AEPD (Spain) - E/03003/2020

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided:
Published:
Fine: None
Parties: Gureak Lanean SA
National Case Number/Name: E/03003/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The AEPD did not find a violation of Article 32(1) GDPR regarding a data breach communicated by Gureak Lanean SA, as they concluded that the company had implemented appropriate technical and organisational measures to ensure an adequate level of security.

English Summary

Facts

A company called Gureak Lanean suffered an attempted hack of its servers. The attacker accessed data stored on several servers, although according to the company only a small amount of information was sent to the outside. The AEPD did not receive any complaint from any affected data subject.

Dispute

Was this data breach a violation of Article 32(1) GDPR?

Holding

The AEPD concluded that there was no violation of Article 32(1) GDPR because the company had implemented appropriate technical and organisational measures to ensure a level of security: it had protocols in place in case of a breach, reacted quickly, and has already taken measures to prevent breaches from happening in the future.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: E/03003/2020

RESOLUTION ON THE FILING OF PROCEEDINGS

From the actions carried out by the Spanish Agency for Data Protection, and based on the following

FACTS

FIRST: The entity GUREAK LANEAN SA informed the Spanish Agency for Data Protection that, on *** DATE.1, it detected a blocked access, after ten unsuccessful login attempts, from an internal server on the network to the NAS (network attached storage) server. On reviewing the incident, it was verified that the access attempt was made with an Administrator profile of one of the company's two domains and that the access was not carried out by the entity's staff, so they consider that there has been a security breach that has compromised passwords. The notification states that there may be about 500 people affected (customers and suppliers) and that economic and health data may be involved.

On February 12, 2020, an additional notification was received from GUREAK LANEAN SA stating that on February 9 at 5:30 p.m. they detected the creation of a user with an Administrator profile. They also state that accesses were made using the Administrator profile of the entity's other domain as well, together with searches in Active Directory (a Microsoft service that stores information about objects on the network, including information on user accounts), with access to the name, surname, department and position of some users. This notification states that 23044 data records may be affected.

On February 12, 2020, 11 notifications of security breaches were received stating that GUREAK LANEAN SA, in its capacity as data controller, had notified the senders of unauthorized access to its servers. The following entities have reported the breach as responsible parties:

- GUREAK GARBITASUNA SLU. Number of data records affected: 674.
- GUREAK BERDEA SLU. Number of data records affected: 156.
- GUREAK ZERBITZUGUNEAK SLU. Number of data records affected: 97.
- GUREAK OSTALARITZA SLU. Number of data records affected: 137.
- GUREAK ZERBITZU ANITZAK SLU. Number of records affected: 203.
- GUREAK ARAN SLU. Number of data records affected: 56.
- GERONTOLOGICO DE RENTERIA SLU. Number of records affected: 131.
- GUREAK ARABA SLU. Number of data records affected: 351.
- GUREAK NAVARRA SLU. Number of data records affected: 181.
- GUREAK IKUTTEGIA SL. Number of data records affected: 123.
- GOYENECHE DE SAN SEBASTIAN FOUNDATION. Number affected: 336.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/8

GUREAK MARKETING SLU

On February 12 and April 3, 2020, two notifications were received from the company GUREAK MARKETING SLU stating that they learned of the breach described above through the company's computer verification system. The latter notification attaches two sets of minutes of the extraordinary meetings of the GUREAK MARKETING SLU privacy committee, dated February 12 and 27, 2020, on the security breach.

The Minutes of February 12 state that GUREAK LANEAN is a Group company and acts as the party in charge of processing for GUREAK MARKETING with regard to infrastructure and data processing, and that they have verified that the security incident has affected this entity's infrastructure in a similar way to the GUREAK MARKETING infrastructure. They also report that the company INTEGRATED TECHNOLOGY SYSTEMS SL (hereinafter ITS), a supplier of cybersecurity services, will prepare a technical report on the security breach together with GUREAK LANEAN. The number of potentially affected persons at GUREAK MARKETING amounts to 371 employees, with basic, identification, economic/financial, contact, location and health data.

The Minutes of February 27 set out the report prepared by ITS, with the following conclusions:

- The intrusion occurred through a server with a wrong configuration in the Firewall (a computer system whose function is to protect the private network from intrusions or attacks from other networks by blocking their access).
- The first failed attempts date from January 30, 2020.
- The IP addresses are located in *** COUNTRY. 1.
- Only an attempt to access two GUREAK MARKETING servers has been verified, and it was denied.
- It has not been verified that there were effective accesses to, or extraction of data from, GUREAK MARKETING.

