AEPD - E/03003/2020

Relevant Law: Article 32(1) GDPR
Outcome: No Violation Found
Parties: Gureak Lanean SA
National Case Number/Name: E/03003/2020
European Case Law Identifier: n/a
Original Source: AEPD decision (in ES)
The AEPD did not find a violation of Article 32(1) GDPR regarding a data breach communicated by Gureak Lanean SA, as they concluded that the company had implemented appropriate technical and organisational measures to ensure an adequate level of security.
English Summary

Facts
The company Gureak Lanean suffered a hacking attempt against its servers. The attacker accessed data stored on several servers, although, according to the company, only a small amount of information was sent outside. The AEPD did not receive any complaint from affected data subjects.
Dispute
Was this data breach a violation of Article 32(1) GDPR?
Holding
The AEPD concluded that there was no violation of Article 32(1) GDPR, because the company had implemented appropriate technical and organisational measures to ensure an adequate level of security: it had protocols in place in case of a breach, reacted quickly, and had already taken measures to prevent breaches from happening in the future.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: E/03003/2020

RESOLUTION TO FILE THE PROCEEDINGS

Of the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: The entity GUREAK LANEAN SA informs the Spanish Data Protection Agency that, on *** DATE.1, it detected a blocked access, after ten unsuccessful login attempts, from an internal server on the network to the NAS (network attached storage device) server. On reviewing the incident, it was verified that the access attempt was made with an Administrator profile of one of the company's two domains and that the access was not carried out by people of the entity, for which reason they consider that there has been a security breach that has compromised passwords. In the notification they indicate that there may be about 500 people affected (customers and suppliers) and that economic and health data may be involved.

On February 12, 2020, an additional notification was received from GUREAK LANEAN SA stating that on February 9 at 5:30 p.m. they detected the creation of a user with an Administrator profile. They also state that accesses were made using the Administrator profile of the entity's other domain, as well as searches in the Active Directory (the Microsoft service that stores information about objects on the network, including information on user accounts) with access to name and surname, department and position data of some users. In this notification they indicate that 23,044 data records may be affected.

On February 12, 2020, 11 notifications of security breaches were received showing that GUREAK LANEAN SA, in its capacity as data controller, had notified them of unauthorised access to its servers. The following entities have reported the breach as controllers:

o GUREAK GARBITASUNA SLU. Number of data records affected: 674.
o GUREAK BERDEA SLU. Number of data records affected: 156.
o GUREAK ZERBITZUGUNEAK SLU. Number of data records affected: 97.
o GUREAK OSTALARITZA SLU. Number of data records affected: 137.
o GUREAK ZERBITZU ANITZAK SLU. Number of records affected: 203.
o GUREAK ARAN SLU. Number of data records affected: 56.
o GERONTOLOGICO DE RENTERIA SLU. Number of records affected: 131.
o GUREAK ARABA SLU. Number of data records affected: 351.
o GUREAK NAVARRA SLU. Number of data records affected: 181.
o GUREAK IKUTTEGIA SL. Number of data records affected: 123.
o GOYENECHE DE SAN SEBASTIAN FOUNDATION. Number of affected: 336.

C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es

GUREAK MARKETING SLU

On February 12 and April 3, 2020, two notifications were received from the company GUREAK MARKETING SLU, showing that they learned of the breach described above through the company's computer verification system. The last notification attaches two minutes of the extraordinary meetings of the privacy committee of GUREAK MARKETING SLU of February 12 and 27, 2020, on the security breach.

In the minutes of February 12 it is stated that GUREAK LANEAN is a company of the Group and acts as data processor for GUREAK MARKETING with regard to infrastructure and data processing, and that they have verified that the security incident affected the infrastructure of that entity in a similar way to the GUREAK MARKETING infrastructure. They also report the existence of the company INTEGRATED TECHNOLOGY SISTEM SL (hereinafter ITS) as a supplier of cybersecurity services that, together with GUREAK LANEAN, will prepare a technical report on the security breach. The number of potentially affected persons at GUREAK MARKETING amounts to 371 employees, with basic identification, economic/financial, contact, location and health data.

In the minutes of February 27 it is stated that the report prepared by ITS reaches the following conclusions: the intrusion took place through a server with a wrong configuration in the firewall (a computer system whose function is to prevent and protect the private network from intrusions or attacks from other networks by blocking their access); the first failed attempts date from January 30, 2020, from IP addresses located in *** COUNTRY.1; only the attempt to access two GUREAK MARKETING servers was verified, and it was denied; no effective accesses or extraction of data from GUREAK MARKETING have been verified. The same minutes also attach a report prepared by GUREAK MARKETING which reveals that, after the internal checks, no access to and/or extraction of GUREAK MARKETING data occurred.

On July 3, they sent additional information on the breach: a follow-up minute dated June 26 and a report by ITS and GUREAK LANEAN which rule out access to and/or leakage of personal data.

On July 16 and 17, all the entities that notified the breach referenced above sent a complete notification of the breach informing the Agency that it has been found that there was no access to personal data.

SECOND: On March 23, 2020, the Director of the Spanish Data Protection Agency instructed the Subdirectorate General for Data Inspection to assess the need to carry out the appropriate preliminary investigations in order to determine a possible violation of data protection regulations, on the basis of the following points:

Notification date of the personal data security breach: February 11, 2020.

INVESTIGATED ENTITY: GUREAK LANEAN SA with NIF A20044590 and address at *** ADDRESS.1 (Guipúzkoa).

RESULT OF THE INVESTIGATION ACTIONS

As stated on the website *** URL.1, GUREAK is a Basque business group that generates and manages stable, suitably adapted job opportunities for people with disabilities, primarily with intellectual disabilities, in Gipuzkoa.

1.- On May 21, 2020, a written request for information was sent to GUREAK LANEAN SA, which in its reply refers to the rest of the Group companies. From the reply received, the following is clear:

Regarding the company

GUREAK LANEAN is the sole owner and/or administrator of some of the referenced companies. The companies share facilities, administrative service centres, infrastructures, service providers and others, although they are independent legal persons. GUREAK LANEAN has signed a service provision contract with each of the companies, in which GUREAK LANEAN acts as data processor and the rest of the companies act as data controllers. They have provided a contract with GUREAK GARBITASUNA SLU dated January 3, 2019 and state that the model contract is the same for all (Annex 1). The processing operations listed correspond, among others, to:

o Maintenance of computer systems
o Development and maintenance of applications

Information systems are centralised in the Group's headquarters. Work centres are interconnected with the headquarters in order to use the available services and centralise the information managed from the centres. The connection is made through a dedicated fibre line. This private network interconnection has a firewall to secure Internet access from all delegations. The headquarters also has a firewall in order to control the delegations' access, allowing only access to the necessary services and communications, and to secure the headquarters' Internet access. The servers are housed in two data centres (CPDs). Information on the infrastructure, networks and software is classified as CONFIDENTIAL.

GUREAK LANEAN has signed a service provision contract with INTEGRATED TECHNOLOGY SYSTEMS (ITS) dated February 25, 2019, under which the latter company carries out computer maintenance (Annex 9).

Regarding the chronology of the events and the measures taken to minimise the impact of the breach

The entity has provided a report prepared for this purpose (Annex 3, CONFIDENTIAL) which states:

On Saturday *** DATE.1, a computer system sends an alert by email to the support address indicating that several accesses have been attempted from a server. Access has been blocked after a wrong password was entered several consecutive times.

On Sunday, February 9, a systems technician reviews the alert in order to verify why a device is being accessed, since it is not a common access. After verifying with the company's Security Manager that it was not him trying to access the equipment, it is turned off as a first preventive measure. It is also checked whether other computers have been accessed at similar hours, detecting failed login attempts with an administrator user. The passwords of the administrator user, of the Security Manager and of the rest of the administrator accounts on all systems are changed immediately. It is verified that there has been no encryption, but a strange process is detected running on some servers, so its execution is stopped immediately. It is detected that one of the servers has a fraudulent active connection, so it is turned off and the Internet connection is closed in the firewall as a precautionary measure. As an additional measure, an email is sent so that the entire organisation changes its passwords, given the possibility that they have been compromised.

On Monday, February 10, the ITS security company that manages the firewalls is informed, and a misconfiguration is detected in the firewall that allowed access from the outside. The server that gave access had been turned off since the day before. It is concluded that the intrusion is closed and there is no unauthorised connection.

Throughout the week, a forensic analysis of the intrusion is carried out and the compromised machines are recovered. Admin passwords are changed twice more, consecutively, as an additional precautionary measure. No anomalous accesses or creation of fraudulent users are detected.

On Tuesday, February 11, users are again obliged to change their password.

On Wednesday, February 12, they notify the AEPD of the security breach because of the type of information found on the affected servers, although there is no evidence that personal data have been compromised; for this reason they decide not to communicate the breach to the possibly affected persons. It is decided to report the facts to the Ertzaintza (Annex 19).

On Monday, February 17, the intrusion was closed and no leakage of information was found.

On Wednesday, February 19, the firewall was migrated to another one.

On Thursday, April 9, the second ITS technical report is received, which finds that after the analysis carried out there has been no leakage of information.

On April 28, the automated (antivirus) review of all the servers already checked manually is completed. No unusual activity is detected.

Regarding the causes that made the breach possible

The ITS provider replaced the firewall with a new one. The previous firewall allowed attempts to connect via remote desktop with an administrator password that was found to be weak; the attacker must have used a password cracking technique and was later able to connect to the rest of the computers.

Regarding the affected data

The forensic reports commissioned from an external company and those prepared by GUREAK LANEAN's own IT technicians state that there is no evidence that any personal data have been affected. For this reason, they consider that there have been no consequences for the possibly affected persons, since no data have been extracted to the outside (Annex 6 in the minutes dated February 12, 2020, Annex 7 in the minutes of the security committee dated February 18 and Annex 8 in the minutes of February 28).

GUREAK LANEAN states that the intrusion was detected early and that the volume of information exchanged with the outside has been low relative to the existing data volume. Also, no unusual accesses have been detected in the logs of the systems that hold personal data. No disclosure of data has been found on the Internet, nor is there any knowledge that a third party has accessed the Group's data.

Regarding the actions taken for the final resolution of the breach

GUREAK LANEAN has taken, among others, the following actions:

o Review of all firewall rules
o Firewall monitoring

Information on the recurrence of these events and the number of analogous events over time

GUREAK LANEAN states that it is the first time that an event of these characteristics has happened in its organisation. There have been no similar previous cases.

Regarding the security measures implemented before the breach

GUREAK LANEAN has provided the following documents:

o Register of processing activities (Annex 10).
o Risk analysis (Annex 11).
o Analysis of the need for an impact assessment (Annex 12).
o Security measures based on the ISO 27002 standard (Annex 13).
o Information security policy (Annex 14).
o Data protection policy (Annex 15).
o Incident and security breach management (Annex 16).
o Audit report on compliance with the data protection regulations dated December 14, 2019 (Annex 17).
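The detection pattern the chronology describes (a lockout after ten failed attempts with a domain Administrator account from an internal server, the same account failing on other hosts at similar hours, and the later creation of a new Administrator-profile user) expressed as a small log-correlation script. This is an added example, not code from GUREAK LANEAN, ITS or the AEPD; the event format, host and account names, the 30-minute window and the sample events are all constructed assumptions.

```python
"""Correlate authentication events for the patterns in the decision: a failure
streak reaching the lockout threshold, a success right after failures, an admin
account failing on several hosts, and creation of a new admin-profile user."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10           # the decision: access blocked after ten failed attempts
WINDOW = timedelta(minutes=30)   # assumed window for counting a failure streak
ADMIN_ACCOUNTS = {"dom1\\administrator", "dom2\\administrator"}  # assumed names

def parse(line):
    """'<iso timestamp> <host> <source> <user> <fail|ok|create_admin>' -> dict."""
    ts, host, src, user, event = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "src": src,
            "user": user.lower(), "event": event}

def analyse(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return (alert_type, detail) tuples in detection order."""
    alerts = []
    streak = defaultdict(list)            # (src, host, user) -> recent failure times
    admin_fail_hosts = defaultdict(set)   # admin account -> hosts it failed on
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["host"], e["user"])
        if e["event"] == "fail":
            streak[key] = [t for t in streak[key] if e["ts"] - t <= window] + [e["ts"]]
            if len(streak[key]) == threshold:        # what tripped the NAS alert
                alerts.append(("lockout", f"{e['user']} from {e['src']} on {e['host']}"))
            if e["user"] in ADMIN_ACCOUNTS:
                admin_fail_hosts[e["user"]].add(e["host"])
        elif e["event"] == "ok":
            if streak[key]:                           # a guessed password, not a typo
                alerts.append(("success_after_failures",
                               f"{e['user']} on {e['host']} after {len(streak[key])} failures"))
            streak[key] = []
        elif e["event"] == "create_admin":            # new Administrator-profile user
            alerts.append(("new_admin_user", f"{e['user']} created on {e['host']} by {e['src']}"))
    for user, hosts in admin_fail_hosts.items():
        if len(hosts) > 1:                            # "other computers at similar hours"
            alerts.append(("admin_failures_multiple_hosts", f"{user}: {sorted(hosts)}"))
    return alerts

def sample_events():
    """Constructed events mirroring the narrative; not real GUREAK log data."""
    t0 = datetime(2020, 2, 8, 23, 0)
    lines = [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} NAS01 SRV07 dom1\\Administrator fail"
             for i in range(10)]
    lines += [
        f"{(t0 + timedelta(minutes=3)).isoformat()} FS02 SRV07 dom1\\Administrator fail",
        f"{(t0 + timedelta(minutes=10)).isoformat()} DC01 SRV07 dom2\\Administrator fail",
        f"{(t0 + timedelta(minutes=20)).isoformat()} DC01 SRV07 dom2\\Administrator ok",
        f"{(t0 + timedelta(minutes=40)).isoformat()} FS02 WS15 dom1\\jdoe fail",
        f"{(t0 + timedelta(days=1)).isoformat()} DC01 SRV07 dom1\\svc_backup2 create_admin",
    ]
    return [parse(l) for l in lines]

if __name__ == "__main__":
    for kind, detail in analyse(sample_events()):
        print(f"{kind:30s} {detail}")
```

A single ordinary user typo (the jdoe event) produces no alert, while the ten-attempt streak, the post-failure success, the multi-host admin failures and the new admin account each do.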
LEGAL GROUNDS

I

In accordance with the investigative and corrective powers that Article 58 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and according to the provisions of Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.

II

The GDPR defines, in a broad way, "personal data security breaches" (hereinafter security breach) as "all those breaches of security that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised communication of or access to such data".

In the present case, it is established that there was a personal data security breach in the circumstances indicated above, categorised as a confidentiality breach, as a consequence of a misconfiguration in the firewall that allowed access from the outside.

The investigation actions show that, prior to the security breach, the investigated entity had reasonable security measures in place in view of the estimated risks. It provides a Register of Processing Activities and a Risk Analysis, as indicated in the facts, and appropriate subsequent actions have been taken to avoid a repetition of the incident.

Likewise, it had action protocols to deal with an incident such as the one now analysed, which allowed the diligent identification, analysis and classification of the personal data security breach, as well as a diligent reaction to it in order to minimise its impact and implement new reasonable and timely measures to avoid a recurrence of the incident in the future, through the implementation and effective execution of an action plan by the different parties involved, such as the data controller and the Data Protection Officer.

No claims have been made to this Agency by third parties.

Consequently, it must be concluded that the investigated entity had reasonable technical and organisational measures in place to avoid this type of incident and that, where they proved insufficient, these have been diligently updated.

Finally, it is recommended to prepare a Final Report on the traceability of the event and its assessment, in particular regarding the final impact. This Report is a valuable source of information that should feed into risk analysis and management and will serve to prevent the repetition of a breach with characteristics similar to the one analysed, presumably caused by a specific error.

III

In view of the actions carried out, it has been proven that the conduct of GUREAK LANEAN, S.A. as the entity responsible for the processing has been in accordance with the personal data protection regulations analysed in the preceding paragraphs.

Therefore, in accordance with the above provisions, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO PROCEED TO THE FILING of these actions.

SECOND: TO NOTIFY this resolution to GUREAK LANEAN, S.A. with NIF A20044590 and address at *** ADDRESS.1 (Guipúzkoa).

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of Articles 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned Law.

940-0419

Mar España Martí
Director of the Spanish Data Protection Agency