HDPA (Greece) - 10/2024

From GDPRhub
HDPA - 10/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: 2,955,140 EUR
Parties: Hellenic Post
National Case Number/Name: 10/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Iliana Papantoni

The HDPA imposed a fine of 3,995,140 € on the Hellenic Post (hereinafter “ELTA” or the “controller”) for violation of Articles 5(1)(f) and 32 GDPR, following its personal data breach notifications.

English Summary

Facts

1st incident: On 23.03.2022 ELTA notified a personal data breach to the HDPA relating to the encryption of software on its systems as the result of a malicious attack.

On 19.05.2022 the HDPA, after examining the notification, requested a description of the actions taken to investigate and address the personal data breach, the actions taken to notify the data subjects concerned or any third party, and any other relevant detail.

On 01.06.2022 and 02.06.2022 ELTA responded to the HDPA’s request by e-mail, including a cybersecurity incident report and the following information: i) the controller had informed the public about the personal data breach and the actions taken; ii) the controller had announced the incident internally; iii) the controller had informed international bodies, e.g., International Post Corporation, PostEurop, etc.; iv) the controller had also informed national authorities, such as the Hellenic Authority for Communication Security and Privacy; v) the controller had informed the company "Water Supply and Sewerage Limited Liability Company” (EYDAP) (ELTA acts as a processor on its behalf), which had separately notified the HDPA; and vi) a supplementary notification had been submitted, including new information which emerged during the investigation.

On 21.06.2022 the HDPA requested copies of the policies and procedures adopted by ELTA and further details on how such policies and procedures are implemented.

On 06.07.2022 ELTA shared with the HDPA: i) a systems & data security policy; and ii) a privacy by design and by default policy.

2nd incident: On 27.07.2022 ELTA notified a personal data breach to the HDPA (a supplementary notification was submitted on 29.12.2022) relating to the leakage of personal data that had been published on the dark web as a consequence of the abovementioned incident.

On 26.01.2023 the HDPA requested the onion-domain hyperlinks of the Vice Society group on which the personal data relating to the case were posted, and any supplementary report available on the matter.

On 21.02.2023 ELTA shared with the HDPA the following documents: i) the group's dark web hyperlink through which the personal data can be accessed (http://vsociet***.onion/); ii) an investigation report by Netbull, stating that the ransomware group Vice Society had posted data related to the attack on the website it maintains on the dark web (Hacker Forum); and iii) a detailed analysis of the files posted on the website, listing subfolder name, file name, file category, category of data subject, type of personal data and description.

Hearing before the HDPA: The HDPA invited the controller to a hearing on 29.11.2022. The hearing was ultimately held on 06.06.2023. The controller argued that: i) at the time of the cyberattack, the controller was facing financial difficulties; ii) the cyberattack took place at 1:30 a.m. and was detected at 6:30 a.m., and following confirmation of the threat the system was taken offline and a process of investigation, logging, categorisation, classification and notification of the parties involved was initiated; iii) training of the staff had started; iv) following the incident, significant resources were made available to strengthen the security of the system; v) there were no alerts from the Windows Management Instrumentation Command (WMIC) due to a network connection failure; vi) the majority of systems were recovered from backups (magnetic tapes) that had not been encrypted and from copies located outside the infrastructure under attack; and vii) as soon as the cyberattack was detected, the controller informed its corporate customers (acting as controllers or processors).

Holding

The HDPA found that ELTA: i) had not implemented appropriate technical and organisational measures; ii) had not implemented appropriate data protection policies; and iii) had not ensured the confidentiality, availability and resilience of its processing systems and services, nor the integrity of its processes for regular testing.

In order to calculate the fine, the HDPA took into consideration the following: i) the number of data subjects affected; ii) the level of damage; iii) the fact that a breach of the controller's system took place, with unauthorised access to resources, installation of malicious software and disclosure of data on the dark web; iv) the failure to implement the security policy, the failure to ensure that data was accessed only by authorised users, insufficient technical documentation on the collection of domain passwords, and underutilisation of the protection mechanisms' warnings about unusual activity; v) the categories of personal data affected (personal data of particular significance, e.g., financial data, employees’ data, etc.); and vi) the fact that historical application data was not recovered and no measures were taken to limit the uploading of data to the dark web.

The HDPA took into account the following mitigating factors: i) following the incidents, the system security was strengthened; ii) there was no leakage of special categories of personal data; iii) a significant part of the data volume was restored from backups and service availability was restored; and iv) the controller submitted an additional notification of the incident which included detailed information about the leakage of personal data to the dark web.

Following the above, the HDPA imposed a fine of 3,995,140 € on the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.