The same Minutes also state that a report prepared by GUREAK MARKETING is attached, which shows that, after carrying out internal checks, no access to and/or extraction of GUREAK MARKETING data has occurred.

On July 3, they sent additional information on the breach, attaching follow-up minutes dated June 26 and a report from ITS and GUREAK LANEAN in which they rule out access to and/or leakage of personal data.

On July 16 and 17, all the entities that notified the breach referenced above sent a full notification on the breach, informing the Agency that it has been found that there was no access to personal data.

SECOND: On March 23, 2020, the Director of the Spanish Agency for Data Protection ordered the Subdirectorate General for Data Inspection to assess the need to carry out the appropriate preliminary investigations in order to determine a possible violation of data protection regulations, having knowledge of the following points:

Notification date of the personal data security breach: February 11, 2020.

INVESTIGATED ENTITY

GUREAK LANEAN SA with NIF A20044590 and address at *** ADDRESS. 1 (Guipúzkoa)

RESULT OF THE INVESTIGATIVE ACTIONS

As stated on the website *** URL.1, GUREAK is a Basque business group that generates and manages stable and suitably adapted job opportunities for people with disabilities, primarily people with intellectual disabilities, in Gipuzkoa.

1.- On May 21, 2020, a written request for information was sent to GUREAK LANEAN SA, whose reply also refers to the rest of the Group companies. The following is clear from the response received:
    Regarding the company.

    - GUREAK LANEAN is the sole owner and/or administrator of some of the referenced companies. The companies share facilities, administrative services, infrastructure, service providers and so on, although they are independent legal persons.
    - GUREAK LANEAN has signed a service provision contract with each of the companies, in which GUREAK LANEAN acts as data controller and the rest of the companies act as data controllers. They have provided a contract with GUREAK GARBITASUNA SLU dated January 3, 2019 and state that a single contract model is used (Annex 1).

      The processing activities listed include, among others:

           o Maintenance of computer systems
           o Development and maintenance of applications
    - Information systems are centralized at the Group's headquarters offices. The work centers are interconnected with headquarters in order to use the available services and centralize the information managed from the centers.

      The connection is made through a dedicated fiber line. This private interconnection network has a Firewall to secure Internet access from all the branch offices.

      The headquarters also has a Firewall in order to control access from the branch offices, allowing access only to the necessary services and communications, and securing the headquarters' Internet access.

      The servers are housed in two CPDs (data processing centers).
      Information on the infrastructure, networks and software is classified as CONFIDENTIAL.
    - GUREAK LANEAN has signed a service provision contract with INTEGRATED TECHNOLOGY SYSTEMS (ITS) dated February 25, 2019, under which the latter company carries out computer maintenance (Annex 9).

    Regarding the chronology of events and the measures taken to minimize the impact of the breach

    The entity has provided a report prepared for this purpose (Annex 3, CONFIDENTIAL), which states:

    - On Saturday *** DATE 1, a piece of computer equipment sends an alert by email to the support address indicating that several access attempts have been made from a server. Access was blocked after the wrong password was entered several consecutive times.
    - On Sunday, February 9, a systems technician reviews the alert in order to verify why a device is being accessed, since this is not a usual access. On verifying that the company's Security Manager was not the one trying to access it, the equipment is turned off as a first preventive measure. The technician also checks whether other computers were accessed at similar times, detecting failed login attempts with an administrator user.

      The passwords of the administrator user, of the Security Manager and of the rest of the administrator accounts on all systems are changed immediately.

      It is verified that there has been no encryption, but a strange process is detected running on some servers, so its execution is stopped immediately.

      It is detected that one of the servers has a fraudulent active connection, so it is turned off and the Internet connection is closed at the Firewall as a precautionary measure.

      As an additional measure, an email is sent asking the entire organization to change its passwords in case they have been compromised.

    - On Monday, February 10, with the ITS security company, which manages the firewalls, a bad configuration is detected in the Firewall that allowed access from the outside. The server that gave access had been turned off since the day before. It is concluded that the intrusion is closed and there is no unauthorized connection.

      Throughout the week, a forensic analysis of the intrusion is carried out and the compromised machines are recovered.

      Administrator passwords are changed again, twice in a row, as an additional precautionary measure.

      No anomalous accesses or creation of fraudulent users are detected.
    - On Tuesday, February 11, users are again required to change their password.
    - On Wednesday, February 12, they notify the AEPD of the security breach because of the type of information held on the affected servers, although there is no evidence that personal data has been compromised; for this reason they decide not to communicate the breach to the possibly affected persons.

