AEPD (Spain) - PS/00179/2020: Difference between revisions
(→Facts) |
(→Facts) |
||
Line 50: | Line 50: | ||
}} | }} | ||
The Spanish DPA (AEPD) fined Air Europa Líneas Aéreas S.A. with €600,000 for the infringement of Articles 32(1) and 33 GDPR, due to the lack of appropriate technical and organisational measures and an adequate level of security and due to the delay in the notification of the personal data breach. | The Spanish DPA (AEPD) fined Air Europa Líneas Aéreas S.A. with €600,000 for the infringement of Articles 32(1) and 33 GDPR, due to the lack of appropriate technical and organisational measures and of an adequate level of security and due to the delay in the notification of the personal data breach. | ||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
Air Europa notified a data breach to the AEPD related to the unauthorized access to contact and bank cards information that affected to 489,000 data subjects and to 1,500,000 records. The unauthorized access was carried out via hacking and malware. One of the problems that were found in a posterior audit was the use of a weak password, among other vulnerabilities, some of which were technical. | Air Europa notified a data breach to the AEPD related to the unauthorized access to contact and bank cards information that affected to 489,000 data subjects and to 1,500,000 records. The unauthorized access was carried out via hacking and malware. One of the problems that were found in a posterior audit was the use of a weak password, among other vulnerabilities, some of which were technical, like the lack of a multi-factorial authentication system. | ||
The bank cards data included the numbering, expiry date and CVV. These data of around 4,000 bank cards was used to commit fraud. However, Air Europa classified the breach as medium risk and decided not to inform the affected data subject, arguing that it would be impossible to identify all of the data subjects and that a public notification was not necessary because there was not a serious risk for the rights of the affected data subjects. | The bank cards data included the numbering, expiry date and CVV. These data of around 4,000 bank cards was used to commit fraud. However, Air Europa classified the breach as medium risk and decided not to inform the affected data subject, arguing that it would be impossible to identify all of the data subjects and that a public notification was not necessary because there was not a serious risk for the rights of the affected data subjects. | ||
Additionally, the notification of the data breach was notified to the AEPD more than one month after Air Europa had knowledge of its existence (the data breach was notified by a banking institution to Air Europa on 17th October 2018; Air Europa notified the AEPD on 27th November 2018). | |||
===Dispute=== | ===Dispute=== | ||
Line 63: | Line 65: | ||
===Holding=== | ===Holding=== | ||
The AEPD, based on the posterior audits on the breach, concluded that there had been a lack of appropriate technical and organisational measures that derived in an inadequate level of security, and there had been therefore an infringement of Article 32(1) GDPR. | |||
The AEPD remarks that the level of security for the protection of the data was not adequate by design and by default. They support this with the fact that Air Europa was not able to detect the data breach themselves, but they only had notice when they were notified by a banking institution. | |||
The AEPD sanctioned Air Europa with a fine of €600,000: | The AEPD sanctioned Air Europa with a fine of €600,000: | ||
*Due to infringement of Article 32(1), for the lack of appropriate technical and organisational measures and an adequate level of security, the fine was €500,000. | *Due to infringement of Article 32(1), for the lack of appropriate technical and organisational measures and of an adequate level of security, the fine was €500,000. | ||
*Due to infringement of Article 33, for the delay of more than one month in the notification of the personal data breach, the fine was €100,000. | *Due to infringement of Article 33, for the delay of more than one month in the notification of the personal data breach, the fine was €100,000. | ||
Revision as of 11:45, 23 March 2021
AEPD - PS/00179/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 32(1) GDPR Article 33 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 18.03.2021 |
Fine: | 600 EUR |
Parties: | Air Europa Líneas Aéreas S.A. |
National Case Number/Name: | PS/00179/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) fined Air Europa Líneas Aéreas S.A. with €600,000 for the infringement of Articles 32(1) and 33 GDPR, due to the lack of appropriate technical and organisational measures and of an adequate level of security and due to the delay in the notification of the personal data breach.
English Summary
Facts
Air Europa notified a data breach to the AEPD related to the unauthorized access to contact and bank cards information that affected to 489,000 data subjects and to 1,500,000 records. The unauthorized access was carried out via hacking and malware. One of the problems that were found in a posterior audit was the use of a weak password, among other vulnerabilities, some of which were technical, like the lack of a multi-factorial authentication system.
The bank cards data included the numbering, expiry date and CVV. These data of around 4,000 bank cards was used to commit fraud. However, Air Europa classified the breach as medium risk and decided not to inform the affected data subject, arguing that it would be impossible to identify all of the data subjects and that a public notification was not necessary because there was not a serious risk for the rights of the affected data subjects.
Additionally, the notification of the data breach was notified to the AEPD more than one month after Air Europa had knowledge of its existence (the data breach was notified by a banking institution to Air Europa on 17th October 2018; Air Europa notified the AEPD on 27th November 2018).
Dispute
Holding
The AEPD, based on the posterior audits on the breach, concluded that there had been a lack of appropriate technical and organisational measures that derived in an inadequate level of security, and there had been therefore an infringement of Article 32(1) GDPR.
The AEPD remarks that the level of security for the protection of the data was not adequate by design and by default. They support this with the fact that Air Europa was not able to detect the data breach themselves, but they only had notice when they were notified by a banking institution.
The AEPD sanctioned Air Europa with a fine of €600,000:
- Due to infringement of Article 32(1), for the lack of appropriate technical and organisational measures and of an adequate level of security, the fine was €500,000.
- Due to infringement of Article 33, for the delay of more than one month in the notification of the personal data breach, the fine was €100,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/35 Procedure Nº: PS / 00179/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On 02/04/2019 the Director of the Spanish Agency for Data Protection agrees to initiate investigative actions in relation to the notification of a security breach made by AIR EUROPA LÍNEAS AÉREAS, SA, with CIF *** CIF.1 (hereinafter AIR EUROPA), regarding unauthorized access to contact information and bank cards that affect 489,000 interested parties and a volume of 1,500,000 records. However, on 02/28/2020, it was agreed to open new actions of research to AIR EUROPA and incorporate into them the documentation that made up the previous actions in file E / 02564/2019, which were declared expired. The security breach notification was made on 11/28/2018 and 01/22/2019 as an initial and complete notice. Subsequently, on 01/22/2019 another notification is made to correct information provided, as stated by AIR EUROPA, to discrepancies between the acknowledgment of receipt issued by the electronic headquarters of this Agency and the data actually entered in the online form. The three notifications contain, among others, the following information: That on 11/27/2018 an attempt was made repeatedly to notify in a manner initial to this Agency through the form enabled for this purpose at headquarters electronic but the online notification procedure made it impossible to presentation by said means, proceeding to the presentation in a initial and face-to-face on 11/28/2018. Responsible for the treatment: AIR EUROPA whose data has been included in the Investigated Entities section. Gap detection date: *** DATE.1 Means of detecting the breach: AIR EUROPA receives a notification by part of Banco Popular regarding a potential security incident, which determines the activation of the incident response plan by AIR EUROPE, on 10/17/2018. Start date of the gap: 05/12/2018 Gap resolved as of 11/17/2018. Justification for late notification: N / A Summary of the incident: the security incident has involved access not authorized to bank card information, numbering, date of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 2 2/35 expiration date and CVV that could have been used for the commission of fraudulent operations. Although all those identified were canceled before it is established that there has been any damage to the interested. In some cases (approximately 2,500) the identity of the holders of the bank cards has also been compromised. Typology: Confidentiality breach (unauthorized access). Means by which the breach has materialized: Hacking and malware. Context: External (intentional action) That before the breach the following preventive measures were applied: Network security: Our own human team with more than 10 years of experience in management and network, LAN and WAN management. The company has designed and provided training to employees on the use of the tools made available to you in accordance with current legislation. AIR EUROPA uses 1 .- [………] . Periodically (XXX) an evaluation program of the vulnerabilities to monitor potential security breaches in known vulnerabilities. In addition to the firewall systems that allow managing and blocking unauthorized access, there is a 2 .- [………]. To protect the user's browsing, there is a 3 .- [………]. Information protection and access controls: Access to information systems requires identification and authentication of all users 4 .- [………] (XX). The XX is connected with the system 5 .- [………] . There is a password renewal policy by which they are forced to change the same every XXX . The policy of 6 .- [………] . The management policies for access permissions to applications 7 .- [………] allowing to apply the principle of least privilege. Prevention: AIR EUROPA began a few months ago a process aimed at preparing a Security Master Plan in order to have a broader scenario of threats and define a more effective strategist. 8 .- [………]. That the categories of data affected are basic data and information on bank cards such as number, expiration date and CVV. That there are no special categories of data affected. That the approximate number of data records affected is 1,500,000 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 3 3/35 That the profile of the affected subjects are customers, the number being approximately 489,000 people affected. That the nature of the potential impact on the subjects is fraud. That the possible consequences is the disclosure to third parties / diffusion in internet and that the data can be exploited for other purposes. Who classifies the severity of the consequences as “Medium”. That the measures taken to solve the gap and minimize the impact were: o Conducting a preliminary investigation. o Hiring a forensic company *** COMPANY.1 for the provision of support and help in the analysis of the incident. o Hiring of a company specializing in analysis and resolution of incidents *** COMPANY. 