AEPD - E/07796/2020
|AEPD - E/07796/2020|
|Relevant Law:||Article 32(1) GDPR|
|Outcome:||No Violation Found|
|Parties:||REAL MADRID CLUB DE FUTBOL|
|National Case Number/Name:||E/07796/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD decision (in ES)|
The Spanish DPA decided not to fine a football club that suffered a data breach because it had implemented adequate security measures and was diligent in mitigating the breach's consequences and reporting it to the authority.
English Summary[edit | edit source]
Facts[edit | edit source]
A Spanish football club, Real Madrid, suffered a data breach in which contracts, sport licenses, budgets, and other types of identifying data and economic information, related to around 1000 persons. This was done by a hacker that accessed the system with stolen credentials.
The club diligently informed of such breach to the competent authority and proceeded to scan the deep web and regular Real Madrid information on the web to verify whether the information had been made public or was for sale. There was no evidence that the hacked information had been used, nor received the authority any complaints regarding it.
After the breach, the controller installed additional measures to prevent it from happening again, namely new cyber-security measures, a double factor identification system, new laptop security protocols, and blocking the IPs from which the attack came.
The controller issued a report considering that the stolen information would not affect the reputation of the people involved, not pose any kind of risk to them. Therefore, they decided not to communicate the breach to the data subjects.
Additionally, a police investigation is taking place.
Holding[edit | edit source]
The AEPD concluded that the controller had adequate security measures and was diligent to mitigate its consequences and to report it to the authority.
Such adequate measures included, among others:
- Data protection policy
- Security policies and protocols
- Measures to prevent computer atacks
- Tools for monitoring, detecting, analysis and reporting security incidents
- Data protection and security trainings
- Access control measures
- Risk analysis of the affected data processing activities
- Cyber-security reports
- Cyber-security guides
Because of this, the AEPD considered that Real Madrid had implemented appropriate technical and organisational measures to ensure a certain level of security. Therefore, they did not find a violation of Article 32(1) and decided not to fine the controller.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 Procedure No.: E / 07796/2020 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following FACTS FIRST: As a consequence of the notification to the Innovation Division Technological of this Agency of a personal data security breach by part of the REAL MADRID CLUB DE FUTBOL Treatment Manager with number entry record O00007128e2000002465 relating to hacking on the website of the foundation, the Subdirectorate General for Data Inspection is ordered to assess the need to carry out the appropriate preliminary investigations in order to determine a possible violation of data protection regulations. SECOND: In view of the aforementioned data security bankruptcy notice personal data, the Subdirectorate General for Data Inspection proceeded to carry out of previous investigation actions, having knowledge of the following extremes: Notification date of the personal data security breach: 17 of September 2020. INVESTIGATED ENTITIES During these proceedings, the following entities have been investigated: REAL MADRID CLUB DE FÚTBOL with NIF G28034718 with address at AVDA. CONCHA ESPINA, Nº 1 - 28036 MADRID (MADRID) RESULT OF RESEARCH ACTIONS 1.- On January 11, 2021, information was requested from REAL MADRID CLUB DE FOOTBALL (hereinafter Real Madrid) in order to expand the documentation received in the gap notification. From the response received, the following can be inferred: Regarding the company. • Real Madrid has signed a service provision contract with *** COMPANY.1 for the maintenance of Information Systems. (document 3 and 3a). • Real Madrid has signed a contract with *** EMPRESA.2 for the service of cybersecurity provided for the identification of the breach and the execution of a incident response protocol (document 4). Regarding the chronology of the events. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 • On September 9, 2020 at 00:32 UTC, an access is identified from an IP address from which that computer is rarely accessed. Because of this, They try to identify all the accesses made and two accesses are detected. carried out through the account of a user of the organization who was in holiday period so they are suspicious and it is verified that they are related to subsequent access to the server. An analysis of the communications and connection attempts established between the server and other elements of the environment. • On September 11, the Incident Response team is activated, with a backup made on the server at dawn from 9 to 10 September that turned out to be not correct and on the 16th a new shipment is made with the correct backup to the incident response team. • The analysis determines that, after the access made at 00:32 UTC on September 9, September 2020, an access to an available network