AEPD (Spain) - EXP202210465
| AEPD - EXP202210465 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR, Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 16.09.2022 |
| Decided: | 05.12.2024 |
| Published: | |
| Fine: | 1,300,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | EXP202210465 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | ao |
The DPA fined Telefonica Espana €1,300,000 for a data breach affecting more than a million people and their data relating to Wi-Fi routers.
English Summary
Facts
On 16 September 2022, Telefonica Espana, the controller, detected a data breach caused by a cyberattack. Personal data held by two of the controller's subsidiaries, Movistar and O2, was affected. The personal data accessed comprised phone numbers, technical data on Wi-Fi connections and routers, and account access credentials (username and password). The compromised database held data on more than a million customers and was used to manage the customers' Wi-Fi routers (the "eDomus portal").
Up to 4 million access requests per day had been made to the controller's internal system using the credentials of a single employee in Lithuania, against a usual volume of around 55,000 requests per day. This was detected on 16 September 2022. However, the employee's credentials were not blocked until four days later, on 20 September 2022, because the employee had been on holiday and could only then confirm that they were not making these requests. Following the employee's statement, the controller investigated the incident.
After detecting the data breach, the controller asked its customers to change their passwords. The controller denied responsibility for the cyberattack on the ground that it was unforeseen. Crucially, it argued that the leaked data was not sensitive or of major importance because it mainly comprised technical data. The controller further disputed that a landline number was personal data.
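The pattern in the facts above (one set of credentials suddenly generating orders of magnitude more requests than its usual daily volume) is exactly the signal a per-account volume baseline surfaces. The following Python script is an added example; it is not part of the GDPRhub summary, the AEPD decision, or any tooling of the controller. The log format, account names, thresholds and request counts are all constructed for illustration.

```python
"""Per-account request-volume anomaly check over access log lines.

Added example: the log format ("<ISO timestamp> <account> <action>"), the
account names, the daily counts and the thresholds are constructed and do
not come from the decision summarised on this page.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median


def daily_counts(log_lines):
    """Return {account: {date: request_count}} from log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments in the constructed log
        ts, account, _action = line.split(maxsplit=2)
        day = datetime.fromisoformat(ts).date()
        counts[account][day] += 1
    return counts


def flag_volume_anomalies(counts, review_day, factor=10, min_requests=20):
    """Flag accounts whose volume on review_day exceeds `factor` times their
    own median daily volume on earlier days.

    `min_requests` stops tiny counts from being flagged (an account going
    from 1 to 15 requests is noise, not a signal). Returns
    {account: (observed, baseline)} for every flagged account.
    """
    flagged = {}
    for account, per_day in counts.items():
        observed = per_day.get(review_day, 0)
        history = [n for d, n in per_day.items() if d < review_day]
        if not history or observed < min_requests:
            continue  # no baseline yet, or too few requests to judge
        baseline = median(history)
        if observed > factor * baseline:
            flagged[account] = (observed, baseline)
    return flagged


def build_sample_log():
    """Constructed log: three quiet days for two accounts, then a day on
    which 'ops-user-2' produces far more requests than its baseline."""
    lines = []
    history = {"alice": [3, 4, 3], "ops-user-2": [5, 6, 5]}
    for i, day in enumerate(("2022-09-13", "2022-09-14", "2022-09-15")):
        for account, per_day in history.items():
            for k in range(per_day[i]):
                lines.append(f"{day}T09:00:{k:02d} {account} router_lookup")
    # Review day: 120 requests against a median of 5 is the kind of jump
    # that should trigger suspension pending confirmation from the user.
    for k in range(120):
        lines.append(f"2022-09-16T10:{k // 60:02d}:{k % 60:02d} ops-user-2 router_lookup")
    for k in range(4):
        lines.append(f"2022-09-16T09:00:{k:02d} alice router_lookup")
    return lines


def review(log_lines, review_day):
    """Convenience wrapper: parse the log and flag anomalies for one day."""
    return flag_volume_anomalies(daily_counts(log_lines), review_day)


def run_demo():
    """Run the check over the constructed log for the constructed review day."""
    return review(build_sample_log(), date(2022, 9, 16))


if __name__ == "__main__":
    for account, (observed, baseline) in run_demo().items():
        print(f"{account}: {observed} requests on review day, "
              f"median baseline {baseline}")
```

The point of the check is the response it drives: an account flagged this way should be suspended at once and re-enabled only after the owner confirms the activity, rather than left active until the owner happens to be reachable. The factor and minimum-request values are starting points to tune against real traffic, not recommendations from the decision.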
Holding
The AEPD concluded that the controller had failed to comply with the risk-based approach to data security and the principle of accountability. The controller had acted with serious negligence in light of the amount of personal data processed and the number of people affected, which was 1,407,257.
The AEPD rejected the controller’s argument that a landline number cannot be personal data. It further rejected the controller's argument that the data leaked was not of vital importance and held that the leaked data could lead to a total loss of control and further that it could be used to commit offences such as theft, identity fraud or other financial crimes. The AEPD highlighted that if the controller had implemented two-step verification to access the database, a very common measure, the cyberattack could have been prevented.
The AEPD set a fine of €800,000 for processing data without ensuring adequate security, in breach of Article 5(1)(f) GDPR. Further, the AEPD set a fine of €500,000 for failing to apply technical and organisational measures which would have minimised the risk of the cyberattack, in breach of Article 32 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.