      It is decided to report the facts to the Ertzaintza (Annex 19).
    - On Monday, February 17, the intrusion was closed, with no leakage of information.
    - On Wednesday, February 19, the Firewall is migrated to another one.
    - On Thursday, April 9, the second ITS technical report is received, which finds that, after the analysis carried out, there has been no leakage of information.
    - On April 28, the automated review (vaccination) of all the servers already checked manually is carried out. No unusual activity is detected.

    Regarding the causes that made the breach possible

    - The ITS provider replaces the Firewall with a new one.
    - This Firewall allowed the attempt to connect via remote desktop with an administrator password that was found to be weak; the hacker must have used a password cracking technique and was then able to connect to the rest of the computers.

    Regarding the affected data.

    - The forensic reports commissioned from an external company and those prepared by GUREAK LANEAN's own IT technicians state that there is no evidence that any personal data has been affected. For this reason, they consider that there have been no consequences for the possibly affected persons, since no data has been extracted to the outside. (Annex 6, the minutes dated February 12, 2020; Annex 7, the minutes of the Security Committee dated February 18; and Annex 8, the Minutes of February 28)
    - GUREAK LANEAN states that the intrusion was detected early and that the volume of information exchanged with the outside was low relative to the existing data volume. In addition, no unusual accesses were detected in the logs of the systems that hold personal data.
    - No disclosure of data has been found on the Internet, nor are they aware that a third party has accessed the Group's data.

    Regarding the actions taken for the final resolution of the breach
    GUREAK LANEAN has taken, among others, the following actions:

    - Review of all firewall rules
    - Firewall monitoring

    Information on the recurrence of these events and the number of similar events over time

    - GUREAK LANEAN states that this is the first time that an event of this kind has happened in its organization. There have been no similar previous cases.

    Regarding the security measures implemented prior to the breach

    - GUREAK LANEAN has provided the following documents:

           o Register of processing activities (Annex 10).
           o Risk Analysis (Annex 11).
           o Analysis of the need for impact assessment (Annex 12).
           o Security measures based on the ISO 27002 standard (Annex 13).
           o Information Security Policy (Annex 14).
           o Data Protection Policy (Annex 15).
           o Incident management and security breaches (Annex 16).
           o Audit Report on compliance with data protection regulations dated December 14, 2019 (Annex 17).


FOUNDATIONS OF LAW

I

In accordance with the investigative and corrective powers that Article 58 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and pursuant to Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to resolve these investigative actions.

II

The GDPR broadly defines "personal data security breaches" (hereinafter security breach) as "all those breaches of security that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to said data."

In the present case, it is established that there was a personal data security breach in the circumstances indicated above, categorized as a confidentiality breach, as a consequence of a bad configuration in the Firewall allowing access from the outside.


The investigative actions show that, prior to the security breach, the investigated entity had reasonable security measures in place in view of the possible estimated risks. It provides the Record of Processing Activities and the Risk Analysis, as indicated in the facts, and appropriate subsequent actions have been taken to avoid a repetition of the incident.

Likewise, it had action protocols to deal with an incident such as the one now analyzed, which allowed the diligent identification, analysis and classification of the personal data security breach, as well as a diligent reaction to it in order to minimize the impact and implement new reasonable and timely measures to avoid a recurrence of the incident in the future, through the implementation and effective execution of an action plan by the different figures involved, such as the data controller and the Data Protection Officer.

No complaints have been made to this Agency by third parties.

Consequently, it must be concluded that the investigated entity had reasonable technical and organizational measures in place to avoid this type of incident and that, where they proved insufficient, they have been diligently updated. Finally, it is recommended that a Final Report be prepared on the traceability of the event and an analysis assessing it, in particular regarding the final impact. This Report is a valuable source of information that should feed into risk analysis and management, and will serve to prevent the repetition of a breach with characteristics similar to the one analyzed, presumably caused by a one-off error.
III

In view of the actions carried out, it has been established that the conduct of GUREAK LANEAN, S.A., as the entity responsible for the processing, has been in accordance with the personal data protection regulations analyzed in the preceding paragraphs.

Therefore, in accordance with the above, the Director of the Spanish Agency for Data Protection

AGREES:

FIRST: TO PROCEED TO THE FILING of these actions.

SECOND: TO NOTIFY this resolution to GUREAK LANEAN, S.A. with NIF A20044590 and address at *** ADDRESS.1 (Guipúzkoa).

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by Art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of Arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day following notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned Law.

Mar España Martí
Director of the Spanish Agency for Data Protection