| AEPD - E/03003/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | No Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | None |
| Parties: | Gureak Lanean SA |
| National Case Number/Name: | E/03003/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD decision (in ES) |
| Initial Contributor: | n/a |
The AEPD did not find a violation of Article 32(1) GDPR regarding a data breach communicated by Gureak Lanean SA, as they concluded that the company had implemented appropriate technical and organisational measures to ensure an adequate level of security.
English Summary
Facts
A company called Gureak Lanean suffered an attempt of hacking of their servers. The attacker accessed the data stored in several servers, although according to the company, only a scarce amount of information went to the outside. The AEPD did not receive any complaint from any affected data subject.
Dispute
Was this data breach a violation of Article 32(1) GDPR?
Holding
The AEPD concluded that there was no violation of Article 32(1) GDPR, because the company had implemented appropriate technical and organisational measures to ensure a level of security, as they had protocols in case of breach, had a quick reaction and has already taken measures to avoid breaches from happening in the future.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8
Procedure No.: E / 03003/2020
RESOLUTION OF ACTION FILE
Of the actions carried out by the Spanish Agency for Data Protection and
based on the following
ACTS
FIRST: The entity GUREAK LANEAN SA informs the Spanish Agency of
Protection of data that, dated *** DATE.1, detected a blocked access,
after ten unsuccessful login attempts, from an internal server on the network to the
NAS (network attached storage device) server. In reviewing the
incident, it was verified that the access attempt was made with a profile of
Administrator of one of the two domains of the company and the access was not executed
by people of the entity for what they consider that there has been a gap of
security that has compromised passwords. In the notification they indicate that you can
there are about 500 people affected (customers and suppliers) and there may be data
economic and health.
On February 12, 2020, an additional notification was received sent by GUREAK
LANEAN SA in which they show that on February 9 at 5:30 p.m.
have detected the creation of a user with an Administrator profile as well
state that accesses have been made using the Administrator profile as well
of the other domain also of the entity and searches in the active directory (service of
Microsoft that stores information about objects on the network, including
information on user accounts) with access to name and surname data,
department charge of some users. In this notification they indicate that you can
have 23044 data records affected.
On February 12, 2020, 11 notifications of security breaches were received
in which it is shown that GUREAK LANEAN SA, in its capacity as
data controller, has notified them of unauthorized access to their servers.
The following entities have reported the breach as responsible:
GUREAK GARBITASUNA SLU. Number of data records affected 674.
GUREAK BERDEA SLU. Number of data records affected 156.
GUREAK ZERBITZUGUNEAK SLU. Number of data records affected
97.
GUREAK OSTALARITZA SLU. Number of data records affected 137.
GUREAK ZERBITZU ANITZAK SLU. Number of records affected 203.
GUREAK ARAN SLU. Number of data records affected 56.
GERONTOLOGICO DE RENTERIA SLU. Affected registration number 131.
GUREAK ARABA SLU. Number of data records affected 351.
GUREAK NAVARRA SLU. Number of data records affected 181.
GUREAK IKUTTEGIA SL. Number of data records affected 123.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/8
GOYENECHE DE SAN SEBASTIAN FOUNDATION. Number of affected 336.
GUREAK MARKETING SLU
On February 12 and April 3, 2020, two notifications were received from the
company GUREAK MARKETING SLU in which it is shown that they had
knowledge of the gap described above through the computer system of
company verification. In this last notification, two minutes of the
extraordinary meeting of the privacy committee of GUREAK MARKETING SLU of
dates 12 and 27 February 2020 on the security breach
In the Minutes of February 12, it is stated that GUREAK LANEAN is a Group entity
company and acts as the person in charge of the treatment of GUREAK MARKETING in
regarding infrastructure and data processing and have verified that the incident
security has affected the infrastructure of this entity in a similar way to the
GUREAK MARKETING infrastructure. They also report the existence of
company INTEGRATED TECHNPLOGY SISTEM SL (hereinafter ITS) as supplier
cybersecurity services that together with GUREAK LANEN will develop a
technical report on the security breach. The number of potential affected
GUREAK MARKETING amounts to 371 employees with basic data, identification,
economic / financial, contact, location and health data.
In the Minutes of February 27, it is stated that the Report prepared by ITS with the
following conclusions:
The intrusion has been through a server with a wrong configuration in the
Firewall (computer system whose function is to prevent and protect the private network,
intrusions or attacks from other networks, blocking your access).
The first failed attempts are from January 30, 2020.
IP addresses located in *** COUNTRY. 1.
Only the attempt to access two GUREAK servers has been verified
MARKETING having been denied.
It has not been verified that there have been effective accesses or extraction of data from
GUREAK MARKETING.