2. o Monitoring of tasks and planning of improvements and actions to be implemented in systems in order to "close doors" and reduce risk. o Review of all the security measures and reinforcement of the themselves. o Chronology of the actions followed described in documents attachments. That the interested parties will not be informed for the following reasons: o There is only evidence of 11 requests for information per part of clients in relation to this event and is responding to all of them. The existence of others affected is unknown. o That technical protection measures have been adopted and appropriate organizational arrangements that ensure that the probability that no risk to rights will materialize and freedoms of the interested parties affected by the security breach. o That they understand that at this time it is more burdensome for the general interests and those of the interested parties make a communication public since they do not have contact information for all affected people. Attached documents are provided that contain, among others, the following manifestations: o That immediately after knowledge of the breach, a the company specialized in security breaches and forensic analysis and *** COMPANY. 3. o The company *** EMPRESA.2 was hired for the purpose of analyzing the scope, together with *** COMPANY.3 , and apply the measures necessary to correct the incident. o That the extent of the gap is not yet fully known. The security incident has involved unauthorized access. I know C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 4 4/35 makes this notification in a preliminary way to provide the information that is available so far. o That a series of technical measures were adopted that were carried out putting the focus first on activities of containment and then in preventive activities. o That after having analyzed the information that AIR EUROPA creates have been compromised, it is highly unlikely that only Spanish interested parties have been affected. However, AIR EUROPE is currently not in a position to identify the specific nationalities of all affected stakeholders. o Chronology of the actions followed: *** DATE . 1 . AIR EUROPA receives a notification from VISA (Banco Popular) related to a potential incident of security which determines the activation of the Response Plan before Incidents (PRI) on October 17, 2018. 10/18/2018. As part of the PRI, the company is contacted *** COMPANY.3 for the provision of support and help in the forensic analysis of the incident whose recruitment took place on 22 October 2018. 10/24/2018 to 10/31/2018. Collection of evidence and information necessary. 11/05/2018 to 11/08/2018. Analysis of the information collected. The On November 8, the forensic analyst confirms the existence of a gap. 11/08/2018. *** COMPANY.2 is contacted with the aim of reinforce internal security teams and work jointly with *** COMPANY . 3 . 11/09/2018. The works of *** COMPANY.2 begin to go "Closing doors" and reduce the risk progressively. 11/14/2018. The revision tasks of the set of security measures and, as appropriate, reinforce them. By *** COMPANY.2 and the forensic team is identified that from a server is contacting with an IP not recognized. 11/15/2018. AIR EUROPA receives specific instructions from the forensic team with 8 measures designed to contain the trouble. With the support of team *** EMPRESA.2 is assigned top priority to containment tasks. 11/17/2018. Confirmation by *** COMPANY. 2 and *** COMPANY.3 that the gap is contained. 11/23/2018. It is confirmed by *** COMPANY.2 the carrying out 90% of the containment and protection actions and that pending tasks are to be completed in the next C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 5 5/35 days. The effectiveness of the measures of real-time monitoring that continue to be deployed to guarantee the detection of any intrusion. SECOND: the Subdirectorate General for Data Inspection proceeded to carry out the following actions: On 04/01/2019, AIR EUROPA sends this Agency the following information and manifestations: 1. An audit report carried out by *** COMPANY.4 and dated to 12/20/2018 with the following statements: In the section "Background to the Incident" it is stated: “In October 2018, GLOBALIA was informed by the companies of credit cards that a large number of credit cards, some 4,000 had been used to commit fraud. The data stolen included personal and financial data of the clients of GLOBALIA who made reservations and modifications on AirEuropa.com. The data did not include travel or passport data. " Manifestations in the rest of the audit document: to. “ T he first confirmed access to the GLOBALIA network by the The attacker took place on May 12, 2018. " b. “ After this initial access, the attacker compromised a series of GLOBALIA and IRIS systems believe that the attacker continued accessing GLOBALIA systems and accounts at least until the August 11, 2018. " c. “ Although IRIS has not been able to confirm how the attacker managed to exfiltrate information from the GLOBALIA network or what was exfiltrated, given of the limitation of records, what IRIS has confirmed is that the attacker had collected at least 488847 unique credit cards " d. “From the sample of 4939 unique credit cards already declared fraudulent, 1,185 were found in the collection above mentioned." and. "The attacker viewed and filed in *** FILE.1 at least 2651 unique card numbers, CVVs, expiration dates and names of Cardholder." F. “ In total the attacker compromised at least 12 systems and a minimum of 2 service accounts in support of its operation " g. “ For the initial access, the attacker took advantage of 9 .- [………] to get access to the network for the first time " h. "Any system exposed to the Internet, 10 .- [………] ." i. “Likewise, subsequent investigations of the accounts compromised by the attacker, such as the service account GLOBALIA \ EJP, revealed that it was using a password that did not meet the complexity and length requirements in line with the best practice of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 6 6/35 sector, which would have made it easier for the attacker to compromise this account. " j. “Although IRIS could not confirm the data regarding how the attacker exfiltrated information due to record limitation, some research data indicates when it was possible to take the data and from where. Given that most of the data sensitive data that were collected by the attacker was found or transferred to the server *** FILE.1 , and that the server also had the only viable persistence mechanism, it is likely the attacker to use *** FILE.1 as a test server from the one to exfiltrate information. Similarly, a statistical analysis of Firewall logs revealed that the highest number of connections to the IP address controlled by the attacker, *** IP.1 , from the systems of GLOBALIA, took place between May 14 and June 4, with a peak of May 19-21, indicating that the attacker got down to the work. Given the volume of activity, it is possible that he also had data exfiltration occurs during these time frames, although the fact that the attacker accessed specific files related to credit cards later, in June, could indicate that the exfiltration also took place later in the same month. " k. “ To maintain access to the network, the attacker used tools publicly available, of 11 .- [………] in the systems that are communicated with the IP address controlled by the attacker *** IP.1 . " l. “No more malicious activity was observed regarding the same attacker or threat actor after August 11, 2018 " m. "The IP address controlled by the attacker was blocked on 15 November." n. “An irregular registry configuration was observed in the systems analyzed, so that only some systems stored locally archived log files; for example scripts executed by Powershell were only recorded in some systems. Audit records are important during an incident of security to reconstruct the attacker's activities ... Therefore, it is recommended to review the current audit policy and retention and apply it evenly throughout the environment. If not used already, it is also recommended to assess the possibility of centralizing collection of logs on a dedicated platform, such as a Incident Management and Security Information (SIEM) product, ... " to. “Although it has not been possible to determine exactly the source of the infection of systems in scope, one of the most probable is that 12 .- [………] . " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 7 7/35 b. "Block and monitor outbound traffic to external IP addresses suspicious is a good way to detect behavior abnormal originating from the network. In this incident we have 13.- [………], communicate with IP addresses external that were not related to any payment system, nor were they justified by other business needs. " to. “During the investigation, IRIS observed various systems with operation for longer than one year, so the systems The operating systems did not have patches for such a long period. " 2. A calendar of technical tasks undertaken for the closing of the breach and the protection improvements implemented that it has had in consideration, as stated by AIR EUROPA, the measures and recommendations issued by *** COMPANY.2 after analyzing the incident of security. This calendar contains tasks between 11/14/2018 and on 02/13/2019 and are classified into the following groups: to. XXX XXX update . b. Firewall rules restriction. c. *** IP Locking and Logging . 2 . d. Cleaning local users XXX XXX . and. Password changes. 14.- [………]. F. Antivirus. g. Application 15 .- [………] . h. Patching vulnerabilities and updating the servers involved in the incident. i. Installation XXX XXX . j. 16 .- [………]. k. Replatform of XXX XXX . l. Configuration 17 .- [………] . 3. AIR EUROPA states that it has received only 20 communications from clients due, in their majority, to inconveniences derived from the cancellation of the card by your bank, without manifesting any type of damage economic suffered, and through which they request more information. What only 3 of them stated that they had suffered some kind of damage economic result of the use, by third parties, of personal data obtained through attack. AIR EUROPA has responded attending to the information requirements requested by the interested parties. 4. Provides risk analysis regarding security measures in the processing of online sales data to AIR EUROPA passengers which It consists of a one-page document that analyzes 9 risks. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 8 8/35 5. Provides risk analysis carried out regarding the need or not to notification to this Agency and interested parties. In this analysis it is manifested: to. The art. 34.3 of the GDPR establishes three exceptions to the obligation to notify interested parties: Regarding 34.3.a): “ In relation to AIR EUROPA systems, there were no specific measures, 18 .- [………] . However, the information accessed by the attackers does not include information sensitive as special categories of personal data, postal addresses or telephone numbers, passport or ID or date of birth. This information sensitive is not stored together with card information banking as a security measure. As a result, it is very difficult to identify unique individuals within the data set. " Regarding 34.3.b): “… Once the incident has been identified by the banking entities, these and the issuers of the compromised bank cards proceeded to block and report said blockade to the interested in such a way that the compromised data remains disabled ... " Communication model made by the entity is provided Bankinter to its clients. Regarding 34.3.c): “ … It is practically impossible to uniquely identify interested parties from this data set, since there is no has their contact details. Therefore, if it is determined that a notification should be made interested parties, AIR EUROPA would have to carry out a public communication instead of individual notifications. From AIR EUROPA it is understood that at this moment it is more burdensome for the general interests and those of the interested parties make a public communication, as there is no no benefit derived from that communication. " b. That, according to the AEPD analysis methodology, the result quantitative would not exceed the threshold established for such notification (30 vs 40) while the qualitative threshold would be exceeded. Without However, taking the foregoing into account, AIR EUROPA has decided not to notify interested parties arguing that the incident is not liable to pose a high risk to the rights and freedoms of the same. c. That in those cases in which a high risk could be observed one or more exceptions from those contained in art. 3. 