ANSPDCP (Romania) - Fine against Altex Romania S.A.
ANSPDCP - Altex Romania | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 32(1)(b) GDPR Article 32(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 18.11.2024 |
Fine: | 20,000 EUR |
Parties: | n/a |
National Case Number/Name: | Altex Romania |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Romanian |
Original Source: | Romanian DPA (in RO) |
Initial Contributor: | maxinescu |
The DPA fined Altex Romania 99,516 RON (20,000 EUR) for failing to implement sufficient security measures. This lead to unauthorized access to client accounts through two separate data breaches.
English Summary
Facts
The investigation by the DPA began after Altex Romania reported two data breaches. The first breach involved a notification from a third party alerting Altex Romania that client accounts, including names, emails, passwords, delivery addresses, phone numbers, order histories, payment card details, and customer communications, were exposed on a platform. The second breach was a "credential stuffing" attack involving repeated login attempts on client accounts to place unauthorized gift card orders. This breach affected similar personal data, including login credentials and financial information.
Holding
The DPA concluded that Altex Romania failed to implement adequate security measures to prevent unauthorized access, violating Article 32(1)(b) and Article 32(2) GDPR. The breaches exposed client data, leading the DPA to mandate the following corrective measures:
- Implement new device login alerts, display logged-in devices in accounts, and enforce complex password policies with expiration intervals for all client accounts.
- Establish a system to monitor inbound and outbound internet traffic on authentication platforms for all managed e-commerce sites and applications.
Comment
The Romanian DPA does not typically publish full decisions, but this case stands out as more detailed, specifying corrective actions rather than general recommendations to ensure GDPR compliance through adequate technical and organizational measures.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
18.11.2024 Penalty for non-compliance with the GDPR The National Supervisory Authority for the Processing of Personal Data completed, in October 2024, an investigation at the operator Altex România S.A. and found a violation of the provisions of art. 32 para. (1) lit. b) and of art. 32 para. (2) of Regulation (EU) 2016/679 (GDPR). As such, the operator was fined 99,516 lei, the equivalent of 20,000 EURO. The investigation was started as a result of the fact that Altex România S.A. sent two notifications to the National Supervisory Authority regarding the occurrence of personal data security breaches, as follows: a) The operator was informed by email by a third party about the fact that some accounts of the operator's customers were published on a platform, the personal data of a very large number of concerned persons being affected, respectively: name, surname , email, altex.ro account password, information available in the customer account, such as delivery address, no. telephone, order history, data related to the cards with which the online payment is made, communications in the relationship with the operator; b) The operator found that it was the victim of a "credential stuffing" computer attack, through repeated attempts to validate passwords on some customer accounts for placing gift card orders; it was stated that the following personal data were affected, for an approximately significant number of concerned persons: identification data for logging into the customer account: name, first name, email address, customer account access password, financial data related to bank cards registered in the application/site. During the investigation, it was found that the operator Altex România S.A. did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk presented by the processing, in order to prevent illegal access to the accounts of the operator's customers. This led to the unauthorized access to the personal data of a very large number of the operator's customers by means of two distinct computer attacks involving the taking over of some accounts. At the same time, pursuant to art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the following corrective measures were ordered: - The technical and procedural implementation of the following measures to reduce the risk of breaching the confidentiality of personal data through a computer attack on the authentication platforms in customer accounts on all managed e-commerce sites/applications: new device login notification, device display account logins, complexity policy and password history on all customer accounts with a pre-set expiration interval; - Technical and procedural implementation of a system for monitoring incoming and outgoing Internet traffic (inbound/outbound) executed on authentication platforms in customer accounts on all managed e-commerce sites/applications. Legal and Communication Department A.N.S.P.D.C.P.