AEPD - E/08205/2019

From GDPRhub
AEPD - E/08205/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR

Article 32 GDPR

Article 33 GDPR

Type: Investigation
Outcome: No violation found
Decided: 06.11.2019
Published: n/a
Fine: None
Parties: promofarma ecom S.L
National Case Number: E/08205/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

The AEPD confirmed an online pharmacy's (Promofarma ecom S.L) compliance with the GDPR after having used its investigation powers.

English Summary[edit | edit source]

Facts[edit | edit source]

The AEPD carried out an ex officio investigation.

Holding[edit | edit source]

The AEPD found the existence of a data breach by possible access to personal data. 1,300,000 data sets were lost through an external attack. The data was subsequently found on the deepweb. 

However, the AEPD confirmed that Promofarma, had technical and organizational measures to deal with such an incident. This allowed the detection, analysis and classification of the data breach in order to notify, communicate and minimize the impact and implement reasonable measures to avoid future repetition through an action plan.

The adoption of technical and organizational measures, such as a more robust encryption system and improvements of the personal data management applications was also positively taken into account by the AEPD.

The final report on the breach and its impact was seen as a valuable source of information to analyze and manage future risks. The use of this information will serve to prevent the repetition of a similar attack.

Therefore, it has been accredited that the action of the controller has been in accordance with the GDPR and the file was closed.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.


Procedure No.: E/08205/2019
940-0419


TERMINATION OF PROCEEDINGS

Of the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: The inspection actions are initiated by the receipt of a security bankruptcy notification letter sent by PROMOFARMA ECOM S.L (from now on PROMOFARMA) in which they inform the Spanish Data Protection Agency that they have found out through a journalistic publication in the social network Twitter that the database of registered users in the entity had been obtained by a hacker and commercialized through the deep web.

They indicate that the bankruptcy began on 06/08/2019. First, they estimated 2,950,000 affected, considering after the investigation a total of 1,300,000. With regard to the type of data, these are basic and contact data for customers and users of the entity's website.

SECOND: The General Sub-directorate of Data Inspection carried out previous investigation actions to clarify the facts that were the object of the complaint, being aware of the following points:

BACKGROUND

Bankruptcy notification date: August 9, 2019

ENTITIES UNDER INVESTIGATION

PROMOFARMA ECOM S.L with NIF B65130122 with address in AV DIAGONAL Num.534 P.6 PTA.2 - 08029 Barcelona (BARCELONA)

RESEARCH FINDINGS

1.- FACTS. The entity reports the following chronology of events:
FIRST: PROMOFARMA, on August 6, 2019, at 5:30 p.m., was aware of a news item published in a foreign media regarding an alleged illegal sale of a database corresponding to its clients. Immediately after carrying out an initial check on the veracity of this news item, PROMOFARMA activated the security protocol established in the Procedure for the Management of Incidents and Violations of Personal Data Security (hereinafter referred to as Security Breach) and, in parallel, began the investigation of an alleged cyber attack through direct contact with the author of the news item, a specialist in information security.
SECOND - After an exchange of messages via email and the social network Twitter, the author of the news provided a screenshot showing a
 