4 GDPR. In this sense, those provided for in art. 34.3 a) and b). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 9 9/35 On 11/14/2019, AIR EUROPA sends this Agency the following information and manifestations: 1. That 100% of the share capital of AIR EUROPA belongs to GLOBALIA CORPORACIÓN EMPRESARIAL, SA That there is a team at AIR EUROPA responsible for information systems headed by the figure of the CIO. At the operational level, the functions related to the supply of infrastructure and administration of information systems and communications are provided by GLOBALIA SISTEMAS Y COMUNICACIONES SLU, a company 100% owned by GLOBALIA CORPORACIÓN EMPRESARIAL, SA 2. Provide a signed copy of the assistance and management contract in the systems area of information and communications dated 10/31/2009 between AIR EUROPA LINEAS AÉREAS, SAU and GLOBALIA SISTEMAS Y COMUNICACIONES, SLU where it manifests itself, among others: to. That GLOBALIA SISTEMAS will assist AIR EUROPA in the areas of information and telecommunications systems. b. That the service to be provided by GLOBALIA SISTEMAS will have a comprehensive, in a way that allows AIR EUROPA the total outsourcing of services in the areas of information systems and communications. c. That GLOBALIA SISTEMAS will carry out on its own initiative the steps and timely tasks for the development of the benefits previously identified. Notwithstanding the foregoing, GLOBALIA SISTEMAS will submit to the approval of AIR EUROPA the projects to be developed and will render accounts of the efforts in the course of organized meetings, mutual agreement, with a periodicity not exceeding quarterly. 3. Provide a signed copy of novation to the contract for the person in charge of the treatment personal data dated 10/31/2019, according to which, GLOBALIA SISTEMAS Y COMUNICACIONES, SLU is in charge of the treatment and AIR EUROPA LINEAS AÉREAS, SAU is responsible for the treatment. 4. Provide a copy of the Cybersecurity Incident Response Plan of GLOBALIA with an effective date of 07/05/2019 in its first version As indicated by the version control of the document and the cover of the document. 5. That the forensic report of *** COMPANY.3 is a report that is required by regulates banks on behalf of payment institutions that are members of the PCI Council (as would be the case of VISA) to entities affected by a incident, in order to evaluate the 19 .- [………]. 6. That the forensic report of *** COMPANY.3 has a very specific purpose and is oriented within the framework of identifying the volume of identified cards as committed, which as a general rule determines the compensation that the PCI Council may require from the entity affected by the incident. Provides forensic report of *** COMPANY.3 dated January 2019 and based on in the investigation initiated on 10/25/2018 which contains the following manifestations, among others: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 10 10/35 to. “ The investigation carried out by *** EMPRESA.3 identified evidence findings of violation in AIR EUROPA " b. “The investigation of *** EMPRESA.3 identified more than 2.7 million unique card numbers that had been pulled from the credit card systems databases by the attacker. Although some of the data from the cards were 20 .- [………] , the attacker managed to use 21 .- [………] tools to obtain clear text data. " c. “The intrusion probably had its origin in insecure systems available through the internet. *** COMPANY.3 identified several devices that had not been patched regularly ... " d. Summary of possible causes and list of attack vectors: 22 .- [………] to. There is evidence of violation of the data environment of the owners of the cards. b. “ The attack began when the attacker accessed XXX XXX from a server not properly segmented at XXX XXX ”. c. “The attacker had a systematic connection to an external host. 2. 3.-, *** COMPANY.3 [………] . However, he did visualize how the attacker created multiple files and later compressed them into a single archive. 24 .- [………]. " d. Possible exposure of data types, among others; name of the holder of card, cardholder address, expiration date. and. That the total number of cards exposed is 2722692, not being that the number of cards that are at risk. 2. That, in relation to the reason for not detecting the gap until the *** DATE. 1 even though the attack started on 05/12/2018, AIR EUROPA states that the breach occurred as a result of an APT, an attack directed and sophisticated, planned and executed in a professional and treacherous. It also states that: “The attack suffered by the Company is a type of“ attack […] designed to last over time and manage to evade all security measures of the most common platforms ” as described by the INCIBE in an article published on its website on June 16, 2016 and signed by AAA . Is, therefore, a type of stealth attack that seeks as the ultimate goal to filter sensitive information of an organization and erase traces upon completion, which makes them extremely difficult to detect " 1. It states that the key dates of the project to prepare the Master Plan Security (PDS) are: to. July 2019: definition of the preliminary scope of business services that will be evaluated for the development of the PDS. b. September 11, 2019: launch meeting. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 11 11/35 c. January 31, 2019: project closure. d. February 3, 2020: entry into force of the PDS. 2. Provide a document with the title “Critical Updates Procedure and security ” and states that this procedure has been applied in a usual since before the incident. to. This document states 25 .- [………]. "26 .- [………]" b. In this document it is stated in section 27 .- [………]. c. In this document it is manifested in the 28 .- [………]. " 3. Provides the AIR EUROPA Information Security Manual dated of last modification of the document on 10/31/2013 being the object of this document respond to the obligation established in article 9 of the Law Organic 15/1999. 4. It states that “it is relevant to state, as important information for the purposes to ratify the inexistence of relevant effective damages, that the number of claims received by users of the Company that could be related to the incident has been very small (2 claims in total without request for compensation). This confirms the analysis that attackers have not been able to obtain sensitive or relevant information and that, with the information they may have stolen, the existence of numerous technical and organizational security measures throughout the process chain (including the entities involved in payment services) has made that information could not have been used to cause serious harm. " On 06/04/2020 AIR EUROPA sends this Agency the impact assessment of the treatment of "Sale to customers through alternative channels". THIRD: On 06/23/2020, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure for the complained party, in accordance with provided in articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of articles 32.1 and 33 of the RGPD, typified in accordance with the provisions of article 83.4.a) of the aforementioned RGPD. FOURTH: Once the aforementioned start-up agreement has been notified, the defendant submitted to the AEPD writing requesting a copy of the file and extension of the term granted for the presentation of allegations, which was granted in five more days. On 07/16/2020, the defendant submitted a brief of allegations in which, in summary, stated that it was not true that the security breach had not been reported Rather, once there were well-founded indications that the cyberattack suffered had affected to a considerable number of data, it was notified; that he claimed at all times has responded to the requirements formulated by the AEPD; the inadmissibility of the violation of article 33 of the RGPD since the notification was made; the lack of motivation and responsibility appreciated by the AEPD; that in the resolutions issued by the AEPD regarding security breaches less sophisticated than the one analyzed were most of them always archived that technical security measures will be accredited prior to the incident and they subsequently adopted palliative measures, as is the case in the present case; its C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 12 12/35 disagreement with the graduation of the sanction in the event of a possible infraction of the article 32.1 of the RGPD due to the non-concurrence of aggravating factors and the existence of mitigating they have not been considered in the initiation agreement. FIFTH: On 11/23/2020, the instructor of the procedure agreed to open the a period of practice tests, practicing the following: To consider reproduced for evidentiary purposes all the documents obtained and generated by the Inspection Services and the Report of previous actions of Inspection that are part of the file E / 01909/2020. To consider reproduced for evidentiary purposes, the allegations to the initiation agreement PS / 00179/2020 presented by the complained party and the documentation that accompanies. Request the defendant in reference to the date before the start of the breach produced: - Description (including name of servers and databases included in them) the different systems environments from the point of view of security, where they store customer data and their bank cards, including at least the data of postal address, telephone numbers, passport numbers, ID, date of birth, name of the holder of the card, PAN of the card, expiration date of the card and its CVV code. Likewise, indication of the types of data that are stored within each environment / server / database and provide documentation that accredits the applied security measures aimed at isolating the different environments each. - For each of the environments, servers and databases identified in the previous section, provide a screenshot where it is displayed, for 50 records, all the data stored together with the explanation of its meaning. Taking into account the Risk Analysis document delivered to this Agency with name "Documento_3__PIA_Venta_on_line.pdf", and the measures applied before the start of the breach, contribution of the following Information and documentation in force prior to the start of the breach: • Reason why they were not included in the risk analysis 29 .- [………]. • Reason why they were not adopting 30 .- [………] : 31 .- [………]. 32 .