In this same Minute it also appears that a report prepared by GUREAK is attached.
MARKETING in which it is revealed that after making the
internal checks have not occurred access and / or extraction of data from
GUREAK MARKETING.
On July 3, they send additional information to the gap in which a
Follow-up act dated June 26 and a Report from ITS and GUREAK LANEAN
in which they rule out access and / or leakage of personal data
On July 16 and 17, all entities that have notified the breach
referenced above have sent a full notification on the gap
informing the Agency that it has been found that there has been no access to data
of a personal nature.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/8
SECOND: On March 23, 2020, the Director of the Spanish Agency for
Data Protection orders the Subdirectorate General for Data Inspection to
assess the need to carry out the appropriate preliminary investigations in order to
determine a possible violation of data protection regulations, having
knowledge of the following points:
Notification date of the personal data security breach: February 11,
2020.
INVESTIGATED ENTITY
GUREAK LANEAN SA with NIF A20044590 and address at *** ADDRESS. 1
(Guipúzkoa)
RESULT OF RESEARCH ACTIONS
As stated on the web *** URL.1, GUREAK is a Basque business group that
generates and manages stable job opportunities and suitably adapted to
people with disabilities, primarily with intellectual disabilities in
Gipuzkoa.
1.- On May 21, 2020, a written request for
information to GUREAK LANEAN SA, which in its answering brief makes
reference to the rest of the Group companies. From the response received, it is clear
following:
Regarding the company.
GUREAK LANEAN is the sole owner and / or administrator of some of the
referenced companies. The companies share facilities, services
administrative centers, infrastructures, service providers and others,
although they are independent legal persons.
GUREAK LANEAN has signed a service provision contract with
each of the companies in which GUREAK LANEAN acts as
data controller and the rest of the companies that act as
data controllers. They have provided a contract with GUREAK
GARBITASUNA SLU dated January 3, 2019 and state that the model
contract is unique (Annex 1).
The treatments that appear correspond, among others, to:
o Maintenance of Computer Systems
o Development and maintenance of applications
Information systems are centralized in the offices
Group headquarters. Work centers are interconnected with
the central in order to use the available services and centralize the
information managed from the centers.
The connection is made through a dedicated fiber line. This private network
interconnection has a Firewall to secure Internet access from
all delegations.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/8
The headquarters also has a Firewall in order to control the
Delegations access allowing only access to services
necessary, necessary communications and securing the internet access of the
Central.
The servers are housed in two CPDs
Information on the infrastructure, networks and
software classified as CONFIDENTIAL.
GUREAK LANEAN has signed a service provision contract with
INTEGRATED TECHNOLOGY SYSTEMS (ITS) dated February 25,
2019, for which the latter company will carry out computer maintenance.
(annex 9)
Regarding the chronology of the events and measures taken to minimize the
impact of the gap
The entity has provided a report prepared for this purpose (annex 3 CONFIDENTIAL) in
the one that appears:
On Saturday *** DATE 1, a computer team sends an alert via email to the
support address indicating that several accesses have been attempted from a
server. Access has been blocked by entering several consecutive times
wrong password.
On Sunday, February 9, a systems technician reviews the alert in order to
verify the reason why a device is being accessed, since it does not
it is a common access. By verifying that the Security Manager of the
company that was not trying to access the equipment is turned off as a first measure
prevention. It also checks whether other computers have been accessed in
similar hours detecting failed login attempts with a user
administrator.
Immediately the password of the administrator user and the
Responsible for Security and the rest of the accounts of
administrator on all systems.
It is verified that there has been no encryption, but a process is detected
weird running on some servers so they stop
immediately its execution.
It is detected that one of the servers has a fraudulent active connection due to
which proceeds to turn it off and closes the Internet connection in the
Firewall as a precautionary measure.
As an additional measure, an email is sent so that the entire organization
modify the passwords before the possibility that they have been seen
committed.
On Monday, February 10, the ITS security company that carries out
the management of firewalls and a bad configuration is detected in the Firewall
that allowed access from the outside. The server that gave access was
has been turned off from the day before. It is concluded that the intrusion is
closed and there is no unauthorized connection.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/8
Throughout the week, a forensic analysis of the
intrusion and compromised machines are recovered.
Admin passwords are changed twice again
consecutive as an additional precautionary measure.
No anomalous accesses or generation of fraudulent users are detected.
On Tuesday, February 11, users are again obliged to change their
password.
On Wednesday, February 12, they proceed to notify the AEPD of the gap in
security due to the type of information found on the servers
affected, although there is no evidence that data has been compromised
personal, for this reason they decide not to communicate the gap to possible
affected.