example of 17 records allegedly filtered through the cyber attack, the data typology of which is as follows:
- Full name.
- Telephone.
- E-mail address.
- Postal address.
- Password encrypted by a secure algorithm.
THIRD: The information security department of PROMOFARMA contrasted the information obtained with the existing information in the company's database and, on a preliminary basis, concluded that the records of the screenshot provided by the author of the news could be indicative of a potential security breach of confidentiality. The number of potential affected persons detected in the first instance amounted to around 2.6 million, which was the maximum number of records in the database at that time. However, after further investigation, the number of records allegedly affected was found to be 1.3 million, given the existence of multiple records attributed to the same user.
PROMOFARMA has not been able to access the content of the allegedly stolen database.
FOURTH. As a result of the above, and even without being able to affirm with total certainty the scope of interested parties affected by the lack of conclusive information, PROMOFARMA, acting with prudence and in the interest of its users, chose to take as a reference the most serious of the possible scenarios and considered as affected treatments all those that involved personal data of its clients, potential clients and suppliers, resulting in about 1.3 million records mentioned above, containing the following data: name, surname(s), telephone number, e-mail address, postal address and encrypted passwords for access to PROMOFARMA.
FIFTH - On August 9, 2019, in view of the evidence of the possible attack, the corresponding notification was presented to the AEPD and, at the same time, a complaint was filed with the Barcelona Court of Justice, requesting the further investigation of the events by the Judicial Police, which constitute an offence under Article 278 of the Criminal Code, of discovering and revealing company secrets.
SIXTH - On August 9, 2019, even without being able to verify the veracity of the theft of personal data and taking into account that the supposedly filtered passwords were duly encrypted, PROMOFARMA, in a preventive manner and as one of the actions taken with the aim of minimizing the adverse effects of the supposed cyber attack, forced a reset of passwords to all users at 8:00 pm, thus forcing all PROMOFARMA users to change their access password to a different one.
In addition, the Board of Directors of the parent company of PROMOFARMA was informed of the details known at the time of the alleged security breach, as well as the fact that the notification of the breach had been submitted to the AEPD and the corresponding report to the Court of Guard of Barcelona.
 



As an additional measure to lessen the effects of the potential security breach, PROMOFARMA increased the type of algorithm used to encrypt the information in the database, further reducing the risk of information decryption.
SEVENTH: On 14 August, at around 7.50pm, PROMOFARMA launched an email communication to potentially affected users regarding the alleged cyber attack.
EIGHTH - In line with the above, due to the fact that the passwords of the users supposedly affected were encrypted at the time of the attack, and that PROMOFARMA proceeded to promptly reset those passwords, as well as to change the encryption algorithm of the passwords to one of the most robust currently on the market, it is unlikely that users will suffer any consequences of the cyber attack, except for the obligation to create a new password at the next login.
In this sense, and as evidence of the non-existence of negative consequences derived from the alleged breach, to the date of submission of this paper no fraudulent use of the data accessed has been detected, and no user has contacted the organization to claim or make known any aspect related to the facts.

2.- PRE-EXISTING MEASURES:
PROMOFARMA has adapted to the RGPD by implementing a management system for governance, risk and compliance with the aforementioned regulations. The company has identified, reviewed and adapted the company's processing of personal data.
As a result of this process of adaptation to the RGPD, it drew up a series of documents that make up the organisation's management system, which is made up of the following elements, among others
- Record of processing activities carried out by PROMOFARMA;

- Previous risk analysis of each and every data treatment carried out by PROMOFARMA;
- Information clauses for data subjects and the legitimacy of each processing operation;

- Model contracts to regularize the relationship with third parties who have access, even potential, to data of a personality nature under the responsibility of PROMOFARMA;
- Inventory of employees with access to the information system to carry out the processing of personal data, as well as evaluation of compliance with the security measures effectively implemented;
- Carrying out various impact assessments relating to the protection of data from processing operations classified as involving a high risk to the rights and freedoms of data subjects;
 



And procedures relating, among others, to:
- Data protection from design and default.

- Duty to inform and obtain and revoke consent.

- Registration and cancellation of users and management of passwords.

- Selection and contracting of personnel.

- Control of access to the facilities.

- Encryption and ciphering.

- Definition and assignment of roles and responsibilities in data processing.
- Communications and data transfers to third parties.

- Hiring of third parties with access to data.

- Exercise and attention to the rights of the interested parties.

- Notification and management of security incidents and violations.

- Evaluation of the inherent risk and impact on privacy.

- Identification and regularization of international transfers.

- Destruction and conservation of data.

PROMOFARMA has provided a copy of the company's Processing Activities Register, with the treatments affected by the security breach. The Registry of Treatment Activities includes the Risk Analysis of each of the treatments. The methodology used to determine the treatment risks is described in the Inherent Risk and Privacy Impact Assessment Procedure, a copy of which is also provided.