- [………] On 12/02/2020, the complained party filed before the AEPD a written extension of the period granted for the provision of evidence that was granted in five days plus. On 12/16/2020, the respondent responded to the requested information, which content of the work in the file. SIXTH: On 02/05/2021 a Proposal for Resolution was issued to the effect that The Director of the Spanish Data Protection Agency will sanction the claimed, for infringement of articles 32.1 and 33 of the RGPD, typified in article C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 13 13/35 83.4 of the RGPD, with fines of € 500,000 (five hundred thousand euros) and € 100,000 (one hundred thousand euros), respectively. On 02/10/2021, the claimed filed before the AEPD a written extension of the period granted for the presentation of allegations, which was granted in two days plus. On 02/25/2021 the claimed present writing in which he alleged in synthesis: the importance for the complained party supposes both the incident produced and the protection of the personal data of all its clients; the helplessness caused by failure to consider the evidence presented at the last request for information from the AEPD; the express challenge of the entire report of the Foregenix company; the inadmissibility of the sanction imposed for the alleged infringement of article 33 of the RGPD and, alternatively, its prescription; disagreement with the imputation of infringement of article 32 of the RGPD in relation to the measures appropriate technical and organizational techniques to ensure an adequate level of security for the risk and inappropriateness of the use of forensic reports as evidence that Air Europe did not have adequate security measures; lack of proportionality in the analysis of the aggravating circumstances taken into account by the AEPD for the graduation of the sanction imposed as a consequence of the alleged infraction of the Article 32.1 of the RGPD and the existence of extenuating circumstances that have not been considered when establishing the amount of the sanction and the disparity of criteria in relation to previous similar sanctioning procedures. SEVENTH: Of the actions carried out in this procedure and of the documentation in the file, the following have been accredited: PROVEN FACTS FIRST: On 11/29/2018 the AEPD receives a written document from the complained party stating that On *** DATE.1 he had received notification from Banco Popular regarding an incident of causing the activation of the incident response plan on the 10/17/1018. SECOND: On 01/18/2019 the defendant provided complete notification through the form enabled in the electronic headquarters of the AEPD, providing documents annexes related to preventive measures applied prior to the incident; Containment measures and additional information and Justification for not informing the stakeholders affected by the incident. THIRD: The complained party on 04/01/2019 has provided: Forensic technical report prepared by *** EMPRESA.2 in relation to the incidence communicated to the AEPD in the one that analyzes the incidence produced and recommendations; pointing out that “In October 2018, GLOBALIA was informed by the credit card companies credit that a large number of credit cards, about 4,000, had been used to commit fraud. The stolen data included personal data and financial statements of GLOBALIA clients who made reservations and modifications in AirEuropa.com. The data did not include travel or passport data ” and that “ The first confirmed access to the GLOBALIA network by the attacker took place through 33 .- [………] for an unknown account on May 12, 2018. " Report prepared by the technical team of the claimed one, which identifies the technical tasks C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 14 14/35 connections to close the gap and the protection improvements implemented, following IBM's recommendations; risk analysis regarding the measures security in the processing of online sales data to Air Europa passengers; the risk analysis carried out by the Company regarding the need or not to notification to the AEPD and interested parties about the security breach experienced. FOURTH: The defendant on 11/14/2019 has provided a forensic report on *** COMPANY January 3, 2019 based on research conducted and analysis possible causes, noting, among others, that “The investigation carried out by *** COMPANY.3 identified conclusive evidence of violation in AIR EUROPA ”; copy of the contract for assistance and management of information and communications systems 10/31/2009 between GLOBALIA SISTEMAS Y COMUNICACIONES, SLU and the claimed in which they hold the condition of responsible and in charge of the treatment respectively; copies the Cybersecurity Incident Response Plan of GLOBALIA of 07/05/2019 and Information Security Manual dated 10/31/2013 FIFTH: On 06/04/2020 the complainant has provided an Impact Assessment of the treatment of "Sales to customers through alternative channels" . SIXTH: The defendant has provided documents related to measures it had in place prior to the declared security incident. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II Article 58 of the RGPD, Powers , states: "two. Each supervisory authority shall have all of the following powers corrective measures listed below: (…) i) impose an administrative fine in accordance with article 83, in addition or in instead of the measures mentioned in this section, according to the circumstances of each particular case; (…) " The RGPD establishes in article 5 of the principles that must govern the treatment of personal data and mentions among them that of "integrity and confidentiality ”. The article notes that: "1. The personal data will be: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 15 15/35 (…) f) treated in such a way as to guarantee adequate security of the personal data, including protection against unauthorized processing or illicit and against its loss, destruction or accidental damage, through the application appropriate technical or organizational measures ('integrity and confidentiality »)”. (…) On the other hand, article 4 of the RGPD, Definitions , establishes in its sections 7, 8 and 12: “(…) 7) "controller" or "controller": the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the treatment; whether the law of the Union or of the Member States determines the purposes and means of the treatment, the person responsible for the treatment or Specific criteria for their appointment may be established by Union law. or of the Member States; 8) "processor" or "processor": the natural or legal person, public authority, service or other body that processes personal data on behalf of the responsible for the treatment; (…) 12) "violation of the security of personal data": any violation of the security that causes accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication or access to such data; (…) " Likewise, article 24, Responsibility of the person responsible for the treatment, states that: "1. Taking into account the nature, scope, context and purposes of the treatment as well as risks of varying probability and severity to the rights and freedoms of natural persons, the data controller will apply measures appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with this Regulation. These measures will be reviewed and will update when necessary. 2. When they are provided in relation to the treatment activities, the measures mentioned in section 1 shall include the application, by the responsible for the treatment, of the appropriate data protection policies. 3. Adherence to codes of conduct approved in accordance with article 40 or to a certification mechanism approved under article 42 may be used as elements to demonstrate compliance with the obligations by the responsible for the treatment ”. And article 25, Data protection by design and by default, states that; "1. Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the treatment, as well as the risks of various C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 16 16/35 probability and seriousness that the treatment entails for the rights and freedoms of natural persons, the data controller will apply, both at the time of determine the means of treatment as at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymisation, designed to effectively apply data protection principles, such as the data minimization, and integrate the necessary guarantees in the treatment, in order to comply with the requirements of this Regulation and protect the rights of interested. 2. The person responsible for the treatment will apply the technical and organizational measures appropriate in order to ensure that, by default, they are only processed the personal data that are necessary for each of the specific purposes of the treatment. This obligation will apply to the amount of personal data collected, to the extension of its treatment, its conservation period and its accessibility. Such measures will ensure in particular that, by default, personal data is not accessible, without the intervention of the person, to an undetermined number of people physical. 3. An approved certification mechanism may be used in accordance with the Article 42 as an element that proves compliance with the obligations established in sections 1 and 2 of this article ”. Therefore, to correct a security violation, the person responsible for the treatment must be able to recognize it and the consequence of such a violation is that the data controller cannot guarantee compliance with the principles relating to the processing of personal data, as established in article 5 of the GDPR. The security of personal data is regulated in articles 32, 33 and 34 of the GDPR. III The GDPR defines personal data security breaches as those incidents that cause the destruction, loss or accidental alteration or illicit personal data, as well as the communication or unauthorized access to themselves. Since last 05/25/2018, the obligation to notify the Agency of gaps or security breaches that could affect personal data is applicable to any person responsible for the processing of personal data, which underlines the importance of all entities knowing how to manage them. Therefore, as soon as the controller has knowledge that a data security breach has occurred personal must, without undue delay and, if possible, no later than 72 hours after you have been aware of it, report the breach of security personal data to the competent control authority, unless the responsible can demonstrate, in accordance with the principle of proactive responsibility, the improbability that the breach of the security of personal data involves a risk to the rights and freedoms of natural persons. The person responsible for the treatment must inform the interested party without delay undue violation of the security of personal data in case it can pose a high risk to your rights and freedoms, and allow you to take the necessary C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 17 17/35 necessary precautions. The communication must describe the nature of the violation of the security of personal data and the recommendations so that the person physical damage mitigates the potential adverse effects resulting from the violation. Said communications to the interested parties must be made as soon as reasonably possible and in close cooperation with the supervisory authority, following their guidance or those of other competent authorities, such as the police authorities. Thus, for example, the need to mitigate a risk of damage and immediate damages would justify a quick communication with the interested parties, whereas longer communication may be justified by the need to apply appropriate measures to prevent data security breaches personal continous or similar. In article 33 of the RGPD establishes the way in which a violation of the security of personal data to the supervisory authority. In this same sense, it is pointed out in Recitals 85 and 86 of the RGPD: ( 85) If adequate measures are not taken in time, violations of the security of personal data may entail physical damages, material or immaterial for natural persons, such as loss of control over their personal data or restriction of your rights, discrimination, usurpation of identity, financial loss, unauthorized reversal of pseudonymization, damage for reputation, loss of confidentiality of data subject to professional secrecy, or any other significant economic or social damage to the natural person in question. Therefore, as soon as the controller has knowledge that a data security breach has occurred personal data, the controller must, without undue delay and, if possible, at the latest 72 hours after you have had proof of it, notify the violation of the security of personal data to the competent control authority, unless the person in charge can demonstrate, in accordance with the principle of proactive responsibility, the improbability that the breach of the security of personal data