date of birth, cardholder name, card PAN, card expiration date and its CVV code. Likewise, an indication of the types of data stored within each environment/server/database, and documentation accrediting the security measures applied to isolate the different environments from each other.
- For each of the environments, servers and databases identified in the previous section, a screenshot showing, for 50 records, all the data stored, together with an explanation of their meaning.
Taking into account the Risk Analysis document delivered to this Agency under the name "Documento_3__PIA_Venta_on_line.pdf", and the measures applied before the start of the breach, the provision of the following information and documentation in force prior to the start of the breach:
• The reason why they were not included in the risk analysis 29.- [………].
• The reason why they were not adopting 30.- [………]:
31.- [………].
32.- [………]
On 12/02/2020, the complained party filed before the AEPD a written request for an extension of the period granted for the provision of evidence, which was granted for five more days.
On 12/16/2020, the respondent replied to the request for information; its content is in the file.
SIXTH: On 02/05/2021 a Proposal for Resolution was issued to the effect that the Director of the Spanish Data Protection Agency sanction the complained party, for infringement of articles 32.1 and 33 of the RGPD, typified in article 83.4 of the RGPD, with fines of €500,000 (five hundred thousand euros) and €100,000 (one hundred thousand euros), respectively.
On 02/10/2021, the complained party filed before the AEPD a written request for an extension of the period granted for the submission of allegations, which was granted for two more days.
On 02/25/2021 the complained party submitted a brief in which it alleged, in summary: the importance that both the incident produced and the protection of the personal data of all its clients have for the complained party; the lack of defence caused by the failure to consider the evidence submitted in response to the last request for information from the AEPD; the express challenge of the entire report of the Foregenix company; the inadmissibility of the sanction imposed for the alleged infringement of article 33 of the RGPD and, alternatively, its prescription (time-barring); disagreement with the imputation of an infringement of article 32 of the RGPD in relation to the appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and the inappropriateness of using forensic reports as evidence that Air Europa did not have adequate security measures; the lack of proportionality in the analysis of the aggravating circumstances taken into account by the AEPD for the graduation of the sanction imposed as a consequence of the alleged infringement of article 32.1 of the RGPD, and the existence of mitigating circumstances that were not considered when establishing the amount of the sanction; and the disparity of criteria in relation to previous similar sanctioning procedures.
SEVENTH: From the actions carried out in this procedure and the documentation in the file, the following have been accredited:
PROVEN FACTS
FIRST: On 11/29/2018 the AEPD received a written document from the complained party stating that on *** DATE.1 it had received a notification from Banco Popular regarding an incident, causing the activation of the incident response plan on 10/17/1018.
SECOND: On 01/18/2019 the defendant provided the complete notification through the form enabled at the electronic headquarters of the AEPD, providing annexed documents related to the preventive measures applied prior to the incident, the containment measures and additional information, and the justification for not informing the data subjects affected by the incident.
THIRD: On 04/01/2019 the complained party provided: the forensic technical report prepared by *** COMPANY.2 in relation to the incident communicated to the AEPD, which analyzes the incident produced and gives recommendations, pointing out that "In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4,000, had been used to commit fraud. The stolen data included personal and financial data of GLOBALIA clients who made reservations and modifications on AirEuropa.com. The data did not include travel or passport data" and that "The first confirmed access to the GLOBALIA network by the attacker took place through 33.- [………] for an unknown account on May 12, 2018."; a report prepared by the technical team of the complained party, which identifies the technical tasks carried out to close the breach and the protection improvements implemented, following IBM's recommendations; a risk analysis regarding the security measures in the processing of online sales data of Air Europa passengers; and the risk analysis carried out by the Company regarding whether or not to notify the AEPD and the data subjects about the security breach experienced.
FOURTH: On 11/14/2019 the defendant provided a forensic report by *** COMPANY.3 dated January 2019, based on the investigation carried out and the analysis of possible causes, noting, among other things, that "The investigation carried out by *** COMPANY.3 identified conclusive evidence of a breach at AIR EUROPA"; a copy of the contract of 10/31/2009 for assistance and management of information and communications systems between GLOBALIA SISTEMAS Y COMUNICACIONES, SLU and the complained party, in which they hold the status of controller and processor respectively; and copies of GLOBALIA's Cybersecurity Incident Response Plan of 07/05/2019 and of the Information Security Manual dated 10/31/2013.
FIFTH: On 06/04/2020 the complained party provided an Impact Assessment of the processing "Sales to customers through alternative channels".
SIXTH: The defendant has provided documents related to the measures it had in place prior to the declared security incident.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes for each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
II
Article 58 of the RGPD, Powers, states:
"2. Each supervisory authority shall have all of the following corrective powers:
(…)
i) to impose an administrative fine pursuant to article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;
(…)"
The RGPD establishes in article 5 the principles that must govern the processing of personal data and mentions among them that of "integrity and confidentiality".
The article states that:
"1. Personal data shall be:
(…)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')".
(…)
On the other hand, article 4 of the RGPD, Definitions, establishes in its sections 7, 8 and 12:
"(…)
7) 'controller': the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8) 'processor': the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(…)
12) 'personal data breach': a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(…)"
Likewise, article 24, Responsibility of the controller, states that:
"1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in article 40 or approved certification mechanisms as referred to in article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller".
And article 25, Data protection by design and by default, states that:
"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this article".
Therefore, in order to remedy a security breach, the controller must be able to recognize it, and the consequence of such a breach is that the controller cannot guarantee compliance with the principles relating to the processing of personal data, as established in article 5 of the GDPR.
The security of personal data is regulated in articles 32, 33 and 34 of the GDPR.
III
The GDPR defines personal data security breaches as those incidents that cause the accidental or unlawful destruction, loss or alteration of personal data, as well as the unauthorized disclosure of or access to such data.
Since 05/25/2018, the obligation to notify the Agency of gaps or security breaches that could affect personal data applies to any controller of personal data, which underlines the importance of all entities knowing how to manage them.
Therefore, as soon as the controller becomes aware that a personal data breach has occurred, it must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the controller can demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The controller must communicate to the data subject, without undue delay, a personal data breach where it is likely to result in a high risk to their rights and freedoms, in order to allow them to take the necessary precautions. The communication must describe the nature of the personal data breach and the recommendations for the natural person concerned to mitigate the potential adverse effects resulting from the breach. Such communications to data subjects must be made as soon as reasonably feasible and in close cooperation with the supervisory authority, following its guidance or that of other competent authorities, such as law enforcement authorities. Thus, for example, the need to mitigate an immediate risk of damage would justify prompt communication with data subjects, whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.
Article 33 of the RGPD establishes the manner in which a personal data breach is to be notified to the supervisory authority.
In this same sense, Recitals 85 and 86 of the RGPD point out:
"(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.
(86) The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects, whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication."
IV
In the first place, the defendant is accused of violating article 32.1 of the GDPR, which states:
"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in article 40 or an approved certification mechanism as referred to in article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law".
Recital (83) points out that:
"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, which may in particular lead to physical, material or non-material damage".
From the actions carried out and the documentation provided to the file, it has been verified that the security measures that the investigated entity had in relation to the data being processed were not the most appropriate to guarantee the security and confidentiality of personal data at the time the incident or breach occurred.
As recital 39 also points out:
"… Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing".
It should be noted that security measures are key when it comes to guaranteeing the fundamental right to data protection, since that fundamental right cannot be ensured if the confidentiality, integrity and availability of personal data cannot be guaranteed. To guarantee these three security factors, measures of both a technical and an organizational nature are necessary.
Therefore, information security risk analyses must focus on the ability to ensure the confidentiality, integrity and availability of the processing systems and services, as also contemplated in said article.
One of the requirements established by the RGPD for controllers and processors who carry out personal data processing activities is the need to carry out an information security risk analysis in order to establish the security and control measures aimed at complying with the principles of protection by design and by default that guarantee the rights and freedoms of people.
It is necessary to point out that in the present case the reports issued by the companies *** COMPANY.2 and *** COMPANY.3 accredit serious vulnerabilities in the complained party's systems, compromising the confidentiality and integrity of the information security and causing an unauthorized access that led to and caused an unlawful transmission of data.
As stated in the Report of *** COMPANY.2 of 12/20/2018, "In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4,000, had been used to commit fraud. The stolen data included personal and financial data of the clients of GLOBALIA who made reservations and modifications on AirEuropa.com. The data did not include travel or passport data", that "The first confirmed access to the GLOBALIA network by the attacker took place 34.- [………] for an unknown account on May 12, 2018", and it continues that, after the initial access, using 35.- [………], the hacker compromised a series of GLOBALIA systems, continuing the access until at least 08/11/2018; that it has been confirmed that the attacker had collected 488,847 unique credit cards; that the attacker compromised at least 12 systems and a minimum of 2 service accounts in support of its operation; that every system exposed to the Internet should have Multi-Factor Authentication enforced; that subsequent investigation of the accounts compromised by the attacker revealed 36.- [………], which would have made it easier for the attacker to compromise this account; that the attacker probably used *** FILE.1 as a test server from which to exfiltrate information; that a statistical analysis of the firewall logs revealed that the highest number of connections to the IP address controlled by the attacker took place between May 14 and June 4; that the attacker used publicly available tools, 37.- [………] with the IP address controlled by the attacker; and that an irregular logging configuration was observed in the systems analyzed, so that only some systems stored locally archived log files.
The aforementioned company made a series of recommendations: review the audit and retention policy and 38.- [………]; that although it has not been possible to determine exactly the source of infection of the systems in scope, one of the most probable hypotheses is 39.- [………]; various systems were observed that had been running for longer than one year, so 40.- [………].
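The firewall-log finding above (connections to the attacker-controlled address concentrated in one window, across several internal hosts) is the kind of question a defender can answer with a small aggregation over a log export, which also makes visible which systems kept no logs at all. The following is an added example, not part of the decision or of either forensic report; the log format, host names and addresses are constructed for the illustration.

```python
"""
Profiling outbound connections in firewall logs to spot a persistent
external host and the calendar window of heaviest contact.

Added illustration; not part of the AEPD decision or of the forensic
reports it cites. Log format, host names and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export: "<YYYY-MM-DD> <src_host> -> <dst_ip>:<port> <action>".
# 203.0.113.50 plays the externally controlled host; 198.51.100.7 is benign.
SAMPLE_LOG = """\
2018-05-12 srv-01 -> 203.0.113.50:443 allow
2018-05-12 srv-01 -> 198.51.100.7:443 allow
2018-05-13 srv-01 -> 203.0.113.50:443 allow
2018-05-13 srv-01 -> 203.0.113.50:443 allow
2018-05-14 srv-01 -> 203.0.113.50:443 allow
2018-05-14 srv-01 -> 203.0.113.50:443 allow
2018-05-14 srv-01 -> 203.0.113.50:443 allow
2018-05-14 srv-02 -> 198.51.100.7:443 allow
2018-05-15 srv-02 -> 203.0.113.50:443 allow
2018-05-15 srv-02 -> 203.0.113.50:443 allow
2018-05-15 srv-02 -> 203.0.113.50:443 allow
2018-05-15 srv-02 -> 203.0.113.50:443 allow
2018-05-16 srv-01 -> 203.0.113.50:443 allow
2018-05-16 srv-01 -> 203.0.113.50:443 allow
2018-05-16 srv-02 -> 203.0.113.50:22 deny
2018-05-17 srv-01 -> 198.51.100.7:443 allow
2018-05-18 srv-02 -> 203.0.113.50:443 allow
not a firewall line, must be skipped
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\S+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (allow|deny)$"
)


def parse_log(text):
    """Return (day, src_host, dst_ip) for each allowed connection; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(5) != "allow":
            continue  # malformed line or a blocked attempt: not an established contact
        records.append((date.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return records


def daily_counts(records, dst_ip):
    """ISO day -> number of allowed connections to dst_ip on that day."""
    counts = defaultdict(int)
    for day, _src, dst in records:
        if dst == dst_ip:
            counts[day.isoformat()] += 1
    return dict(counts)


def peak_window(counts, window_days):
    """Calendar window of window_days with the most connections: (start, end, total).
    Days without traffic count as zero; on a tie the earliest window wins."""
    if not counts:
        return None
    first = date.fromisoformat(min(counts))
    last = date.fromisoformat(max(counts))
    best = None
    start = first
    while start <= last:
        end = start + timedelta(days=window_days - 1)
        total = sum(counts.get((start + timedelta(days=i)).isoformat(), 0)
                    for i in range(window_days))
        if best is None or total > best[2]:
            best = (start.isoformat(), end.isoformat(), total)
        start += timedelta(days=1)
    return best


def destination_profile(records):
    """dst_ip -> distinct days seen, distinct internal hosts, total connections."""
    days, hosts, total = defaultdict(set), defaultdict(set), defaultdict(int)
    for day, src, dst in records:
        days[dst].add(day)
        hosts[dst].add(src)
        total[dst] += 1
    return {dst: {"days": len(days[dst]), "hosts": len(hosts[dst]),
                  "connections": total[dst]} for dst in total}


def flag_persistent(profile, min_days=5, min_connections=10):
    """Destinations contacted on at least min_days distinct days and min_connections times."""
    return sorted(dst for dst, p in profile.items()
                  if p["days"] >= min_days and p["connections"] >= min_connections)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    prof = destination_profile(recs)
    for dst in flag_persistent(prof):
        print(dst, prof[dst], "peak 3-day window:",
              peak_window(daily_counts(recs, dst), 3))
```

A host that never appears as a source in such an export, although it is known to talk to the Internet, is itself a finding: either it is not logging or its logs are not being retained.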
Likewise, the Report of *** COMPANY.3, a company specialized in security breaches and forensic analysis hired by the complained party on 10/22/2018, dated January 2019, points out: that it had identified conclusive evidence of the security breach; the identification of 2.7 million cards that had been extracted from the database systems, the attacker having managed to use decryption tools present in the systems; that the access 41.- [………]; a summary of the possible causes that motivated the attack (42.- [………]); the existence of evidence of a breach of the cardholder data environment; that the attack started when 43.- [………] was accessed; that the attacker had a connection with an external host and that 44.- [………]; and the possible exposure of certain types of data (cardholder name, cardholder address, expiration date).
Therefore, it follows from the foregoing that the technical and organizational security measures implemented by the complained entity were not appropriate to ensure a level of security appropriate to the risk and to prevent unauthorized access to customer data.
It should be noted that, given the technological and digital evolution undergone by personal data processing activities, these must be addressed from the point of view of continuous risk management, defining from the design stage the control and security measures necessary for the processing to take place in accordance with the privacy requirements associated with the risk levels to which they may be exposed, and periodically and continuously evaluating the effectiveness of the control measures implemented.
This also implies the protection of personal data by design and by default; that is, the controller must apply, both at the time of determining the means of processing and at the time of the processing itself, all those technical and organizational measures suitable and designed to apply the principles of data protection effectively and to integrate into the processing the safeguards necessary to comply with the requirements set out by the RGPD. In addition, the controller must apply the aforementioned measures to guarantee that, by default, only the personal data necessary for each specific purpose of the processing are processed.
The complainant has stated that the interpretation of the AEPD by the fact that
suffering a security breach would automatically imply the breach of the
Article 32.1 of the RGPD without providing any motivation regarding the reason for the
which security measures are insufficient.
However, it should be noted that such a statement cannot be accepted
since according to the Report prepared by *** EMPRESA.2 shows 45.-
[………] , although it may not be enough for the representative of the defendant
access to about 4,000 credit cards for the purpose of committing fraud; that he
attacker would have collected at least 488,847 unique credit cards; what
view and file in *** FILE.1 at least 2651 unique card numbers,
CVVs, expiration dates and cardholder names; than the number
approximate number of records affected were 1,500,000, etc.
Thus, it appears in the background of this proposal, extracted from the report cited: “In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4000, had been used to commit fraud. The stolen data included personal and financial information of the respondent's clients who made reservations and modifications on AirEuropa.com. The data did not include travel or passport data”; that “The first confirmed access to the respondent's network by the attacker took place through the CITRIX access gateway using valid credentials for an unknown account on May 12, 2018”; and it continues by stating that “After this initial access, the attacker compromised a series of the respondent's systems, considering that the attacker continued to access the GLOBALIA systems and accounts at least until August 11, 2018”.
An intrusion or unauthorised access 46.- [………] that the entity itself could not detect and of which it had to be notified by Banco Popular (VISA) upon checking access to customer cards, as evidenced by the respondent in the information submitted on 04/01/2019 providing the risk analysis carried out on the need or not to notify this Agency and the data subjects, which states: “… once the incident had been identified by the banking entities, these and the issuers of the compromised bank cards proceeded to block them and to inform the data subjects of said blocking so that the compromised data would be rendered useless ...”.
For further information, the Forensic Report of *** COMPANY.3, called into question by the respondent's representation, also indicates the existence of evidence of a cardholder data breach, that the data exposed were those relating to the cardholder's name, address and expiry date, and that their total number was 2722692, etc.
The respondent, in the risk analysis carried out after the incident suffered, points out: “In relation to AIR EUROPA systems, there were no specific measures, 47.- [………], to protect the data accessed by the attackers ...”
The consequence of this lack of adequate security measures was unauthorised access to personal data, namely bank card information (card number, expiry date and CVV) that could be used for fraudulent operations, as reported by Banco Popular to the respondent on *** DATE.1.
That mere possibility constitutes a risk that has to be analysed and assessed when processing personal data, and one that raises the degree of protection required in relation to the security and safeguarding of the integrity and confidentiality of the data.
This risk must be taken into account by the controller in its role of establishing the measures that could have prevented the loss of control of the data and, therefore, its loss by the data subjects who had provided it, as has been established.
In accordance with the above, the respondent's conduct implies the infringement of Article 32.1 of the RGPD, an offence typified in Article 83.4.a) thereof.
V
The respondent has alleged that the RGPD is not applicable since, at the time of the first access on 05/12/2018, the security requirements demanded by the legislation applicable at the time of the incident, the LOPD and its Regulation, were met.
However, such an allegation cannot be accepted; the facts at issue in this claim are subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, whose date of full application was 05/25/2018.
The access to the personal data of those affected by the breach began before the date of full application of Regulation (EU) 2016/679, which occurred on 05/25/2018, while Organic Law 15/1999 on the Protection of Personal Data (LOPD) was in force. However, the respondent's conduct in which the infringement consists, a security breach caused by the adoption of inadequate technical and organisational measures, was maintained over time, at least until the adoption of measures as a result of Banco Popular's communication to the respondent and the hiring of forensic companies, which led to the implementation of measures to stop the security incident.
It is true that the first access occurred, as the respondent points out, on 05/12/2018, a date on which the previous LOPD was in force and the RGPD did not yet fully apply, which it did from 05/25/2018; however, it is no less true that the offence continued to be committed and extended over time until the adoption of the measures adequate to end the breach in the respondent's systems. It must not be forgotten that technical and organisational security measures must be implemented to prevent, among other things, unauthorised access to personal data, and that these measures must be adequate.
And although the accesses continued until August 2018, ceasing as of that date, the measures implemented continued to be inadequate until others were implemented following the communication of the incident and until the new ones were adopted through the intervention of the contracted companies.
The offence for which the respondent is responsible shares the nature of so-called permanent offences, in which the consummation is projected in time beyond the initial event and extends, in breach of the data protection rules, throughout the whole period during which the data are being processed. In the present case, despite the fact that on the date the offending conduct began the applicable rule was the LOPD, the rule that applies is the one in force when the offence ceased to be consummated through the application of the appropriate and pertinent measures so that access to the personal data could no longer occur.
The Supreme Court has ruled on the rule to be applied in cases where infringements are prolonged in time and there has been a regulatory change while the offence was being committed. The STS of 04/17/2002 (Rec. 466/2000) applied a provision that was not in force at the initial moment of commission of the offence, but was in force during the subsequent acts in which the offending conduct continued. The Judgment examined a case concerning the sanction imposed on a Judge for breach of her duty of abstention in certain Preliminary Proceedings. The sanctioned party alleged that Article 417.8 of the LOPJ was not in force when the events occurred. The STS considered that the offence had been committed from the date of initiation of the Preliminary Proceedings until the moment the Judge was suspended from the exercise of her functions, so that rule was applicable. The SAN of 09/16/2008 (Rec. 488/2006) rules in the same sense.
VI
The respondent has alleged that the absence of a response to the evidence submitted at the AEPD's request dated 11/23/2020, and the failure to assess it, leaves it defenceless, noting in addition that it is very prejudicial to it that the AEPD has not taken into consideration a single one of the allegations made, nor a single one of the documents provided in the reply to the request issued by the AEPD during the evidentiary phase.
The alleged defencelessness is surprising; it should be noted that if no reference was made to them, it was because the reply offered only consolidated and reinforced the reports provided by IBM and Foregenix, according to which the measures in place at the time of the breach were not adequate for the security of the data.
These are measures that the controller must establish taking into account the risk analysis carried out and, depending on it, applying the most appropriate technical and organisational measures.
Thus, in the first place, a series of network diagrams of the payment environment were provided, but not the place where each specific type of data was stored.
In its statements, the respondent pointed out that the personal data of those affected (postal addresses, telephone, passport, ID number, date of birth, etc.) were stored separately from the information relating to bank cards and that, therefore, those data were not compromised.
However, it has not been proven that the data relating to the data subject and the data relating to the cards were stored separately; the *** COMPANY.2 audit report itself indicates that “The attacker viewed and archived in *** FILE.1 (…) at least 2651 unique card numbers, CVVs, expiry dates and cardholder names”. And the same report also states that “The stolen data included personal and financial data of GLOBALIA customers who made reservations and modifications on *** URL.1. The data did not include travel or passport data” (underlining by the AEPD).
And the respondent, in its reply dated 12/16/2020, stated that “As can be seen, neither the databases of the environment under investigation nor the potential compromise of data included information other than that already indicated; that is, unique card numbers, CVVs, expiry dates and cardholder names”. That is, it was implicitly acknowledging that the cardholder's name was included in the data potentially compromised, which should have been relevant when deciding to notify the security incident diligently to the AEPD, given the importance of the data that might or might not have been accessed.
Regarding the risk analysis, the latest document submitted by the respondent is dated 06/04/2020, on the occasion of the DPIA (EIPD), and is more complete than the one submitted on 04/01/2019. The first one submitted does not determine what level of risk is or is not acceptable for the processing carried out, nor how it is calculated, nor does it break down the mitigating measures, etc., compared with the last one submitted (where measures such as two-factor authentication and strong passwords do appear as implemented in the Risk Analysis).
The respondent alleges that when the security incident began the RGPD was not yet applicable and that the measures proposed in the Risk Analysis at that time were in line with the recommendations existing at the time.
However, it should be noted that, in relation to two types of measures, 48.- [………] to which the respondent refers recommends “49.- [………]”, that is, the same that the reports of the acting companies had already established and that is reflected in the report of preliminary actions; and, as regards password length and complexity, the same previous report (that of the CCN) points out and recommends 50.- [………].
Regarding 51.- [………], it states that it was fully updated at the date of the incident and submits a supporting document. However, 52.- [………].
As for 53.- [………] as a measure implemented at the time of the incident, according to the respondent this is because the CCN report referred to above states that passwords must be at least 8 characters long with different types of characters, that these recommendations were already met on 01/17/2018 following those recommendations, and it provides a screenshot of the password policy in which it appears that “passwords must meet complexity requirements”, “enabled”, “minimum password length” and “8 characters”. However, it is not shown, evidenced or justified what kind of complexity that enabled setting refers to and, in any case, the *** COMPANY.2 report points out that “subsequent investigations of the accounts compromised by the attacker, such as the service account *** SERVICE.1, revealed that it was using a password that did not meet the complexity and length requirements in line with industry best practice, which would have made it easier for the attacker to compromise this account.”
Regarding 54.- [………], they indicate that they were XXXXXXXX, submitting the network diagram.
However, the *** COMPANY . report of January 3, 2019 referred to the server 55.- [………]: “The attack began when the attacker accessed 56.- [………]” and “Although there were XXXXX and XXXXX, the attacker was able to “pivot” the entry 57.- [………]”.
Finally, regarding the blocking of external IPs unrelated to any payment system, it pointed out that “It was not technically possible to limit the IPs of the various authorisation centres. Therefore, outgoing connections (unlike incoming ones) were not, nor could they be, restricted.” However, no evidence or information is given as to why it was not technically possible or why the IPs could not be limited.
VII
The respondent alleges, in relation to the report provided by *** COMPANY.3, that it is neither an expert report nor an objective technical report, 58.- [………], its purpose being to calculate the amount of the compensation that this regulatory environment requires from associated companies in certain situations, and that there is an absolute incompatibility between the purposes of that report and those pursued in a disciplinary administrative file.
However, such a claim cannot be accepted either: first, because the respondent has not provided any proof of the report's partiality, which could have led to its challenge, none of which has been established in the evidentiary procedure.
And secondly, because the Report issued by that company states:
1. This investigation is carried out in strict compliance with all the applicable requirements set forth in Section 2.3 of the Requirements for the qualification of PCI forensic investigators, including, without limitation, the requirements set forth in that section relating to independence, professional opinion, integrity, objectivity, impartiality and professional scepticism.
2. This Preliminary PFI Incident Response Report identifies, describes, represents and characterises all the objective evidence that the PFI Company and its Employees collected, generated, discovered, analysed and/or considered, at their sole discretion, relevant to this investigation in the course of conducting it.
3. The opinions, conclusions and findings contained in this Preliminary PFI Incident Response Report (a) accurately reflect and are based exclusively on the objective evidence described above, (b) reflect only the opinions, conclusions and findings of the PFI Company and its Employees, acting at their sole discretion, and (c) have not been influenced, directed, controlled, modified, provided or submitted for the prior approval of the Entity under Investigation or of any contractor, representative, professional advisor, agent or affiliate thereof, or of any other person or entity other than the PFI Company and its Employees (underlining by the AEPD).
VIII
Secondly, the respondent is charged with infringing Article 33 of the RGPD, Notification of a personal data breach to the supervisory authority, which establishes:
“1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3. The notification referred to in paragraph 1 shall at least:
a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article”.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter RGPD) defines personal data breaches as those incidents that cause the accidental or unlawful destruction, loss or alteration of personal data, or the unauthorised disclosure of, or access to, such data.
Since 05/25/2018, the obligation to notify the Agency of gaps or security breaches that may affect personal data applies to any controller of personal data, which underlines the importance of all entities knowing how to manage them.
In this sense, recital 87 establishes that:
“It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation”.
Regardless of the internal actions carried out by the respondent to manage the breach or security incident once it became aware of it, the RGPD establishes that in the event of a personal data breach the controller shall notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The GDPR also establishes the cases in which a security breach must be communicated to the data subject, specifically when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
Both the notification to the competent supervisory authority and the communication to the data subject are obligations of the controller, although it may delegate their execution to other parties.
Therefore, what underlies this obligation is a broader duty that urges the controller to implement a procedure for managing security incidents affecting personal data, adapted to the characteristics of the processing.
Therefore, a key element of any data security policy is being able, as far as possible, to prevent a breach and, when one nevertheless occurs, to react quickly.
The RGPD indicates that breaches are those incidents that cause the accidental or unlawful destruction, loss or alteration of personal data, or the unauthorised disclosure of, or access to, such data.
In the case examined, the documentation in the file provides clear indications of the existence of a security incident provoked and suffered in the entity's systems, classified as a breach involving unauthorised access to user data, specifically personal data and bank card information (card number, expiry date and CVV) that could have been used for the commission of fraudulent operations and that, as indicated in the previous ground, would infringe Article 32.1 of the RGPD, Security of processing. The respondent became aware of it through the communication received from the financial institutions, which caused the activation of the incident response plan (PRI) the following day.
The respondent took the decision to notify this supervisory authority of the security breach detected on 11/27/2018, through the form available at the electronic office, but the online procedure made it impossible to submit it, so it had to be done the following day, 11/28/2018, in person.
It is true, as the respondent's representation states, that the breach was notified, although it was done late, 41 days after it became known, clearly infringing Article 33 of the RGPD, which establishes the obligation to notify the supervisory authority without undue delay and not later than 72 hours after having become aware of it.
The respondent justifies the late notification on the grounds that there was not sufficient knowledge of the nature or extent of the breach suffered, nor of whether it had affected personal data.
However, such an allegation cannot be admitted, since the controller had clear evidence that such a breach had occurred, and there is no doubt that it was aware of it as a result of Banco Popular's notification on *** DATE.1, which, as previously indicated, caused the activation of the incident response plan the following day. This is how it appears in the IBM report: “In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4,000, had been used to commit fraud”.
Furthermore, if, as the respondent itself points out in its brief dated 01/22/2019, the breach was resolved on 11/17/2018, why was it not notified earlier?
Moreover, in the risk analysis carried out on the need or not to notify the Agency, the conclusions state that “Applying the AEPD analysis methodology to the current incident (Annex 1), both the quantitative and the qualitative results exceed the threshold for notification to the AEPD ...”
On the other hand, the investigations and analyses carried out by the entity did not classify the incident as high risk for the rights and freedoms of the data subjects, so, for a breach that affected approximately 1,500,000 data records and approximately 489,000 users, those affected were not notified, since there were only 20 requests for information from clients, all of which were answered. In the conclusions of the above risk analysis it is stated that “In relation to the notification to data subjects and according to the AEPD analysis methodology (Annex 1), the quantitative result would not exceed the threshold established for such notification (30 vs. 40), while the qualitative threshold would be exceeded”.
In accordance with the preceding paragraphs, the respondent's conduct constitutes an infringement of Article 33.1 of the RGPD, an offence typified in Article 83.4.a) of the same legal text.
IX
The infringement of Articles 32.1 and 33 of the RGPD is typified in Article 83.4.a) of the RGPD in the following terms:
“4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(…)
For its part, the LOPDGDD, in its Article 71, Infringements, states that:
“The acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”.
And in its Article 73, for the purposes of limitation periods, it classifies as “Infringements considered serious”:
“Based on the provisions of Article 83.4 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered serious and shall be time-barred after two years, and in particular the following:
(…)
g) The breach, as a consequence of a lack of due diligence, of the technical and organisational measures that have been implemented in accordance with Article 32.1 of Regulation (EU) 2016/679.
r) Failure to comply with the duty to notify the data protection authority of a personal data breach in accordance with Article 33 of Regulation (EU) 2016/679”.
The established facts show the existence of a security breach in the respondent's systems which exposed their vulnerability and caused unauthorised and unlawful access to information relating to customers' bank cards (card number, expiry date and CVV) that could have been used for the commission of fraudulent operations, which, together with the late notification of the aforementioned breach or security incident, implies the infringement of Articles 32.1 and 33 of the GDPR.
X
In order to establish the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the RGPD must be observed, which state:
“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points a) to h) and j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement”.
In relation to point k) of Article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that:
“2. In accordance with Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the infringement.
b) The link between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the conduct of the data subject could have led to the commission of the infringement.
e) The existence of a merger by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The affecting of the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in those cases where there are disputes between them and any data subject.”
In accordance with the provisions transcribed, for the purpose of setting the amount of the sanction to be imposed in the present case for the infringements typified in Article 83.4.a) of the RGPD for which AIR EUROPA is responsible, the following factors are considered to concur:
- In relation to the infringement of Article 32.1 of the RGPD, typified in Article 83.4 of the aforementioned Regulation:
The nature and gravity of the infringement, given the not merely local scope of the declared security breach but quite the opposite, since personal data not only of nationals but also of foreigners may have been compromised, without forgetting the high number of persons, clients, potentially affected by it (489,000) and the number of records affected (1,500,000); the IBM report of 12/20/2018 stated that “GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4,000, had been used to commit fraud”, “Although IRIS has not been able to confirm how the attacker managed to exfiltrate information from the GLOBALIA network or what was exfiltrated, given the limitation of the logs, what IRIS has confirmed is that the attacker had collected at least 488847 unique credit cards”, and the *** COMPANY.3 report provided by the respondent on 11/14/2019 stated that “The *** COMPANY.3 investigation identified more than 2.7 million unique card numbers that had been extracted from the database systems by the attacker”; the category of data affected by the infringement, without forgetting the damages suffered by some of the customers.
The degree of responsibility of the controller, taking into account the technical or organisational measures applied and that were breached. Thus, *** COMPANY.2 points out that "…, the attacker took advantage of 59 .- [………] to gain access to the network for the first time", that "Every system exposed to the Internet, 60.- [………]" and that "…, Subsequent investigations of the accounts compromised by the attacker, *** SERVICE.1, revealed that it was using a password that did not meet the requirements of complexity and length in line with industry best practice, which would have made it easier for the attacker to compromise this account."

*** COMPANY.3 states in its report that "The intrusion probably had its origin in insecure systems available through the internet. *** COMPANY.3 identified several devices that had not been patched regularly…".

But the respondent entity itself has indicated that "In relation to the systems of AIR EUROPA, there were no specific measures, such as encryption or tokenization, to protect the data accessed by attackers. However, the
information accessed by the attackers does not include sensitive information such as special categories of personal data, postal addresses or telephone numbers, passport or ID number or date of birth. This sensitive information is not stored together with bank card information as a security measure. As a result, it is very difficult to identify unique individuals within the data set."
The categories of personal data affected as a consequence of the infringement, since identification data were joined with banking and financial data, resulting from the access to cards, for a clearly fraudulent purpose. The audit report carried out by *** COMPANY.2 of 12/20/2018 states that "In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, some 4,000, had been used to commit fraud. The stolen data included personal and financial data of GLOBALIA clients who made reservations and modifications in *** URL.1" (the underlining corresponds to the AEPD).
The manner in which the infringement became known, since it was due to a communication from BANCO POPULAR and, as indicated in the previous paragraph, from the credit card companies, without the respondent having had evidence of the intrusion and access committed, which began on 05/12/2018.
The continuing nature of the infringement, in the sense interpreted by the National High Court as a permanent offence, since a period of several months elapsed between the security incident and the detection of the breach.
The activity of the allegedly infringing entity is linked to the processing of data of both clients and third parties; this relationship is well known, since by its activity the entity is in permanent contact with clients and third parties and handles a large volume of data, which imposes a greater duty of care.
The business volume of the respondent, which is one of the leading companies within the Spanish market in its corporate purpose of air transport; the respondent is part of the business holding Globalia Corporación Empresarial SA, of which a large number of companies form part, and had annual revenue of €2,367,061,000 (2018) and €2,130,517,000 (2019) and an operating result of €82,921,000 (2018) and €93,984,000 (2019), as stated on the corporate group's website, and, according to the latest BORME publication of 12/30/2020, a share capital of €17,923,050.

For all these reasons, a fine of 500,000 euros is established for the infringement of Article 32.1 of the RGPD.
In relation to the circumstances of the responsibility, the respondent has alleged that mitigating circumstances should apply, considering that if the infringement of Article 32.1 is understood to have been committed, the following extenuating circumstances should apply: the low seriousness of the incident and the low level of damage caused; the measures taken by the controller to alleviate the damage suffered; the cooperation with the supervisory authority; and the absence of benefits obtained.

However, such a claim cannot be accepted; the aggravating circumstances that have been taken into account are those that concur in the present case.
Regarding the seriousness of the infringement, it already concurs as an aggravating factor in the grading of the sanction for the infringement of Article 32.1: "The nature and seriousness of the infringement, given that the scope of the declared security breach was not merely local but quite the opposite, since the personal data compromised belonged not only to nationals but also to foreigners, without forgetting the high number of persons, clients, potentially affected by it (489,000) and the number of records affected (1,500,000); in the report of *** COMPANY.2 of 12/20/2018 it was stated that ..."
In addition, it is striking that the infringement committed is classified as of low seriousness when the LOPDGDD itself, in its Article 73, considers it a serious offence for the purposes of limitation periods, and when the lack of diligence in the application of appropriate technical and organisational measures is evident and palpable, lasting from 05/12/2018, the date of the first access, until appropriate measures were implemented at the request of the contracted companies.
Regarding the low level of damage caused as a consequence of the infringement, this cannot be asserted in the present case, where there are also injured parties; but even if there were not, we are faced with the infringement of a fundamental right, and the high degree of intrusion into the privacy of customers must be taken into account, this being sufficient damage to them.
Even more striking is the request to apply as mitigating factors the adoption of measures by the controller to alleviate the damage and the cooperation with the supervisory authority, when these are nothing but legal obligations that must be required of any controller and processor, all the more so when, as indicated above, there was a lack of diligence in applying such measures to prevent unauthorised access; although it is true that non-compliance with them could lead to their application as aggravating factors.

As for the absence of benefits, the argument is inappropriate; the RGPD refers to the benefits obtained as a result of the commission of the infringement, not to the absence of benefits being considered as mitigating.
Therefore, evaluating the concurrent circumstances and taking into consideration especially those that operate as aggravating factors and have been analysed above, the penalty imposed for the infringement of Article 32.1 of the RGPD, given the seriousness of the events that occurred
- In relation to the infringement of Article 33 of the RGPD, classified in Article 83.4 of that Regulation:

The serious lack of diligence in complying with the obligations imposed by data protection regulations, making a late notification of the security breach which it was bound to notify.

The manner in which the infringement became known, since it was due to a notification from BANCO POPULAR and from the credit card companies, without the respondent having had evidence of the intrusion and access committed, which began on 05/12/2018.

The activity of the allegedly infringing entity is linked to the processing of data of both clients and third parties; this relationship is well known,
since by its activity the entity is in permanent contact with clients and third parties and handles a large volume of data, which imposes a greater duty of care.

The business volume of the respondent, which is one of the leading companies within the Spanish market in its corporate purpose.

For all these reasons, a fine of 100,000 euros is established for the infringement of Article 33 of the RGPD.
Therefore, in accordance with the applicable legislation and having assessed the criteria for grading sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on AIR EUROPA LINEAS AÉREAS SA, with CIF *** CIF.1, for an infringement of Article 32.1 of the RGPD, classified in Article 83.4.a) of the RGPD, a fine of €500,000 (five hundred thousand euros).

SECOND: TO IMPOSE on AIR EUROPA LINEAS AÉREAS SA, with CIF *** CIF.1, for an infringement of Article 33 of the RGPD, classified in Article 83.4.a) of the RGPD, a fine of €100,000 (one hundred thousand euros).

THIRD: TO NOTIFY this resolution to AIR EUROPA LINEAS AÉREAS SA.
FOURTH: To warn the sanctioned party that the sanction imposed must be paid once this resolution is enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by means of payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, SA. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the enforceability date falls between the 1st and the 15th of the month, both inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the immediately following business day, and if it falls between the 16th and the last day of the month, both inclusive, the payment deadline will be the 5th of the second following month or the immediately following business day.

In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month
counting from the day after notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46.1 of that Law.
Finally, it is pointed out that, in accordance with the provisions of Article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by letter addressed to the Spanish Data Protection Agency, submitted through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in Article 16.4 of the cited Law 39/2015, of October 1. The interested party must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will end.

Mar España Martí
Director of the Spanish Data Protection Agency
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es