The entity's representatives indicate that from the assessment of the processing risks it was necessary to carry out certain Data Protection Impact Assessments (DIA) of a series of processing operations, attaching five DIA. Also, in the process of adaptation to the RGPD, an inventory of information systems was carried out (software, databases, etc.), a copy of which was provided, and compliance with the corresponding security measures was associated with and evaluated for each of these, taking into account the security measures recommended by the following standards and reference guides
- ISO/IEC 27001:2017

- ISO/IEC 27002:2013.
 



- "Handbook on Security of Personal Data Processing" published by the European Network and Information Security Agency (ENISA)


Similarly, it should be noted that PROMOFARMA's online platform is stored on external hosting servers with which PROMOFARMA has a data processor contract, a copy of which is provided.
PROMOFARMA's information is hosted in the nodes located within the European Union's Economic Area (EEA) whose security measures, both physical and logical, are widely described in the document called "White Paper Security", a copy of which is provided, which emphasizes that the hosting server complies with virtually all existing information security standards worldwide.
PROMOFARMA has implemented, as an important part of its compliance management system, a Procedure related to the notification and management of security incidents and violations that is attached to this document as ANNEX VIII, with respect to which it can be verified by the AEPD that PROMOFARMA fully complies with the requirements established by the RGPD, at the same time that this was applied and fully complied with by the company.


3.- POST-GAP MEASURES:
In addition to the measures already indicated in the chronology of events, consisting of forcing the resetting of user passwords, submission of the notification of the breach to this Agency, reporting to the Barcelona Court of Justice and improvement of the encryption algorithm, PROMOFARMA has provided a Technical Report identifying each and every one of the measures implemented after the security breach, as well as indicating the security measures planned or in the process of implementation.

LEGAL FOUNDATIONS

I
In accordance with the investigative and corrective powers that Article 58 of Regulation (EU) 2016/679 (General Regulation on Data Protection, hereinafter RGPD) grants to each supervisory authority, and in accordance with the provisions of Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.

II

The RGPD broadly defines "personal data security breaches" (hereinafter referred to as security breaches) as "all security breaches that result in the accidental or unlawful destruction, loss or alteration of
 



personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data.

In the present case, it is known that a security breach of personal data occurred in the circumstances indicated above, categorized as a confidentiality breach due to the possible access of personal data by third parties, as a result of improper access to the database of customers and users as a result of an external attack and subsequently put on the Deep Web.

However, it is also recorded that PROMOFARMA had technical and organisational measures in place to deal with an incident such as the one analysed here, and in particular, the encryption and encoding of passwords. This has allowed for the detection, analysis and classification of the security breach of personal data as well as the diligent reaction to it in order to notify, communicate and minimise the impact and implement the appropriate reasonable measures to avoid its repetition in the future through the implementation of an action plan previously defined by the figures involved in the processing manager.

The adoption of technical and management measures should also be assessed, such as contracting a more robust encryption system and reporting to the Barcelona Court of Justice in order to minimise similar risks in the future and improve the quality of the personal data management applications for which it is responsible.

The final report after monitoring and closing the gap and its impact is a valuable source of information to feed into future risk analysis and management. The use of this information will serve to prevent the recurrence of the impact of a gap.

III

Therefore, it has been accredited that the action of the claimed party as the entity responsible for the processing has been in accordance with the regulations on the protection of personal data analysed in the previous paragraphs.

Therefore, in accordance with what has been indicated, by the Director of the Spanish Data Protection Agency

AGREED:

FIRST: PROCEEDING TO THE ARCHIVE of the present proceedings.

SECOND: TO NOTIFY the present resolution to PROMOFARMA ECOM S.L with NIF B65130122 and with address in AV DIAGONAL Num.534 P.6 PTA.2 - 08029
Barcelona (BARCELONA)

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
 



Against this resolution, which puts an end to the administrative procedure according to the provisions of article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of articles 112 and 123 of the aforementioned Law 39/2015, of 1 October, the interested parties may lodge, optionally, an appeal for reversal with the Director of the Spanish Data Protection Agency within the period of one month starting from the day following the notification of this decision or directly an administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Act.

Mar Spain Martí
Director of the Spanish Data Protection Agency