involves a risk to the rights and freedoms of natural persons. If said notification is not possible within 72 hours, it must be accompanied by a indication of the reasons for the delay, being able to provide information in phases without further undue delay. (86) The data controller must inform the data subject without delay undue violation of the security of personal data in case it can pose a high risk to your rights and freedoms, and allow you to take the necessary necessary precautions. The communication must describe the nature of the violation of the security of personal data and the recommendations so that the person physical damage mitigates the potential adverse effects resulting from the violation. Said communications to the interested parties must be made as soon as reasonably possible and in close cooperation with the supervisory authority, following their guidance or those of other competent authorities, such as the police authorities. Thus, for example, the need to mitigate a risk of damage and immediate damages would justify a quick communication with the interested parties, whereas longer communication may be justified by the need to apply appropriate measures to prevent data security breaches continuous personal or similar. IV C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 18 18/35 In the first place, the defendant is accused of violating article 32.1 of the GDPR, which states: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for people's rights and freedoms physical, the person in charge and the person in charge of the treatment will apply technical measures and appropriate organizational arrangements to ensure a level of security appropriate to the risk, that in your case include, among others: a) pseudonymisation and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore availability and access to data personnel quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness of the technical and organizational measures to guarantee the safety of the treatment. 2. When evaluating the adequacy of the security level, particularly the take into account the risks presented by the data processing, in particular as consequence of accidental or illegal destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to such data. 3. Adherence to a code of conduct approved in accordance with article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the this article. 4. The person in charge and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the controller or of the person in charge and have access to personal data can only process said data following instructions of the person in charge, unless it is obliged to do so by virtue of the law of the Union or of the Member States ”. Recital (83) points out that: “(83) In order to maintain security and prevent the treatment from violating the provided in this Regulation, the person in charge or the person in charge must evaluate the risks inherent to the treatment and apply measures to mitigate them, such as the encryption. These measures must guarantee an adequate level of security, including the confidentiality, taking into account the state of the art and the cost of its application with respect to the risks and the nature of the personal data that must protect yourself. When assessing risk in relation to data security, you should take into account the risks arising from the processing of personal data, such as accidental or illegal destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or communication or access does not authorized to said data, susceptible in particular to cause damages physical, material or immaterial ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 19 19/35 Of the actions carried out and documentation provided to the file, it has been verified that the security measures that the investigated entity had in relation to the data that was being processed, they were not the most appropriate for guarantee the security and confidentiality of personal data at the time of the incident or bankruptcy occurs. As recital 39 also points out : “… Personal data must be treated in a way that guarantees a adequate security and confidentiality of personal data, including for prevent unauthorized access or use of such data and the equipment used in the treatment". It should be noted that security measures are key when it comes to guarantee the fundamental right to data protection since it is not possible ensure the fundamental right to data protection if it is not possible to guarantee the confidentiality, integrity and availability of personal data. For To guarantee these three safety factors, measures are necessary both of a nature technical and organizational in nature. Therefore, information security risk analyzes must focus on the ability to ensure confidentiality, integrity, availability of the treatment systems and services, as also contemplated in said Article. One of the requirements established by the RGPD for responsible and processors who carry out data processing activities personal is the need to carry out a risk analysis of the security of the information in order to establish the security and control measures aimed at comply with the principles of protection by design and by default that guarantee the rights and freedoms of people. It is necessary to point out that in the instant case, in light of the reports issued by the companies *** COMPANY.2 and *** COMPANY.3 they credit serious vulnerabilities of the complainant's systems, compromising the confidentiality and integrity of the information security causing an access unauthorized that led to and caused an illegal transmission of data. As stated in the Report of *** COMPANY.2 of 12/20/2018, “In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, about 4,000, had been used to commit fraud. The stolen data included personal and financial data of the clients of GLOBALIA who made reservations and modifications on AirEuropa.com. The data does not included travel or passport data ” that “ The first confirmed access to the network of GLOBALIA by the attacker took place 34 .- [………] for an account unknown on May 12, 2018 ” and continues that after the initial access, using 35 .- [………], the hacker compromised a series of GLOBALIA systems continuing access until at least 08/11/2018; that it has been confirmed that the attacker had collected 488,847 unique credit cards; that compromised the minus 12 systems and a minimum of 2 service accounts in support of your operation; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 20 20/35 that the entire system exposed to the Internet should have Authentication executed Multifactorial; that subsequent investigations of accounts compromised by the attacker revealed 36 .- [………] , which would have made the attacker find it more easy to compromise this account; that the attacker was likely to use *** FILE.1 as a test server from which to exfiltrate information; than an analysis statistic from firewall logs revealed that the highest number of connections to the IP address controlled by the attacker, took place between May 14 and May 4 June; that the attacker used publicly available tools, 37 .- [………] with the IP address controlled by the attacker; that a configuration of registers was observed irregular in the systems analyzed, so that only some systems they stored locally archived log files. The aforementioned company made a series of recommendations: review the policy audit and retention and 38 .- [………] ; that although it has not been possible to determine exactly the source of the infection of the systems in scope, one of the hypotheses the most probable is 39 .- [………] observed various systems with a functioning longer than one year, so 40 .- [………] . Likewise, the Report of *** COMPANY.3 , a company hired on 10/22/2018 by the claimed and specialized in security breaches and forensic analysis, from January of 2019 points out: that it had identified conclusive evidence of the violation of security; the identification of 2.7 million cards that had been drawn from the database systems getting the attacker to use tools of decryption present in systems; that access 41 .- [………]; a summary of the possible causes that motivated the attack ( 42 .- [………]; the existence of evidence of violation of the cardholder data environment; that the attack started when 43 was accessed .- [………] ; that the attacker had one with an external host and that 44 .- [………] ; the possible exposure of certain types of data (name of the cardholder, cardholder address, expiration date). Therefore, it follows from the foregoing that the security measures technical and organizational techniques implemented by the claimed entity were not appropriate to ensure a level of security appropriate to the risk and to prevent unauthorized access authorized to customer data. It should be noted that given the technological and digital evolution suffered by the personal data processing activities, must be addressed from the point of view in view of a continuous risk management, defining from the design the measures of control and security necessary for the treatment to take place respecting the privacy requirements associated with the risk levels to which they may be exposed and periodically and continuously evaluating the effectiveness of the measures control systems implemented. This also implies the protection of personal data from the design and by default, that is, the person in charge must apply, both at the time of establish the means of treatment as at the time of treatment itself, all those technical and organizational measures suitable and designed to apply, effectively, the principles of data protection and integrate, in the treatment, the guarantees necessary to comply with the requirements indicated by the RGPD; In addition, the person in charge must apply the aforementioned measures to guarantee that, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 21 21/35 By default, only the personal data necessary for each specific purpose is processed treatment. The complainant has stated that the interpretation of the AEPD by the fact that suffering a security breach would automatically imply the breach of the Article 32.1 of the RGPD without providing any motivation regarding the reason for the which security measures are insufficient. However, it should be noted that such a statement cannot be accepted since according to the Report prepared by *** EMPRESA.2 shows 45.- [………] , although it may not be enough for the representative of the defendant access to about 4,000 credit cards for the purpose of committing fraud; that he attacker would have collected at least 488,847 unique credit cards; what view and file in *** FILE.1 at least 2651 unique card numbers, CVVs, expiration dates and cardholder names; than the number approximate number of records affected were 1,500,000, etc. Thus, it appears in the antecedents of this proposal and extracted from the cited report: “ In October 2018, GLOBALIA was informed by the companies of credit cards of which a large number of credit cards, about 4000, they had been used to commit fraud. The stolen data included data personal and financial information of the clients of the defendant who made reservations and modifications on AirEuropa.com. The data did not include travel or passport ”that “ The first confirmed access to the network of the claimed by the attacker took place through the CITRIX access gateway by using valid credentials for an unknown account on May 12, 2018 ” and continues by stating that “After this initial access, the attacker compromised a series of the complainant's systems considering that the attacker continued to access the GLOBALIA systems and accounts at least until August 11, 2018 " Intrusion or unauthorized access 46 .