It is decided to report the facts to the Ertzaintza (annex 19).
On Monday, February 17, the intrusion was closed and no leakage of
information.
On Wednesday, February 19, the Firewall migrated to another.
On Thursday, April 9, the second ITS technical report is received where the
finds that after the analysis carried out there has been no leakage of
information.
On April 28, the automated review (vaccination) of all the
servers already checked manually. No unusual activity is detected.
Regarding the causes that made the breach possible
The ITS provider replaces the Firewall with a new firewall.
This Firewall allowed the attempt to connect via remote desktop with a
administrator password that was detected to be weak and that the hack was
he must have used a password cracking technique and later be able to
connect to the rest of the computers.
Regarding the affected data.
Forensic reports commissioned from an external company and those prepared by
GUREAK LANEAN's own IT technicians state that no
there is evidence that any data has been affected
personal. For this reason, they consider that there have been no consequences for
possible affected since no data has been extracted abroad. (Annex 6 in the
minutes dated February 12, 2020, annex 7 in the minutes of the Committee on
security dated February 18 and annex 8 in the Minutes of February 28)
GUREAK LANEAN states that the intrusion detection was carried out in
early form and the volume of information exchanged abroad has
been low relative to the existing data volume. Also in the logs of
systems that have personal data have not been detected
unusual accesses.
No disclosure of data of nor have they been found on the Internet
knowledge that a third party has accessed the Group's data.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/8
Regarding the actions taken for the final resolution of the gap
GUREAK LANEAN has taken, among others, the following actions:
Review of all firewall rules
Firewall monitoring
Information on the recurrence of these events and the number of analogous events
happened in time
GUREAK LANEAN state that it is the first time that an event of these
characteristics happens in your organization. There have been no similar cases
previous
Regarding the security measures previously implemented, the breach
GUREAK LANEAN has provided the following documents:
o Register of treatment activities (annex 10).
o Risk Analysis (Annex 11).
o Analysis of the need for impact assessment (Annex 12).
o Security measures based on the ISO 27002 standard (annex 13).
o Information Security Policy (Annex 14).
o Data Protection Policy (annex 15).
o Incident management and security breaches (Annex 16).
o Audit Report on compliance with the Protection regulations
Data dated December 14, 2019 (Annex 17).
FOUNDATIONS OF LAW
I
In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for
Data Protection.
II
The GDPR defines, in a broad way, "data security breaches
personal "(hereinafter security bankruptcy) as" all those violations of the
security that cause accidental or unlawful destruction, loss or alteration of
personal data transmitted, stored or otherwise processed, or the
unauthorized communication or access to said data. "
In the present case, it is established that there was a data security breach
personal in the circumstances indicated above, categorized as a gap
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/8
confidentiality, as a consequence of a bad configuration in the Firewall
allowing access from the outside.
The investigation actions show that, prior to the gap in
security, the investigated entity had reasonable security measures in place
depending on the possible estimated risks. Provides Record of Activities of
Treatment and Risk Analysis as indicated in the history and have been taken
appropriate subsequent actions to avoid a repetition of the incident.
Likewise, it had action protocols to deal with an incident such as the
now analyzed, which has allowed diligently the identification, analysis and
classification of the personal data security breach as well as the diligent
reaction to it in order to minimize the impact and implement new
reasonable and timely measures to avoid a recurrence of the incidence in the future to
through the implementation and effective execution of an action plan by the
different figures involved such as the person responsible for the treatment and the Delegate of
Data Protection.
There are no claims made to this Agency by third parties.
Consequently, it must be concluded that the investigated entity had available measures
reasonable technical and organizational measures to avoid this type of incident and that by
insufficient data have been diligently updated. Finally, it is recommended
prepare a Final Report on the traceability of the event and its valuation analysis, in
particular, regarding the final impact. This Report is a valuable source of
information that should be fed into the analysis and risk management and will serve
to prevent the repetition of a gap with similar characteristics such as the
analyzed, predictably caused by a specific error.
III
In view of the actions carried out, it has been proven that the actions of
GUREAK LANEAN, S.A as the entity responsible for the treatment has been in accordance with
the regulations on the protection of personal data analyzed in the paragraphs
previous.
Therefore, in accordance with the provisions, by the Director of the Spanish Agency for
Data Protection,
HE REMEMBERS:
FIRST: PROCEED TO THE FILING of these actions.
SECOND: NOTIFY this resolution to GUREAK LANEAN, S.A. with NIF
A20044590 and address at *** ADDRESS.1 (Guipúzkoa).
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/8
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the
arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day
following notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within two months from the next day
upon notification of this act, as provided in article 46.1 of the aforementioned Law.
940-0419
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
