AEPD (Spain) - EXP202210465

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 16.09.2022
Decided: 05.12.2024
Published:
Fine: 1,300,000 EUR
Parties: n/a
National Case Number/Name: EXP202210465
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ao

The DPA fined Telefonica Espana €1,300,000 for a data breach affecting more than a million people and their data connected to wifi routers.

English Summary

Facts

On 16 September 2022 the controller detected the data breach, which resulted from a cyberattack. Up to 4 million requests per day had been made using the credentials of a single employee based in Lithuania, against a usual volume of around 55,000 requests per day. The employee's credentials were nevertheless not blocked until four days later, because the employee had been on holiday and could only then confirm that they were not the source of the requests. Following the employee's statement, the controller investigated the incident.
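The detection point in this case is the gap between a request volume roughly 70 times the normal daily figure and the credential lock four days later. As an added illustration, not code from the decision or from the controller, the following Python aggregates per-account daily request counts from a constructed access log (a made-up line format) and flags any account whose count on a given day exceeds a multiple of that account's own prior median. The account names, the day values and the factor of 10 are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median


def make_sample_log():
    """Constructed sample log: three operator accounts with ordinary daily
    volumes, and one account (ops-c) whose volume explodes on 2022-09-16.
    The format 'TIMESTAMP account=NAME action=VERB' is invented here."""
    schedule = [
        ("2022-09-14", {"ops-a": 50, "ops-b": 60, "ops-c": 55}),
        ("2022-09-15", {"ops-a": 52, "ops-b": 58, "ops-c": 54}),
        ("2022-09-16", {"ops-a": 51, "ops-b": 57, "ops-c": 3800}),
    ]
    lines = []
    for day, counts in schedule:
        for account, n in counts.items():
            for i in range(n):
                lines.append(f"{day}T08:{i % 60:02d}:00Z account={account} action=router_lookup")
    return lines


def daily_counts(lines):
    """Map day -> Counter(account -> number of requests)."""
    counts = defaultdict(Counter)
    for line in lines:
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        counts[timestamp[:10]][kv["account"]] += 1
    return counts


def flag_bursts(counts, day, factor=10):
    """Return {account: (count_on_day, baseline)} for accounts whose request
    count on `day` exceeds `factor` times their median count on earlier days.
    An account with no history is compared against the fleet median for `day`,
    so a brand-new account cannot escape the check."""
    history = sorted(d for d in counts if d < day)
    flagged = {}
    for account, n in counts[day].items():
        prior = [counts[d][account] for d in history if account in counts[d]]
        baseline = median(prior) if prior else median(counts[day].values())
        if n > factor * baseline:
            flagged[account] = (n, baseline)
    return flagged


if __name__ == "__main__":
    log = make_sample_log()
    for account, (n, baseline) in flag_bursts(daily_counts(log), "2022-09-16").items():
        # A hit here is the trigger for an automatic credential lock pending review,
        # rather than waiting for the account holder to confirm the activity.
        print(f"{account}: {n} requests vs baseline {baseline}")
```

The per-account baseline is what matters: a fixed fleet-wide threshold would let a small number of accounts drift upward unnoticed, whereas a 70-fold jump against an account's own history is unambiguous and can safely trigger an automatic lock that a human later reviews.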

The personal data of customers of two of the controller's subsidiaries, Movistar and O2, were affected. The data accessed comprised phone numbers, technical data on wifi connections and personal devices, and account access credentials (username and password). The compromised database, the "eDomus portal", was used to manage customers' wifi routers and held data on more than a million customers.

After detecting the breach, the controller asked its customers to change their passwords. The controller denied responsibility for the cyberattack on the ground that it was unforeseeable. Crucially, it argued that the leaked data were neither sensitive nor of major importance, as they mainly comprised technical data. The controller further disputed that a landline number constitutes personal data.

Holding

The AEPD concluded that the controller had failed to comply with the risk-based approach to data security and with the principle of proactive responsibility. Given the volume of personal data processed and the number of people affected, the controller had acted with serious negligence.

The AEPD rejected the controller's argument that a landline number cannot be personal data. It also rejected the argument that the leaked data were not of vital importance, holding that the leak could lead to a total loss of control over the data and that the data could be used to commit offences such as theft, identity fraud or other financial crimes. The AEPD stated that if the controller had implemented two-step verification for access to the database, a very common measure, the cyberattack could have been prevented.

The AEPD set a fine of €800,000 for processing data without ensuring adequate security under Article … It set a further fine of €500,000 under Article 32 GDPR for failing to apply technical and organisational measures that would have minimised the risk of the cyberattack.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.