- [………] and that the entity itself could not detect and that you had to be notified by Banco Popular (VISA) when checking access to customer cards, as evidenced in by the claimed in the information sent on 04/01/2019 providing the risk analysis carried out regarding the need or not to notify this Agency and those interested in the which states: “… once the incident has been identified by the banking entities, these and the issuers of the compromised bank cards proceeded to block and inform the interested parties of said blocking so that the compromised data be rendered useless ... ". For more information, the Forensic Report of *** COMPANY.3 , put in interdicted by the representation of the defendant also indicates the existence of evidence of cardholder data breach, that the data exposed was the relating to the cardholder's name, address, expiration date and that their total number was 2722692, etc. The claimed person in the risk analysis carried out after the incident suffered points out “In relation to AIR EUROPA systems, there were no specific measures, 47 .- [………] , to protect the data accessed by the attackers ... " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 22 22/35 The consequence of this lack of adequate security measures was the access to unauthorized personal data, bank card information, numbering, expiration date and CVV that could be used for fraudulent operations as reported by Banco Popular to the defendant on *** DATE . 1 . That mere possibility supposes a risk that has to be analyzed and valued at the time to process personal data and that increases the demand for the degree of protection in relation to the security and safeguarding of the integrity and confidentiality of themselves. This risk must be taken into account by the person responsible for the treatment and in its function to establish the measures that might have prevented the loss of control of the data and, therefore, by the owners of the data that they were provided to him as has been credited. In accordance with the aforementioned, the action of the defendant implies the violation of article 32.1 of the RGPD, offense typified in its article 83.4.a). V The complainant has alleged the non-applicability of the RGPD since when the first access on 05/12/2018, the security requirements were met on that date required by the applicable legislation at the time of the incident, the LOPD and its Regulation. However, such allegation cannot be accepted; the facts object of the This claim is subject to the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to Data Processing Personal Data and the Free Circulation of this Data, whose date of full application was on 05/25/2018. Access to personal data of those affected by bankruptcy started before of the date of full application of Regulation (EU) 2016/679 -what happens on 05/25 / 2018- and when Organic Law 15/1999 for the Protection of Personal Data, LOPD. However, the conduct of the defendant in which the infringement is specified, security breach motivated by the adoption of measures inadequate technical and organizational techniques, has been maintained over time, at least until the adoption of measures as a result of the communication from Banco Popular to the claimed and the hiring of forensic companies that caused the implementation of measures in order to stop the security incident. It is true that the first access occurs, as the complainant points out, the 05/12/2018 date on which the previous LOPD was in force and that the RGPD is not applicable full application until 05/25/2018; however, it is no less so than the offense continued to be produced and extended in time until the adoption of those adequate measures to end bankruptcy in the systems of the claimed; do not forget that technical and organizational security measures must be implemented to prevent, among others, unauthorized access to data of a personal nature and that these measures must be adequate. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 23 23/35 And although the accesses continued until August 2018, ceasing from On this date, the measures implemented continued to be inadequate until the others were implemented due to the communication of the incident and the adoption of those new ones due to the intervention of the contracted companies. The offense for which the claimed person is responsible participates in the nature of the so-called permanent offenses, in which the consummation is projected in time beyond the initial event and extends, violating the data protection regulations, during the entire period of time in which the data are subject to treatment. In the present case, despite the fact that on the date on which the offending conduct was initiated, the applicable norm was the LOPD, the norm that The result of application is the one that was in force when the offense ceases be consummated with the application of those appropriate and pertinent measures in order to that access to personal data could not occur. The Supreme Court has ruled on the rule to be applied in those cases in which the infractions are prolonged in time and there have been a regulatory change while the offense was being committed. The STS of 04/17/2002 (Rec. 466/2000) applied a provision that was not in force at the initial time of commission of the offense, but in subsequent offenses, in which the conduct continued offending. The Judgment examined an assumption that related to the sanction imposed to a Judge for breach of her duty of abstention in some Proceedings Previous. The sanctioned alleged the non-validity of article 417.8 of the LOPJ when the events occurred. The STS considered that the offense had been committed from the date of the initiation of the Preliminary Proceedings until the moment in which the Judge was suspended in the exercise of her functions so that rule was of app. In the same sense, the SAN of 09/16/2008 (Rec. 488/2006) is pronounced SAW The defendant has alleged that the absence of a response makes him helpless to the tests presented at the request of the AEPD dated 11/23/2020 and not have assessed them, noting, in addition, that it is very harmful to him that the AEPD has not taken into consideration a single of the allegations made nor has it taken into account a single one of the documents provided in the answer to the request issued by the AEPD during this evidentiary phase. The alleged cause of helplessness is surprising; it should be noted that if it was not done reference to them was due to the fact that the answer offered was only consolidate and reinforce the reports provided by IBM and Foregenix that the measures implanted at the time and moment of the bankruptcy that occurred were not the adequate for data security. Measures that must be established by the person responsible for the treatment taking into account the risk analysis carried out and, depending on it, apply those most appropriate technical and organizational measures. Thus, in the first place, a series of network diagrams of the environment of payments, but the place where each type of data was stored, where each type of specific data was stored. In his statements, the defendant pointed out that the character data personnel of those affected (postal addresses, telephone, passport, ID, date birth, etc.), were stored independently of the information related to to bank cards and that, therefore, the aforementioned data was not compromised. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 24 24/35 However, it is not proven that the data relating to the owner of the data and therefore those related to the cards were filed separately; the report itself *** COMPANY.2 audit report indicates that “The attacker viewed and filed in *** FILE.1 (…) at least 2651 unique card numbers, CVVs, dates of expiration date and names of the cardholder ”. And in the same report it is also states that “The stolen data included personal and financial data of the GLOBALIA customers who made reservations and modifications to *** URL.1 . The data did not include travel or passport data ” (underlining corresponds to the AEPD). And the one claimed in her response dated 12/16/2020 stated that “As can be seen, neither the databases of the environment that are the subject of this research, nor the potential compromise of data, included information that was not the one already indicated; that is, unique card numbers, CVVs, expiration dates, and names of the cardholder ” . That is, it was implicitly recognizing that the name of the owner was included in the data within the potential commitment of data, which should have been relevant when establishing the need to give to diligently know the notification of the security incident to the AEPD, given the importance of data that could or could not be or could not be accessed. Regarding risk analysis, the latest document presented by the claimed is dated 06/04/2020 on the occasion of the EIPD, more complete than the presented on 04/01/2019. The one contributed in the first place does not determine what level of risk is or is not acceptable for the treatment carried out, nor do they determine its calculation, nor does it break down mitigating measures, etc., compared to the last presented (where if measures such as double authentication and strong passwords that are implemented in Risk Analysis). The defendant alleges that when the security incident began there was no applied the RGPD and that the measures proposed in the Risk Analysis in that were in accordance with the existing recommendations at the time. However, it should be noted that in relation to two types of measures, 48 .- [………] to which the defendant refers recommends “49 .- [………] ”, that is, what same that already established the reports of the acting companies and that appears reflected in the report of previous actions and, in terms of length and complexity password, in the same previous report (that of CNN) it is pointed out and recommended 50 .- [………] . Regarding 51 .- [………] , it states that it was completely updated to date of the incident and present a supporting document. However, 52 .- [………]. As for 53 .- [………] as a measure implemented at the time of the incident According to the complainant, it is due to the fact that in the CCN report referred to above states that the length of passwords must be at least 8 with different types of characters and that these recommendations were already met 01/17/2018 following their recommendations and provide a screenshot with the password policy where it appears that “passwords must meet the requirements complexity ”,“ enabled ”,“ minimum password length ” and “ 8 characters ”. However, it is not appreciated, credited or justified what kind of complexity enabled is referring and in any case, in the report of *** COMPANY.2 it is points out that “subsequent investigations of the accounts compromised by the attacker, such as the service account *** SERVICE.1 , revealed that it was using a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 25 25/35 password that did not meet the complexity and length requirements in line with the industry best practice, which would have made the attacker more easy to compromise this account. " Regarding the 54 .- [………] they indicate that they were XXXXXXXX presenting the network diagram. However, the report of *** COMPANY . January 3, 2019 made reference to to the server 55 .- [………] , “The attack began when the attacker accessed 56.- [………] ” and “ Although there were XXXXX and XXXXX , the attacker was able to “pivot” the entry 57.- [………] " Finally, regarding the blocking of external IPs that have no relation with any payment system, he pointed out that “It was not technically possible to limit the IP's of the various authorization centers. Therefore, outgoing connections (not like this the starters) were not, nor could they be restricted. " However, neither is it credited nor is any information given as to why was it technically possible or why it was not possible to limit the IPs. VII The defendant alleges in relation to the report provided by *** COMPANY.3 that it is not an expert report, nor an objective technical report, 58 .