drive is also detected in the equipment, locating information of an apparently sensitive nature relative to budgets, personal information and private information of the entity. • At that time, Real Madrid was alerted to a possible information leak on Sept. 16, 2020, 6:20 p.m. • On September 17, a data copy is detected from the network drive did the server and the download of two tools at 1:40 UTC on the 9th of September. The generation of different compressed files is detected which includes the mentioned documents. At least one of these files is generated on the computer around 1:40 UTC and subsequently removed at 2:06 UTC. The rest of the compressed files cannot determine the exact date of their creation. The use of different services and applications related to shipping and document exchange during the time range in which the suspicious user stays on the team. As a result of these findings, on September 17, 2020 at 5:20 p.m. The company that is conducting the analysis informs Real Madrid that there has been an information leak. • On September 18, the information obtained on the equipment is correlated, with the available network registers, being therefore possible to detect a sending of data to external sources (between 1:04 and 3:50 UTC). Actions taken in order to minimize adverse effects and measures taken for your final resolution. • Among other short-term measures o Reset the credentials of the compromised users o Establish measures to not allow the use of tools that allow the Authentication to remote systems without requiring the introduction of credentials. o Block the use of certain platforms. • Between post-hoc measures o Double verification factor o Server restore o Blocking of the IP addresses from which the access took place. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 Regarding the causes that made the breach possible • The gap occurs as a consequence of the use of credentials of a user by a third party outside the organization. It is currently unknown how the alleged attacker obtained the credentials. • Real Madrid states that the inquiries of the suppliers of cybersecurity and systems have been unsuccessful and there is currently a ongoing police investigation, opened as a result of the complaint filed with the Police. (document 0). Regarding the affected data. • The data processing affected by the incident is related to: FUTBOL - Administrative Management, Contractual Relationship and follow-up of players. HR - Labor relationship management. • The personal data that have been affected are those found in the following types of documents: Contracts, federative licenses, documents, Excel budgets and other documents. Basically identifying data and economical. • The categories of stakeholders that have been affected by this incident It has been staff of the entity including players and technicians. In total about 1,000 people. • Real Madrid states that it does not consider that the information affected in the incidence, may produce identity theft, economic damage or denial of services. And, it is not estimated that with such information cause damage to the honor or reputation of the affected persons in case of public, nor affect their dignity or produce any type of discrimination for what they will not communicate the incident to those affected. They also state that they evaluated the incidence and concluded that there is a risk to the rights and freedoms of the interested parties according to what is indicated in Annex 1 and according to the criteria reflected by the Working Group of art. 29 (GT29), now Committee European Data Protection (CEPD) in its Guidelines on notifications of personal data incidents adopted on October 3, 2017 and reviewed and finally adopted on February 6, 2018, the Agency is notified, not so to the communication to the interested parties following the same criteria. • Real Madrid states that it has been supervising itself on the Internet, including the Deep Web, activity that could reflect the illegitimate use by third parties of the information affected by the breach, without to date nothing has been detected respect. Likewise, they state that they are not aware of any type of use by third party of the information affected by the breach. There are continuous automatic and manual searches of information about the Real Madrid through different sources, such as social networks, web forums and of the Deep web, ... to detect possible exposed assets and with regard to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 This incident has been used more specific searches and has not been found any evidence that the compromised information has been used by third parties. Regarding the security measures implemented Before the breach: • General measures o Data protection or information security policies. o Logical access control measures for authorized users. o Control measures to prevent attacks, intrusions and infections. o Monitoring, detection, analysis and reporting of events of incidents of safety. o Training and awareness of staff on data protection. o Regulatory framework for information security. o Security governance model. • Specific o Analysis of network accessibility. o Updating of applications and systems. o Review of the source code. o Cyber crisis management. o Monitoring events and audit logs. o Secure file