ANSPDCP (Romania) - Fine against Altex Romania S.A.

From GDPRhub
ANSPDCP - Altex Romania
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 18.11.2024
Fine: 20,000 EUR
Parties: n/a
National Case Number/Name: Altex Romania
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

The DPA fined an online electronics retailer RON 99,516 (€20,000) for failing to implement sufficient security measures. This led to unauthorized access to client accounts in two separate data breaches.

English Summary

Facts

The controller, an online electronics retailer, was informed by a third party that some data subjects' account data were published online. This data included their name, surname, email, as well as information available in the customer account, such as delivery address, phone number, order history and data related to the cards with which online payments were made.

Moreover, the controller found that similar data (name, surname, phone number, ...) were published online as a result of so-called "credential stuffing", i.e. an illegal act consisting of using stolen user IDs and their corresponding passwords to gain access to the data subjects' accounts on the controller's platform. This attack involved repeated login attempts on client accounts in order to place unauthorized gift card orders.

The controller notified these data breaches to the DPA.

Holding

The DPA concluded that the controller failed to implement adequate security measures to prevent unauthorized access, violating Article 32(1)(b) and 32(2) GDPR.

On these grounds, the DPA fined the controller RON 99,516 (€20,000) and ordered it to adopt the following corrective measures:

  • implement new device login alerts, display logged-in devices in accounts, and enforce complex password policies with expiration intervals for all client accounts;
  • establish a system to monitor inbound and outbound internet traffic on authentication platforms for all managed e-commerce sites and applications.
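As an added illustration of the two failure modes and corrective measures described above (not code from the page, the DPA or the retailer), the following Python sketch shows what the ordered controls look like at the detection layer: it parses a constructed authentication log, flags source addresses that spray login attempts across many distinct accounts with a high failure ratio (the credential-stuffing pattern), raises a new-device alert on any successful login from a device not previously seen for that account, and lists accounts that were successfully accessed from a flagged address. The log format, the device identifiers and the thresholds are assumptions chosen for the example.

```python
"""Credential-stuffing detection and new-device login alerts over a
constructed authentication log. Added example; log format, thresholds and
device identifiers are assumptions, not taken from the decision."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: one source address tries six different accounts in
# six seconds (one succeeds), followed by ordinary logins from other addresses.
SAMPLE_LOG = """\
2024-09-01T10:00:01Z ip=203.0.113.5 user=ana@example.com device=d-7f1 result=FAIL
2024-09-01T10:00:02Z ip=203.0.113.5 user=bob@example.com device=d-7f1 result=FAIL
2024-09-01T10:00:03Z ip=203.0.113.5 user=carl@example.com device=d-7f1 result=OK
2024-09-01T10:00:04Z ip=203.0.113.5 user=dana@example.com device=d-7f1 result=FAIL
2024-09-01T10:00:05Z ip=203.0.113.5 user=eve@example.com device=d-7f1 result=FAIL
2024-09-01T10:00:06Z ip=203.0.113.5 user=finn@example.com device=d-7f1 result=FAIL
2024-09-01T10:30:00Z ip=198.51.100.7 user=ana@example.com device=d-aaa result=OK
2024-09-01T11:00:00Z ip=198.51.100.9 user=bob@example.com device=d-bbb result=FAIL
2024-09-01T11:00:20Z ip=198.51.100.9 user=bob@example.com device=d-bbb result=OK
2024-09-01T12:00:00Z ip=192.0.2.44 user=ana@example.com device=d-ccc result=OK
"""

# Constructed "devices already seen" state, per account (assumed to be
# persisted by the application after a confirmed login).
KNOWN_DEVICES = {"ana@example.com": {"d-aaa"}, "bob@example.com": {"d-bbb"},
                 "carl@example.com": {"d-ddd"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                     r"device=(?P<device>\S+) result=(?P<result>OK|FAIL)$")


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    device: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed key=value log format into time-sorted attempts."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(Attempt(ts, m["ip"], m["user"], m["device"], m["result"] == "OK"))
    return sorted(attempts, key=lambda a: a.ts)


def detect_credential_stuffing(attempts, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that hit many distinct accounts within `window` and
    fail most of the time. A single user mistyping a password touches one
    account and is never flagged, whatever the failure ratio."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)          # preserves global time order per IP
    flagged = {}
    for ip, rows in by_ip.items():
        fails = sum(not a.ok for a in rows)
        fail_ratio = fails / len(rows)
        peak, start = 0, 0
        for end in range(len(rows)):   # sliding window over sorted attempts
            while rows[end].ts - rows[start].ts > window:
                start += 1
            peak = max(peak, len({a.user for a in rows[start:end + 1]}))
        if peak >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_accounts": peak, "attempts": len(rows),
                           "fail_ratio": round(fail_ratio, 2)}
    return flagged


def new_device_alerts(attempts, known_devices):
    """Emit (user, device, ip) for each successful login from a device not
    yet seen for that account; the device is then remembered."""
    known = {u: set(d) for u, d in known_devices.items()}
    alerts = []
    for a in attempts:
        if not a.ok:
            continue
        seen = known.setdefault(a.user, set())
        if a.device not in seen:
            alerts.append((a.user, a.device, a.ip))
            seen.add(a.device)
    return alerts


def likely_compromised(attempts, flagged_ips):
    """Accounts successfully logged into from a flagged source address."""
    return sorted({a.user for a in attempts if a.ok and a.ip in flagged_ips})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(rows)
    print("stuffing sources:", hits)
    print("new-device alerts:", new_device_alerts(rows, KNOWN_DEVICES))
    print("accounts to reset:", likely_compromised(rows, hits))
```

The two signals are complementary: the per-IP view catches the spray while it is happening and is what the ordered inbound/outbound traffic monitoring would feed, while the per-account device check catches the single successful takeover hidden among the failures (carl's account in the sample) and is what the ordered new-device notification would surface to the customer.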

Comment

The Romanian DPA does not typically publish full decisions, but this case stands out as more detailed, specifying corrective actions rather than general recommendations to ensure GDPR compliance through adequate technical and organizational measures.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

18.11.2024

Penalty for non-compliance with the GDPR

The National Supervisory Authority for the Processing of Personal Data completed, in October 2024, an investigation at the operator Altex România S.A. and found a violation of the provisions of art. 32 para. (1) lit. b) and of art. 32 para. (2) of Regulation (EU) 2016/679 (GDPR).

As such, the operator was fined 99,516 lei, the equivalent of 20,000 EURO.

The investigation was started as a result of the fact that Altex România S.A. sent two notifications to the National Supervisory Authority regarding the occurrence of personal data security breaches, as follows:

a) The operator was informed by email by a third party about the fact that some accounts of the operator's customers were published on a platform, the personal data of a very large number of concerned persons being affected, respectively: name, surname, email, altex.ro account password, information available in the customer account, such as delivery address, telephone no., order history, data related to the cards with which the online payment is made, communications in the relationship with the operator;

b) The operator found that it was the victim of a "credential stuffing" computer attack, through repeated attempts to validate passwords on some customer accounts for placing gift card orders; it was stated that the following personal data were affected, for an approximately significant number of concerned persons: identification data for logging into the customer account: name, first name, email address, customer account access password, financial data related to bank cards registered in the application/site.

During the investigation, it was found that the operator Altex România S.A. did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk presented by the processing, in order to prevent illegal access to the accounts of the operator's customers. This led to the unauthorized access to the personal data of a very large number of the operator's customers by means of two distinct computer attacks involving the taking over of some accounts.

At the same time, pursuant to art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the following corrective measures were ordered:

- The technical and procedural implementation of the following measures to reduce the risk of breaching the confidentiality of personal data through a computer attack on the authentication platforms in customer accounts on all managed e-commerce sites/applications: new device login notification, display of the devices logged into the account, complexity policy and password history on all customer accounts with a pre-set expiration interval;

- Technical and procedural implementation of a system for monitoring incoming and outgoing Internet traffic (inbound/outbound) executed on authentication platforms in customer accounts on all managed e-commerce sites/applications.

Legal and Communication Department

A.N.S.P.D.C.P.