- [………] , with the in order to calculate the amount of compensation that this regulatory environment requires from companies associated entities in certain situations and that there is an incompatibility absolute between the purposes of that report and those to be pursued in a disciplinary administrative file. However, such a claim cannot be accepted either: in the first place, because the defendant has not provided any proof of his partiality, which may have provoked its challenge, without having been accredited in the test procedure any of it. And secondly, because the Report issued by the aforementioned company states: 1.This investigation is carried out in strict compliance with all the applicable requirements set forth in Section 2.3 of the Requirements relating to the qualification of PCI forensic investigators, including, without limitation, the requirements set forth in said section relating to independence, professional opinion, integrity, objectivity, impartiality and professional skepticism. 2. This Preliminary Incident Response PFI Report identifies, describes, represents and characterizes all objective tests that the PFI Company and its Employees collected, generated, discovered, analyzed and / or considered your sole discretion relevant to this investigation in the course of conducting the herself. 3.The opinions, conclusions and findings contained in this Report Preliminary Incident Response PFI (a) accurately reflects and is based on exclusively on the objective tests described above, (b) reflect only the opinions, conclusions and findings of the PFI Company and its Employees, acting at their sole discretion, and (c) have not been influenced, directed, controlled, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 26 26/35 modified, provided or submitted to the prior approval of the Entity object of Research or of any contractor, representative, professional advisor, agent or affiliate of the same or any other person or entity other than the PFI Company and its Employees (the underlining corresponds to the AEPD). VIII Second, the defendant is accused of violating Article 33 of the RGPD, Notification of a violation of the security of personal data to the supervisory authority, which establishes: "1. In case of violation of the security of personal data, the responsible for the treatment will notify the competent control authority of in accordance with Article 55 without undue delay and, if possible, no later than 72 hours after you have had a record of it, unless it is unlikely that said violation of security constitutes a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority does not have place within 72 hours, must be accompanied by an indication of the reasons for procrastination. 2. The person in charge of the treatment will notify the person in charge without undue delay of the treatment the violations of the security of the personal data of which have knowledge. 3. The notification referred to in paragraph 1 must, as a minimum: a) describe the nature of the data security breach personal, including, where possible, categories and number approximate number of affected stakeholders, and the categories and approximate number of records of personal data affected; b) communicate the name and contact details of the delegate of protection of data or another point of contact where more information can be obtained; c) describe the possible consequences of the violation of the security of the personal information; d) describe the measures adopted or proposed by the person responsible for the treatment to remedy the data security breach personal data, including, if applicable, the measures adopted to mitigate the possible negative effects. 4. If it is not possible to provide the information simultaneously, and to the extent where it is not, the information will be provided gradually without undue delay. 5. The controller will document any violation of the security of personal data, including facts related to it, its effects and corrective measures taken. Such documentation will allow the control authority to verify compliance with the provisions of this article ”. Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data and by which repeals Directive 95/46 / EC (General Data Protection Regulation), (as successive RGPD) defines personal data security breaches as those incidents that cause the destruction, loss or accidental alteration or C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 27 27/35 illicit personal data, as well as the communication or unauthorized access to themselves. Since last 05/25/2018, the obligation to notify the Agency of gaps or security breaches that could affect personal data is applicable to any person responsible for the processing of personal data, which underlines the importance of all entities knowing how to manage them. In this sense, recital 87 establishes that: “It must be verified if all the appropriate technological protection has been applied and the appropriate organizational measures have been taken to determine immediately whether there has been a breach of personal data security and to report without delay to the supervisory authority and the interested party. It must be verified that the notification has been made without undue delay taking into account, in particular, the nature and seriousness of the violation of the security of personal data and its consequences and adverse effects for the interested party. Such notification may result in an intervention of the supervisory authority in accordance with the functions and powers established by this Regulation ”. Regardless of the internal actions that were carried out carried out by the respondent to manage the breach or security incident once the was made aware of it, the RGPD establishes that in the event of a breach of the security of personal data, the data controller will notify the competent supervisory authority without undue delay and, if possible, at the latest 72 hours after you are aware of it, unless unlikely that said security breach constitutes a risk to the rights and freedoms of natural persons. The GDPR also establishes the cases in which a security breach is must communicate to the affected party, specifically when it is likely that the breach of security of personal data entails a high risk for the rights and freedoms of natural persons. Both the notification to the competent control authority and the Communication to the data subject are obligations of the data controller, although You can delegate their execution to other figures. Therefore, what underlies this obligation is a broader duty and that urges the person in charge to implement an incident management procedure security that affect personal data adapted to the characteristics of the treatment. Therefore, a key element of any policy regarding Data security is being able, to the extent possible, to prevent a breach and, when despite everything, react quickly. The RGPD indicates that breaches are those incidents that cause the destruction, loss or accidental or illegal alteration of personal data, as well as the unauthorized communication or access to them. In the case examined, the documentation provided in the file is provide clear indications of the existence of a provoked security incident and suffered in the entity's systems, classified as a breach involving access unauthorized user data, specifically information related to data personal, bank cards, numbering, expiration date and CVV that could be C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 28 28/35 have been used for the commission of fraudulent operations and that in accordance with with what is indicated in the previous foundation, it would violate article 32.1 of the RGPD, Security of the treatment , of which the claimed by the communication received from financial institutions causing the activation of the incident responses (PRI) the next day. The defendant adopted the decision to notify this supervisory authority of the security bankruptcy detected on 11/27/2018, through the form enabled in electronic office but the online procedure made it impossible to present it, so It had to be done the next day, 11/28/2018 in person. It is true, as the representation of the defendant states that there was notification of the bankruptcy, although it was carried out extemporaneously 41 days after it was known clearly infringing the provisions of article 33 of the RGPD that establishes the obligation to notify the supervisory authority without delay undue and, no later than 72 hours after you have had proof of it. The defendant justifies the late notification made because there was no sufficient knowledge of the nature or extent suffered and that would have affected personal information. However, such allegation cannot be admitted since the person responsible for the treatment had clear evidence that such a violation had occurred and there was no room for doubts that he was aware of this as a result of the Bank's notification Popular the *** DATE.1 that I cause as previously indicated the activation of the incident response plan the next day. This is how it appears in the IBM report “In October 2018, GLOBALIA was informed by the credit card companies credit that a large number of credit cards, about 4,000, had been used to commit fraud ”. In addition, if what the defendant himself points out in his brief of date 01/22/2019 where he states that the bankruptcy was resolved on 11/17/2018, Why didn't you notify it before? Furthermore, in the risk analysis carried out regarding the need or not to notification to the Agency, in conclusions, it is stated that “Applying the methodology of analysis of the AEPD to the current incident (Annex 1), both the quantitative result and the qualitative ones exceed the notification threshold to the AEPD ... " On the other hand, the investigations and analyzes carried out by the entity do not classified the incident as high risk for the rights and freedoms of interested parties, so the bankruptcy, which affected 1,500,000 data records approximately and approximately 489,000 users, those affected were not notified since there were only 20 requests for information from clients responding to all of them. In the conclusions of risk analysis above, it is stated that “In relation to the notification to interested parties and according to the AEPD analysis methodology (Annex 1), the quantitative result would not exceed the threshold established for such notification (30 vs. 40), while the threshold qualitative, yes, it would be surpassed ”. In accordance with the preceding paragraphs, the action of the claimed supposes the violation of 33.1 of the RGPD, an offense typified in its article 83.4.a) of the same legal text. IX C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 29 29/35 The violation of articles 32.1 and 33 of the RGPD are typified in Article 83.4.a) of the aforementioned RGPD in the following terms: "4. Violations of the following provisions will be sanctioned, in accordance with with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43. (…) For its part, the LOPDGDD in its article 71, Infractions, states that: “The acts and conducts referred to in sections 4, constitute offenses. 