delivery service. o General control of security and monitoring. • Documents: o Registry of Treatment Activities related to the treatments affected by the reported gap (document 7) o Risk Analysis of the two affected treatments. Two are attached Risk Analysis projections made for both treatments that have been carried out in order to verify that the additional measures are being implemented as a result of the gap that has occurred, contribute to further reduce the residual risk (documents 8, 8 bis, 9 and 9 bis) o Analysis of the need to carry out Impact Assessments (documents 10 and 11). o Corporate work environment in which security measures are detailed applied to the affected treatments (document 13). o Information security policy (document 14). o Guide for the Identification and communication of security incidents (document fifteen). o Review report on compliance with Title VIII of the Regulation of development of the LOPD (RD1720 / 2007) (document 16) which corresponds to the last data protection audit report, of June 30, 2016. o Cybersecurity report for the year 2020 (document 17) evaluation system keep going. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 o New cybersecurity measures (document 12). Information on the recurrence of these events and number of analogous events happened in time. There is no recurrence and there are no known analogous events. FOUNDATIONS OF LAW I In accordance with the investigative and corrective powers that article 58 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and according to the provisions of article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is competent to resolve these investigative actions by the Director of the Spanish Agency for Data Protection. II The GDPR defines, in a broad way, "data security breaches personal "(hereinafter security bankruptcy) as" all those violations of the security that cause accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication or access to said data. " In the present case, it is established that there was a data security breach personal in the circumstances indicated above, categorized as a gap confidentiality, as a consequence of the leakage of information detected. Of the documentation provided by the company in the course of these actions of investigation, between her, RAT and AR of the two affected treatments, analysis on the need to carry out Impact Assessments, the document on the environment of corporate work in which security measures applied on the affected treatments and the guide for Identification and communication of incidents of security, it follows that prior to the breach, the investigated entity had reasonable security measures in place based on possible risks Dear. Regarding the impact, the data that have been violated are the content in the following types of documents: Contracts, federative licenses, documents, Excel of budgets and other documents, which basically contain identifying data and economic, finding the volume of data affected in the range of 1000. Continuous monitoring of the Internet including the Dark Web, as well as searches for information about Real Madrid, both automatically and manual, without any evidence of illegitimate use by third parties of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 information nor are there any claims made to this Agency regarding this gap. To prevent these events from being repeated, the provisions of the document are adopted New Cybersecurity Measures, among others, the double authentication factor and the change in the rules of use of laptops. As a result of the foregoing, it is established that the technical measures and reasonable organizational measures to avoid this type of incident, however and once Once this is detected, a diligent reaction is produced, in order to notify the AEPD and implement means to eliminate it. Finally, it is recommended to prepare a Final Report on the traceability of the event and its evaluative analysis, in particular, regarding the final impact. This Report is a valuable source of information with which the analysis and management of risks and will serve to prevent the repetition of a gap with similar characteristics as analyzed. III In the present case, the action of the investigated as the entity responsible for the treatment, has been diligent and proportional to the regulations on the protection of personal data analyzed in the previous paragraphs. Therefore, in accordance with the provisions, by the Director of the Spanish Agency for Data Protection, IT IS AGREED: FIRST: PROCEED WITH THE FILING of these actions. SECOND: NOTIFY this resolution to REAL MADRID CLUB DE FÚTBOL with NIF G28034718 with address at AVDA. CONCHA ESPINA, Nº 1 - 28036 MADRID (MADRID) In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, and in accordance with the provisions of the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file, optionally, an appeal for reconsideration before the Director of the Agency Spanish Data Protection within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the provision Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction Contentious-Administrative, within two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned Law. 940-0419 Mar Spain Martí Director of the Spanish Agency for Data Protection 28001 - Madrid 6 sedeagpd.gob.es