ANSPDCP (Romania) - Altex Romania

From GDPRhub
Revision as of 11:55, 18 November 2024 by Maxinescu (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=Altex Romania |ECLI= |Original_Source_Name_1=Romanian DPA |Original_Source_Link_1=https://dataprotection.ro/?page=Comunicat_Presa_18.11.2024&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lang...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - Altex Romania
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 18.11.2024
Fine: 20,000 EUR
Parties: n/a
National Case Number/Name: Altex Romania
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

The Romanian DPA fined Altex Romania for failing to implement sufficient security measures as required under Article 32(1)(b) and Article 32(2) GDPR. This failure allowed unauthorized access to client accounts through two separate data breaches. As a consequence, the DPA imposed a fine of 99,516 lei (20,000 EUR) and corrective measures to improve data security and prevent future incidents.

English Summary

Facts

The investigation by the DPA began after Altex Romania reported two data breaches. The first breach involved a notification from a third party alerting Altex Romania that client accounts, including names, emails, passwords, delivery addresses, phone numbers, order histories, payment card details, and customer communications, were exposed on a platform. The second breach was a "credential stuffing" attack involving repeated login attempts on client accounts to place unauthorized gift card orders. This breach affected similar personal data, including login credentials and financial information.

Holding

The DPA concluded that Altex Romania failed to implement adequate security measures to prevent unauthorized access, violating Article 32(1)(b) and Article 32(2) GDPR. The breaches exposed client data, leading the DPA to mandate the following corrective measures: • Implement new device login alerts, display logged-in devices in accounts, and enforce complex password policies with expiration intervals for all client accounts. • Establish a system to monitor inbound and outbound internet traffic on authentication platforms for all managed e-commerce sites and applications.

Comment

The Romanian DPA does not typically publish full decisions, but this case stands out as more detailed, specifying corrective actions rather than general recommendations to ensure GDPR compliance through adequate technical and organizational measures.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

18.11.2024

Penalty for non-compliance with the GDPR

The National Supervisory Authority for the Processing of Personal Data completed, in October 2024, an investigation at the operator Altex România S.A. and found a violation of the provisions of art. 32 para. (1) lit. b) and of art. 32 para. (2) of Regulation (EU) 2016/679 (GDPR).

As such, the operator was fined 99,516 lei, the equivalent of 20,000 EURO.

The investigation was started as a result of the fact that Altex România S.A. sent two notifications to the National Supervisory Authority regarding the occurrence of personal data security breaches, as follows:

a) The operator was informed by email by a third party about the fact that some accounts of the operator's customers were published on a platform, the personal data of a very large number of concerned persons being affected, respectively: name, surname , email, altex.ro account password, information available in the customer account, such as delivery address, no. telephone, order history, data related to the cards with which the online payment is made, communications in the relationship with the operator;

b) The operator found that it was the victim of a "credential stuffing" computer attack, through repeated attempts to validate passwords on some customer accounts for placing gift card orders; it was stated that the following personal data were affected, for an approximately significant number of concerned persons: identification data for logging into the customer account: name, first name, email address, customer account access password, financial data related to bank cards registered in the application/site.

During the investigation, it was found that the operator Altex România S.A. did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk presented by the processing, in order to prevent illegal access to the accounts of the operator's customers. This led to the unauthorized access to the personal data of a very large number of the operator's customers by means of two distinct computer attacks involving the taking over of some accounts.

At the same time, pursuant to art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the following corrective measures were ordered:

- The technical and procedural implementation of the following measures to reduce the risk of breaching the confidentiality of personal data through a computer attack on the authentication platforms in customer accounts on all managed e-commerce sites/applications: new device login notification, device display account logins, complexity policy and password history on all customer accounts with a pre-set expiration interval;

- Technical and procedural implementation of a system for monitoring incoming and outgoing Internet traffic (inbound/outbound) executed on authentication platforms in customer accounts on all managed e-commerce sites/applications.

Legal and Communication Department

A.N.S.P.D.C.P.