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those resulting contrary to the present organic law ”. And in its article 73, for the purposes of prescription, it qualifies as "Infractions considered serious ”: "Based on the provisions of article 83.4 of Regulation (EU) 2016/679 are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with required by article 32.1 of Regulation (EU) 2016/679 ”. r) Failure to comply with the duty to notify the protection authority of data from a personal data security breach in accordance with the provided for in article 33 of Regulation (EU) 2016/679. Accredited facts show the existence of a security breach in the systems of the claimed allowing their vulnerability causing access not authorized and illegal to information related to customers in relation to their cards bank, numbering, expiration date and CVV that could have been used to the commission of fraudulent operations, which together with the untimely notification of the aforementioned breach or security incident implies the violation of articles 32.1 and 33 of the GDPR. X In order to establish the administrative fine to be imposed, they must observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which they point out: "1. Each supervisory authority will guarantee that the imposition of fines administrative under this article for the infractions of this Regulations indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 30 30/35 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute title for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well as the number of affected stakeholders and the level of damage and damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge of the treatment, taking into account the technical or organizational measures that have applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to put remedy the violation and mitigate the possible adverse effects of the violation; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified the infraction and, in such case, what extent; i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or the person in charge in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the infringement. In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offense. b) The linking of the activity of the offender with the performance of treatments of personal data. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the offense. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 31 31/35 e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a delegate for the protection of data. h) The submission by the person in charge or in charge, with the character voluntary, to alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested." In accordance with the provisions transcribed for the purpose of setting the amount of the sanction to be imposed in the present case for the infractions typified in article 83.4.a) of the RGPD for which AIR EUROPA is responsible, they are considered concurrent the following factors: - In relation to the violation of article 32.1 of the RGPD typified in the Article 83.4 of the aforementioned Regulation: The nature and severity of the offense given its not merely local scope of the declared security breach, but quite the opposite since they have been able to see compromised personal data not only of nationals but also foreigners, without forgetting the high number of people, clients, potentially affected by the itself (489,000) and the number of records affected (1,500,000); in the IBM report of 12/20/2018 it was stated that “GLOBALIA was informed by the companies of the credit cards that a large number of credit cards, about 4,000, had been used to commit fraud ”,“ Although IRIS has not been able to confirm how it managed to the attacker exfiltrating information from the GLOBALIA network or what was exfiltrated, having account of the limitation of records, what IRIS has confirmed is that the attacker had collected at least 488847 unique credit cards "and in the report of *** COMPANY.3 provided by the complainant on 11/14/2019 stated that “The *** COMPANY.3 investigation identified more than 2.7 million card numbers the only ones that had been extracted from the database systems by the attacker ”; the category of data affected by the infringement, without forgetting the damages suffered by some of the customers. The degree of responsibility of the person responsible for the treatment, taking into account the technical or organizational measures applied and that were violated. Thus , *** COMPANY.2 points out that “…, the attacker took advantage of 59 .- [………] to get access the network for the first time ”, that “ Every system exposed to the Internet, 60.- [………] “…, Subsequent investigations of the accounts compromised by the attacker, *** SERVICE.1 , revealed that it was using a password that did not meet the requirements of complexity and length in line with industry best practice, which would have made it easier for the attacker to compromise this account. " *** EMPRESA.3 in its report states that “ The intrusion probably had its origin in insecure systems available through the internet. *** COMPANY.3 identified several devices that had not been patched regularly… ”, But the claimed entity itself has indicated that "In relation to the systems of AIR EUROPA, there were no specific measures, such as encryption or tokenization, to protect the data accessed by attackers. However, the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 32 32/35 Information accessed by the attackers does not include sensitive information such as special categories of personal data, postal addresses or phone numbers telephone, passport or ID number or date of birth. This sensitive information is not stored together with bank card information as a measure of security. As a result, it is very difficult to identify unique individuals within the data set." The categories of personal data that have been affected as a consequence of the infringement, since the identification data must be joined banking and financial, consequence of access to cards, with a purpose clearly fraudulent. In the audit report carried out by *** COMPANY. 2 of 12/20/2018 it is stated that “In October 2018, GLOBALIA was informed by the credit card companies that a large number of credit cards, some 4,000 had been used to commit fraud. The stolen data included personal and financial data of GLOBALIA clients who made reservations and modifications in *** URL.1 ” (the underlining corresponds to the AEPD). The way in which the infringement has been known as it was due to a communication from BANCO POPULAR, and as indicated in the previous paragraph by credit card companies, without the respondent having had proof of the intrusion and access committed that began on 05/12/2018. The continuing nature of the offense in the sense interpreted by the National High Court as a permanent offense, since since the security incident until the breach was detected a period of time of several months. The activity of the allegedly infringing entity is linked to the data processing of both clients and third parties; the aforementioned is known relationship since the entity by its activity is in permanent contact with clients and third parties dealing with a large volume of data, which imposes a greater duty of care. The business volume of the claimed as it is one of the company leader within the Spanish market, in its air transport business object; the claimed is part of the business holding Globalia Corporación Empresarial SA and of which a large number of companies are part, having had income annual of € 2,367,061,000 (2018) and € 2,130,517,000 (2019) and a result of exploitation of € 82,921,000 (2018 and 93,984,000 (2019) as stated on the page corporate group website and according to the latest BORME publication on 12/30/2020 a share capital of € 17,923,050. For all these reasons, a sanction amount is established for violation of the Article 32.1 of the RGPD of 500,000 euros. In relation to the circumstances of the responsibility, the complainant has alleged that the application of the mitigating circumstances, considering that if the offense is understood to have been committed of article 32.1, the following extenuating circumstances should apply: the the low severity of the incident and the low level of damage caused; measures taken by the person responsible to alleviate the damages suffered; The cooperation with the control authority and the lack of benefits obtained. However, such a claim cannot be accepted; the circumstances Aggravating factors that have been taken into account are those that concur in the present case. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 33 33/35 Regarding the seriousness of the offense, it already concurs as an aggravating grading of the sanction for infraction of article 32.1: "The nature and gravity of the breach given its non-merely local scope of the security breach declared, but quite the opposite since data has been compromised personal character not only of nationals but foreigners, without forgetting the high number of people, clients, potentially affected by it (489,000) and the number of records affected (1,500,000); in the report of *** COMPANY. 2 of 12/20/2018 it was stated that ... " In addition, it is striking that the offense is classified as low severity committed when the LOPDGDD itself in its article 73 considers it for the purposes of prescription as a serious offense and when it is evident and palpable the lack of diligence in the application of appropriate technical measures and organizational, lasting from 05/12/2018 date of first access until Appropriate measures were implemented at the request of the contracted companies. Regarding the low level of damages caused as a consequence of the offense, it is not predicable to the present case where there are also injured parties, but Even if there were not, we are faced with the infringement of a fundamental right and the high degree of intrusion into the privacy of customers must be taken into account this being enough damage for them. Even more striking is the request that the adoption of measures taken by the person responsible to alleviate damages and cooperation with the supervisory authority, when they are nothing but legal obligations that must be required of any person responsible and in charge of the treatment and, more when, as indicated above, the lack of diligence in the application of the same to prevent unauthorized access, although it is true that their non-compliance could lead to its application as aggravating factors. And as for the absence of benefits, it is inappropriate; the GDPR is refers to the benefits obtained as a result of the commission of the offense, not that the absence of benefits should be considered as mitigating. Therefore, evaluating the concurrent circumstances and taking into consideration especially those that operate as aggravating factors and that have been analyzed above, the penalty imposed by infringement of article 32.1 of the RGPD, given the seriousness of the events that occurred - In relation to the violation of article 33 of the RGPD typified in article 83.4 of the aforementioned Regulation: The serious lack of diligence in complying with the obligations imposed by data protection regulations, making an extemporaneous notification of the security bankruptcy to which he was bound. The way in which the infringement has been known as it was due to a notification from BANCO POPULAR and by credit card companies, without the respondent would have had evidence of the intrusion and access committed that started on 05/12/2018. The activity of the allegedly infringing entity is linked to the data processing of both clients and third parties; the aforementioned is known C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 34 34/35 relationship since the entity by its activity is in permanent contact and deals with a large volume of data, which imposes a greater duty of care. The business volume of the claimed as it is one of the company leader within the Spanish market, in its business object. For all these reasons, a sanction amount is established for violation of the Article 33 of the RGPD of 100,000 euros. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE AIR EUROPA LINEAS AÉREAS SA, with CIF *** CIF.1 , for an infringement of article 32.1 of the RGPD, typified in Article 83.4.a) of the RGPD, a fine of € 500,000 (five hundred thousand euros). SECOND: IMPOSE AIR EUROPA LINEAS AÉREAS SA, with CIF *** CIF.1, for an infraction of article 33 of the RGPD, typified in article 83.4.a) of the RGPD, a € 100,000 fine (one hundred thousand euros). THIRD: NOTIFY this resolution to AIR EUROPA LINEAS AÉREAS SA FOURTH: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the Agency Spanish for Data Protection in the banking entity CAIXABANK, SA. In case Otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 35 35/35 counting from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es