Garante per la protezione dei dati personali (Italy) - 10013321

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 32 GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.04.2024
Published:
Fine: 25,000 EUR
Parties: n/a
National Case Number/Name: 10013321
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: im

The DPA fined a processor €25,000 for not deleting a backup copy containing the personal data of over 22,000 users after a system update and for protecting user passwords with the MD5 algorithm, which is not cryptographically robust.

English Summary

Facts

The Rome Chamber of Commerce (‘the Chamber’ or ‘controller’) notified the DPA that it had been the victim of a cyber-attack. The attack resulted in the manipulation of the users of its application database; the purpose was to upload malicious files which then enabled remote access to the system. The controller learned about the attack through the publication of an anonymous tweet mentioning the Chamber and denouncing the attack on its website.

Subsequently, Innova Camera (the processor in charge of managing the Chamber’s website) was informed of a link to a CSV file from which it was possible to download a list of 22,300 users. The personal data affected included names, surnames, tax codes, e-mail addresses, landline or mobile telephone numbers, and access and identification data.

The DPA’s investigation of the notified personal data breach revealed several vulnerabilities in the processor’s security measures.

Firstly, the personal data concerned was not found on the institutional website but in a database consisting of a backup copy of the appointment management system. The backup was created during a system upgrade. However, it was not deleted after the period necessary to verify the functioning of the new system. The controller acknowledged that this copy was supposed to be deleted earlier, as the work on the system update was nearing completion. However, due to the health emergency at that time, the controller had to reschedule all priorities in order to keep providing services to users.

Secondly, the passwords of users registered in the appointment management system were stored in a file which was the object of the cyber-attack. The passwords in the file were protected with the MD5 hashing algorithm which, according to the DPA, is not cryptographically robust.

Holding

The DPA's decision adopted in the case at issue concerns the processor.

The DPA first recalled that under Article 5(1)(e) GDPR, personal data undergoing processing must be kept in an identifiable form only for as long as necessary for the purposes for which it is processed. Following the upgrade of the system, the backup copy containing the personal data of more than 22,000 users was still present in the system. The controller itself confirmed that it was no longer necessary to store the personal data relating to the appointment management service. Therefore, a violation of the principle of storage limitation was found.

Moreover, based on the identified vulnerabilities in the system’s security measures, the DPA found a violation of the principle of integrity and confidentiality and of the security obligations under Articles 5(1)(f) and 32 GDPR. It stated that in the present case the protection of the passwords was not cryptographically robust and effective for these purposes. In fact, serious vulnerabilities of the MD5 algorithm have been known for several years that make it possible to recover, starting from a hash value, the password that generated it.

In addition to the serious weaknesses, the DPA underlined that it is not sufficient to set up the security measures when the service is designed. The controller should also assess the adequacy of these measures over time. In fact, Article 32(1) GDPR expressly identifies, among other things, encryption as a suitable security measure and requires that the effectiveness of the technical and organisational measures adopted is regularly assessed.

The DPA noted that, because of the common habit of many users to reuse the same password, or a similar one, for different online services, account must be taken of the high risks arising from unauthorised access to such data. Therefore, the controller should have continually assessed the adequacy of the measures adopted over time, also in the light of technological development.

In light of this, the DPA found that the processor violated Article 5(1)(e), (1)(f) and Article 32 GDPR. For these violations, the processor was fined €25,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10013321]
Provision of 11 April 2024
Register of measures
n. 198 of 11 April 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councillor Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/ EC, General Data Protection Regulation (hereinafter, Regulation);
HAVING REGARD TO Legislative Decree 30 June 2003, n. 196, containing the Code regarding the protection of personal data (hereinafter, Code);
HAVING REGARD to regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and on www.garanteprivacy.it, doc. web no. 9107633 (hereinafter "reg. of the Guarantor no. 1/2019");
HAVING SEEN the documentation in the documents;
GIVEN the observations made by the general secretary pursuant to art. 15 of the reg. of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data (web doc. no. 1098801);
SPEAKER Prof. Pasquale Stanzione;
PREMISE
1. The preliminary investigation activity.
On XX, the Chamber of Commerce, Industry, Crafts and Agriculture of Rome (hereinafter, Chamber of Commerce) notified the Guarantor, pursuant to art. 33 of the Regulation, a violation of personal data, which occurred between XX and XX, caused by a "cyber attack (SQL Injection type) on one of the components used by the CMS (Content management system) application environment provided by the company ISWEB spa, as part of the service dedicated to the institutional portal of the Chamber of Commerce".
In particular, the Chamber of Commerce stated that it "was the victim of a cyber attack on the Isweb CMS which exploited the vulnerability of the application environment based on a parameter that can be used via a SQL Injection GET call. The attack allowed access to the application database, with the subsequent manipulation of application users for the purpose of loading malicious files onto the filesystem for remote access to the system (backdoor)", declaring that it had become aware of the violation of personal data through the "publication of a tweet mentioning the Rome Chamber of Commerce by an account attributable to Anonymous, which reported an attack on the organisation's institutional website. The tweet and a blog post by Anonymous referred to a fictitious news story published by the same hackers."
Subsequently, on XX, the Chamber of Commerce provided some additional elements to the aforementioned notification, representing that "Innova Camera [...], responsible for managing the institutional site, [...] reports that "On XX, at 1:50 pm, the Innova Camera Company detected a tweet, attributable to "Lulzsecita", which published csv files of data, calling them "Company Register"" and that "on the same XX, at 2:51 pm, the General Director of Innova Camera received a communication from CNAIPIC [...] which reported the online presence of a link to a csv file where it was possible to download the list of approximately 22 thousand users and defined the attack as "probably of the SQL Injection type against the server". This attack, continues the CNAIPIC, "was a means through which the attackers probably planted a backdoor".
In the same note, the Chamber of Commerce also declared that:
for the management of its institutional website - within which the appointment management system involved in the violation of personal data was located - it uses, as data processors, ISWEB S.p.A. and Innova Camera – Special company of the Rome Chamber of Commerce, Industry, Crafts and Agriculture for innovation (hereinafter, Company or Innova Camera);
“According to what Innova Camera reports, the csv file of data being published “can be traced back to a backup database, not exposed to the web, stored on the same server that suffered the attack through the ISWEB CMS already detected on 15 June 2019. The database in question refers to a backup copy of the XX of the application that manages appointments [...], which was carried out before the migration of the application itself to another server in order to optimize hardware resources. It is made up of 22,334 records of registered users who, through user names and passwords obtained following registration, accessed a system that allows them to make an appointment online [...]". Innova Camera, in the report referred to above, also reports that the CNAIPIC has reported risks for two other web resources: a chat module forming part of the ISWEB application, which is devoid of content, and a system called Ariannaweb, used for consultation of the historical archive of the Chamber of Commerce. These resources are located on a different server than the one subjected to the primary attack. As a precaution, Innova Camera has ordered the deactivation of all services and inhibited access to the server from the web";
the violation of personal data would therefore have concerned "personal data (name, surname, tax code)", "contact data (email address, landline or mobile telephone number)", as well as "access and identification data (username, password encrypted in MD5)”;
“An application vulnerability of this CMS allowed malicious users to carry out the attack and insert backdoors that allowed remote access to the system and the webserver and enabled the attackers to steal the data of the mentioned backup database, not exposed to the web, resident on the same server as the CMS subject to the violation";
“the publication on XX of the csv file, relating to a backup copy of the application that manages the online appointment system of the Rome Chamber of Commerce, led to the dissemination of the personal data of approximately 22,300 users”.
With a note dated XX, the Chamber of Commerce, in response to a request for information dated XX sent pursuant to art. 157 of the Code, specified that "the password was freely chosen by the user upon registration. If the user wished to change their password, they could use the "password recovery" function and receive a link on their e-mail address".
At the end of the investigation carried out, given the particular complexity of the technological profiles that emerged during the investigation, it emerged that:
the passwords of the users registered with the appointment management system in question were stored in a file contained on the server subject to the cyber attack, following the use of a hashing algorithm, namely the MD5 algorithm, which is not robust in cryptographic terms. The aforementioned hashing algorithm is in fact not an effective measure for protecting user passwords, as serious vulnerabilities in the MD5 algorithm have been known for several years which make it possible to recover, starting from a hash value, the password that generated it;
the aforementioned backup copy of the personal data of the users registered with the reservation management service should have been deleted at the end of the application migration activities, or, in any case, within a period appropriate to the need to guarantee a possible restoration of the data in case of malfunctions or security incidents.
Finally, with a note dated XX, the Chamber of Commerce, in response to a request for information dated XX by this Authority, added, in particular, that:
“As for Innova Camera, which as mentioned, is not a company, but a Special Agency of the Chamber of Commerce, an instrumental body established pursuant to art. 2 of Law 29 December 1993, n. 580 and subsequent amendments and art. 21, paragraph 2, letter f) of the Chamber Statute, the appointment as data processor was made as a consequence of the tasks entrusted to it, within the institutional purposes of the Chamber, set out in art. 3 “Activities” of the Organization Regulations”;
“the violated data was not found on the institutional website, but rather in a database consisting of a back up copy of the application that manages appointments which was violated as it resides on the same server on which the Isweb CMS was located, which suffered the primary attack”;
“The backup copy subject to the violation was created by the Innova Camera Special Company in September XX, on an extraordinary and one-off basis, as part of a series of activities aimed at optimizing the resources present on the servers and which also included moving the appointment system to a different server. […] Although this copy was to be kept only for the period necessary to verify the functioning of the appointment system on the new server, it was not promptly deleted. In XX, as the work for the online release of the new institutional site was nearing completion, the Innova Camera Special Company had planned the transfer of information, the reconfiguration of the applications and, consequently, also the deletion of all previous information, which would also include that backup copy. In fact, the online release of the new institutional website was scheduled for the month of April XX. Unfortunately, the difficulties created by the onset of the health emergency have forced both the Chamber and the Innova Camera Special Agency which, as mentioned, is an instrumental body of the Institution, to reprogram all priorities, limiting the presence in the offices and concentrating efforts on ensuring the carrying out of institutional activities which cannot otherwise be postponed to provide services to users. These circumstances inevitably led to delays which the attackers exploited for their own purposes."
With the same note, the Chamber of Commerce also produced, among other things, the deed confirming the appointment of the Company as data processor, pursuant to art. 28 of the Regulation, and the related organizational regulation.
2. The initiation of the procedure for the adoption of corrective and sanctioning measures, pursuant to art. 166, paragraph 5, of the Code.
Preliminarily, it should be noted that based on the documentation collected, it emerged that the data controller, pursuant to articles. 4, no. 7), and 24 of the Regulation, was the Rome Chamber of Commerce, on whose behalf the Company carried out the processing, pursuant to art. 28 of the same Regulation, on the basis of the relevant appointment document acquired in documents.
Therefore, in relation to the checks carried out, on the basis of the elements acquired and the facts that emerged following the preliminary investigation, as well as the subsequent assessments, the Office, with note dated XX, notified the Company of the start of the procedure for the adoption of the corrective and sanctioning measures referred to in the art. 58, par. 2 of the Regulation, having ascertained, in the matter in question, the existence of violations of the relevant regulations regarding the protection of personal data. With the same note, the Company was notified of the violations carried out (pursuant to art. 166, paragraph 5, of the Code), inviting it to send defensive writings or documents and possibly to request to be heard by this Authority, within the term of 30 days (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law 689/1981).
From the investigation carried out, it was established that the violation of personal data notified to the Authority concerned personal data that "were not found on the institutional website, but rather in a database consisting of a backup copy of the application that manages appointments", which "backup copy subject to infringement had been created by the Special Company Innova Camera in September XX, on an extraordinary and one-off basis". In particular, "The backup copy subject to the violation was created by the Innova Camera Special Company in September XX, on an extraordinary and one-off basis, as part of a series of activities aimed at optimizing the resources present on the servers and which also included moving the appointment system to a different server.”
In particular, it emerged that, at the time the personal data violation occurred, the passwords of users registered with the appointment management system were stored in a file created by the Company and contained on the server subject to the cyber attack, following the use of a hashing function (MD5) that is not cryptographically robust and is not an effective measure for these purposes.
Furthermore, considering that the personal data subject to the violation represent "a backup copy of the XX of the application that manages appointments [...], which was carried out before the migration of the application itself to another server in order to optimize the hardware resources", it emerged that, "Although this copy should have been kept only for the period necessary to verify the functioning of the appointment system on the new server, it was not promptly deleted".
On the contrary, this backup copy of the personal data of users registered with the booking management service should have been deleted at the end of the application migration activities, or, in any case, within a period appropriate to the need to guarantee any data restoration in case of malfunctions or security incidents.
It emerges, therefore, that the choices made in this case are to be attributed to the Company, within the sphere of discretion granted to the data processor on detailed aspects concerning the technical and organizational measures (in this regard, see the Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted by the European Data Protection Board on 7 July 2021, spec. [...]). With reference to the aforementioned profiles, the processing carried out by Innova Camera was therefore:
in violation of the principle of limitation of conservation (art. 5, par. 1, letter e), of the Regulation);
in violation of the principle of integrity and confidentiality (art. 5, par. 1, letter f), of the Regulation);
in violation of safety obligations (art. 32 of the Regulation).
3. Defensive activity.
With a note dated XX, the Company sent its defense writings, representing that:
“Due to the aforementioned primary attack on the ISWEB CMS […], in fact, it was possible to exfiltrate the data contained in the database which […] was a backup copy made in XX in relation to the migration activity to the new server, to avoid the risk of information being lost. The copy was in fact created as part of the management activities of the chamber of commerce portal, organized by Innova Camera and aimed at optimizing the resources present on the servers. Although the migration activity had been successfully completed and therefore no anomalies had been detected that would have justified storing the file further for checks, due to a simple oversight, the copy was not deleted. In short, cyber criminals - taking advantage of an unknown vulnerability in the application provided by ISWEB - violated the server on which - in addition to the CMS - a backup, dating back to XX, containing data relating to the appointment platform was still erroneously stored";
“As soon as it became aware of what had happened, Innova Camera promptly took action by implementing the activities listed below: a) request to ISWEB for a timely report on the incident; b) provision for the immediate blocking of user accounts. On this point it should be noted that in any case, at the time of the attack, it was not possible to exploit the hashes of the passwords found in the backup copy to access the appointment system since the service was not active; c) immediately informing the Chamber of Commerce and its Data Protection Officer of the information learned; d) deletion of the backup copy from the published appointment system; e) request for verification on the server regarding the presence of anomalies and modification of the access keys by the supplier; f) request to Twitter to remove the post, in addition to providing the most appropriate collaboration with CNAIPIC in the investigation phase; g) arranging for the publication of the new Chamber of Commerce website and all services relating to the rm.camcom.it CMS on a new server, different from the one that suffered the attack, and conducting a manual check of all files and databases to eliminate any anomalies”;
“Following the purely technical checks, the Special Agency took care, on behalf of the Chamber of Commerce, of informing the interested parties of what happened by sending, on XX, an email to each of the 22,334 interested parties affected by the violation of the personal data by also providing a contact number to manage all possible requests for clarification. Specifically, it should be noted that requests for clarification were received from some interested parties which were promptly processed. A few days later, following the request for information addressed by this Authority to the Chamber of Commerce with which it was believed that the communication to interested parties should be integrated, Innova Camera sent a further communication to each interested party containing the recommendation to no longer use the password compromised and to proceed with changing the access credentials to any other online service if they coincide or are similar to those subject to the violation".
Furthermore, with reference to the specific findings made by the Office, relating to compliance with the regulations on the protection of personal data, the Company observed the following:
on the violation of the principle of limitation of conservation (art. 5, par. 1, letter e) of the Regulation): "the file still resided on the server subject to the violation due to a human error since, although the migration to the new server was completed without reporting any malfunction, the backup copy was not removed. The copy in question had in fact been created on a completely extraordinary basis and should have been deleted after verification of the correct migration activity and therefore before the period of full application of the GDPR";
on the violation of the principle of integrity and confidentiality (art. 5, par. 1, letter f), of the Regulation):
“Although it was a copy that should have been deleted, it was not accessible to users of the site but only to administrators as it was present on the server and not exposed on the web. Unfortunately, the attack aimed at the ISWEB CMS also involved the file containing user data since the attackers, after stealing the access credentials from an ISWEB administrative user, inserted backdoors that allowed remote access to the system and the webserver”;
“With reference to the MD5 hashing algorithm, […] the appointment system dates back to XX, a time before the entry into force of the European Data Protection Regulation. According to the evaluations carried out at that time, the algorithm in question was considered a valid password obfuscation mechanism. […] On the other hand, the correct evaluation is one carried out ex ante in practice and not ex post, since otherwise, in the presence of a violation, any choice would necessarily be considered inadequate. In any case, it is also specified that the new appointment system, in compliance with the principle of data minimization, has been designed in such a way as not to provide for any authentication".
on the violation of security obligations (art. 32 of the Regulation): “In this regard, it is specified that the undersigned Azienda Speciale, following the full application of the European Regulation on the protection of personal data, proposed […] the implementation of a higher level of protection on servers using a hardware firewall. As a result, the Fortinet Fortigate 30E firewall was installed.”
With reference to the evaluation elements referred to in art. 83, par. 2 of the Regulation, the Company has highlighted that:
“the data subject to the violation are of a common nature […] and […] refer to 22,334 interested parties who booked an appointment on the rm.camcom.it website”;
the conduct is "culpable [...] as it was a human error, since the backup should have been removed after verifying the correct migration activity and therefore before the full application of the GDPR";
“immediately after the fact and with the aim of mitigating the consequences of the violation, Innova Camera proceeded to request Twitter to remove the post and at the same time requested ISWEB S.p.A. the blocking of all users";
“Innova Camera, on behalf of the Chamber of Commerce, promptly took action by sending a new communication to all interested parties involved in the violation of personal data containing the recommendation to no longer use the compromised password and to proceed with changing the access credentials to any other online service if coinciding or similar to those subject to violation";
“the violation did not concern “particular” categories of data or data “relating to criminal convictions and crimes” but rather personal data (name, surname, tax code), contact data (email address, landline or mobile telephone number) and access and identification (username and password hash)”;
“Innova Camera, in its capacity as data processor of the Chamber of Commerce, promptly contacted ISWEB S.p.A. as soon as it became aware of the publication of the tweet first and of the communication from CNAIPIC immediately afterwards. […] Innova Camera also informed the Chamber of Commerce of the incident via informal channels on the same XX and with a written report the following day, providing maximum collaboration in the management of the incident and in the preparation/sending of the respective communications to the Guarantor Authority and the interested parties”;
had sent a specific communication to the interested parties in order to address "a further recommendation to the interested parties regarding the modification of the access credentials".
Finally, during the hearing held via videoconference on XX, the Company, in addition to reiterating what was already stated in the documents, specified, in particular, that:
"the Company believes itself to be the victim of a criminal cyber attack [...] before the migration process towards a new infrastructure was completed, initially scheduled for April XX and not carried out on that date also due to the epidemiological emergency period";
“the file containing such personal data was not intended for publication and the passwords present therein were protected with cryptographic techniques, the strength of which must be assessed with reference to the time in which they were adopted (XX) and in which the aforementioned backup was carried out (XX)”;
"in the approximately two years since the event, no reports, citations or requests for compensation for damages have been received from the interested parties".
4. The legislation regarding the protection of personal data.
As a preliminary point, it is stated that, although the conduct which is the subject of the investigation by this Authority began before the date of full application of the Regulation (September XX, date of creation of the backup copy subject to infringement), for the purpose of determining the applicable rule from a temporal point of view, the principle of legality referred to in art. 1, paragraph 2, of Law no. 689 of 24 November 1981 must be recalled, which, in providing that "Laws that provide for administrative sanctions are applied only in the cases and times considered therein", asserts the recurrence of the principle of tempus regit actum. The application of this principle determines the obligation to take into consideration the provisions in force at the time of the violation. In the case in question, this moment - considering the permanent nature of the contested conduct - must be identified as the moment of cessation of the illicit conduct, which from the investigation documents appears to have continued at least until the month of June XX, i.e. after 25 May 2018, the date on which the Regulation became fully applicable.
Having said this, it is highlighted that the personal data being processed must be stored in a form that allows the identification of the interested parties for a period of time not exceeding the achievement of the purposes for which they are processed (principle of storage limitation, referred to in art. 5, par. 1, letter e), of the Regulation); furthermore, the data controller and data processor are required to adopt adequate technical and organizational measures to guarantee a level of security appropriate to the risk, taking into account the state of the art and implementation costs, as well as the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons (principle of integrity and confidentiality and security obligations, referred to in Articles 5, paragraph 1, letter f), and 32 of the Regulation).
With reference to the figure of the data processor, art. 28 of the Regulation establishes, in particular, that “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor: […]; c) takes all measures required pursuant to Article 32; […]; f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of processing and the information available to the processor; […]” (par. 3).
5. Outcome of the preliminary investigation.
In general terms, the arguments put forward in the defense writings, although worthy of consideration, do not allow us to overcome the findings notified by the Office with the initiation of the proceedings and are insufficient to allow the dismissal of this proceeding against the Company, since none of the cases provided for in art. 11 of the Guarantor's regulation no. 1/2019 on internal procedures with external relevance applies.
With reference to the specific findings made in the act of initiating the procedure aimed at adopting corrective and sanctioning measures, in relation to what was argued by the Company the following is observed:
on the violation of the principle of limitation of conservation (art. 5, par. 1, letter e), of the Regulation): the Company itself confirmed that it is no longer necessary to conserve the personal data of interested parties, relating to the appointment management service, within the backup copy made in the XX, admitting that this, having not been deleted - as it should have - following a migration activity towards a new server, was still present in the systems at the time it occurred violation of personal data (June XX);
on the violation of the principle of integrity and confidentiality and of security obligations (art. 5, par. 1, letter f), and 32 of the Regulation): in this regard, it should be borne in mind that the Regulation, which entered into force on 25 May 2016 and which became applicable on 25 May 2018, introduced (also for the data controller) the obligation to adopt adequate measures to guarantee the security of the processing: in particular, art. 32, par. 1 of the Regulation, among other things, expressly identifies encryption as one of the possible security measures suitable for guaranteeing an adequate level of security and requires that the effectiveness of the technical and organizational measures adopted be regularly evaluated, in order to ensure their update that also takes into account the state of the art and the specific risks to the rights and freedoms of the interested parties.
In the case in question, on the one hand, it must be considered that, already at the time when the appointment management service of the Chamber of Commerce (XX) was made operational, serious vulnerabilities in the MD5 hashing function capable of allow you to trace, starting from a hash value, the password that generated it. On the other hand, the high risks presented by the processing of such data which derive from unauthorized access to them or their disclosure must be taken into account, also due to the habit of many users of reusing the same password for different online services or , however, to use a password very similar to those used for other online services.
This means that the assessment of the adequacy of the measures adopted by the Company cannot be crystallized at the moment in which the processing connected to the service was designed (XX) but must be continuously carried out over time, also in light of the technological development in so as to mitigate the risks deriving from personal data breaches such as the one that occurred in June XX.
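The two storage methods contrasted by the Garante, as an added illustration that is not part of the decision: the weak scheme (a bare, unsalted MD5 digest, identical for identical passwords) beside a hardened one using a per-user random salt and the memory-hard scrypt KDF, together with the periodic check that the "continuous assessment" described above calls for, i.e. counting records still stored under the weak scheme and re-hashing them transparently on the next successful login. The algorithm, parameters, record format and the sample user table are assumptions of this example; the decision names none of them.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# Constructed sample user table (not from the decision): one record still
# stored as an unsalted MD5 digest, the weak scheme the Garante criticised.
LEGACY_USERS: Dict[str, str] = {"alice": hashlib.md5(b"correct horse").hexdigest()}
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # illustrative cost settings


def legacy_md5_store(password: str) -> str:
    """Weak scheme: fast, unsalted; equal passwords give equal digests, so
    precomputed tables and bulk guessing apply directly."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme (assumed here): random per-user salt plus a memory-hard
    KDF, stored as scrypt$<salt-hex>$<hash-hex>."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${dk.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    scheme, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def is_legacy_hash(stored: str) -> bool:
    return bool(MD5_HEX.match(stored))


def login_and_migrate(users: Dict[str, str], username: str, password: str) -> bool:
    """Verify a login; a record still held as a bare MD5 digest is re-hashed
    with the hardened scheme as soon as the user proves the password."""
    stored = users.get(username)
    if stored is None:
        return False
    if is_legacy_hash(stored):
        if not hmac.compare_digest(legacy_md5_store(password), stored):
            return False
        users[username] = scrypt_store(password)
        return True
    return scrypt_verify(password, stored)


def legacy_count(users: Dict[str, str]) -> int:
    """Periodic check: how many records still rely on the weak scheme."""
    return sum(is_legacy_hash(h) for h in users.values())
```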
6. Conclusions.
In light of all the assessments mentioned above, the declarations made by the Company in the defense writings and at the hearing, although worthy of consideration for the purposes of evaluating the conduct, do not allow us to overcome the main findings notified by the Office with the act initiating the procedure for the adoption of the measures referred to in article 58, par. 2, of the Regulation and are insufficient to allow the dismissal of this proceeding, as none of the cases provided for by art. 11 of the Guarantor's Regulation no. 1/2019 applies.
In this context, confirming the findings notified by the Office with the note of XX, it is noted that, in the matter in question, Innova Camera has committed the violation of:
a) the principle of storage limitation referred to in art. 5, par. 1, letter e), of the Regulation, with reference to the storage of personal data of users registered with the booking management service;
b) the principle of integrity and confidentiality and the security obligations referred to in Articles 5, par. 1, letter f), and 32 of the Regulation, with reference to the methods for storing user passwords.
In this framework, considering that measures have been adopted aimed at overcoming the critical issues described above, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation are not met.
7. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (art. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
In the present case, the Innova Camera Company appears to have violated art. 5, par. 1, letter e), of the Regulation, with reference to the storage of personal data of users registered with the booking management service, as well as Articles 5, par. 1, letter f), and 32 of the Regulation, with reference to the methods of storing user passwords, which entails the application of administrative pecuniary sanctions whose amount must be determined taking due account of the elements provided for by art. 83, par. 2, of the Regulation.
In this regard, art. 83, par. 3, of the Regulation is considered applicable, according to which if, in relation to the same processing or related processing operations, a data controller violates, with intent or negligence, several provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation (referred to in art. 83, par. 5, of the Regulation), thus absorbing the other less serious violations.
Therefore, the aforementioned violations are to be brought, pursuant to art. 83, par. 3, of the Regulation and art. 166, paragraph 2, of the Code, within the scope of the sanction provided for the most serious violation, with consequent application of the sanction provided for in art. 83, par. 5, of the Regulation.
With specific regard to the nature and severity of the violations, as well as the degree of responsibility of the Company and the categories of personal data involved (art. 83, par. 2, letters a), d) and g), of the Regulation), it is necessary to consider that the matter originated from access to a backup copy whose retention was no longer necessary and concerned the personal and contact data of users registered with the booking management service. Furthermore, it must be considered that the serious vulnerabilities that allow anyone to recover the password starting from a hash value have been known for some time, and that, therefore, secure storage through the use of state-of-the-art cryptographic techniques represents one of the measures commonly adopted to protect the passwords of users of an online service.
In light of these circumstances, it is believed that, in the present case, the level of severity of the violations committed by the Innova Camera Company is medium (Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted by the Committee on 23 May 2023, point 60).
In favor of the Company it is however necessary to consider, pursuant to art. 83, par. 2, letters b), c), e) and f), of the Regulation, that the violation relating to the storage of personal data of users registered with the booking management service is attributable to human error, and that the Company, in relation to which no previous relevant violations have been detected, promptly took action to mitigate the consequences of the personal data breach, requesting the blocking of users and the removal of the data published online, provided its collaboration to the data controller and, as part of its cooperation with the Authority, sent a further recommendation to the data subjects involved in order to remedy the violation and mitigate its possible negative effects.
On the basis of the aforementioned elements, evaluated as a whole, and of the Company's ordinary financial statements, it is decided to set the amount of the pecuniary administrative sanction, deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the Regulation, as follows:
in the amount of 10,000 (ten thousand) euros for the violation of art. 5, par. 1, letter e), of the Regulation;
in the amount of 15,000 (fifteen thousand) euros for the violation of Articles 5, par. 1, letter f), and 32 of the Regulation.
It is therefore believed that it is necessary to determine the total amount of the pecuniary sanction imposed on the Innova Camera Company in the amount of 25,000 (twenty-five thousand) euros in relation to the set of violations previously described.
Taking into account that the violations committed allowed access to and exfiltration of the personal data of a large number of data subjects, subsequently published on the web, it is also believed that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor's Regulation no. 1/2019, should be applied.
Finally, it is noted that the conditions set out in art. 17 of the Guarantor's Regulation no. 1/2019 are met.
ALL THE ABOVE CONSIDERED, THE GUARANTOR
NOTES the unlawfulness of the conduct carried out by Innova Camera - Special Agency of the Rome Chamber of Commerce, Industry, Crafts and Agriculture for Innovation, described in the terms set out in the reasoning, consisting in the violation of Articles 5, par. 1, letters e) and f), and 32 of the Regulation;
ORDERS
Innova Camera - Special Agency of the Rome Chamber of Commerce, Industry, Crafts and Agriculture for Innovation, in the person of its legal representative pro tempore, with registered office in Via de' Burrò, 147, 00186 Rome (RM), C.F. 10203811004, to pay the sum of 25,000 (twenty-five thousand) euros as a pecuniary administrative sanction for the violations indicated in the reasoning. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;
ENJOINS
Innova Camera - Special Agency of the Rome Chamber of Commerce, Industry, Crafts and Agriculture for Innovation, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 25,000 (twenty-five thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts in accordance with art. 27 of Law no. 689/1981;
DIRECTS
pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the Guarantor's website, and considers that the conditions set out in art. 17 of the Guarantor's Regulation no. 1/2019 are met.
Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree 1 September 2011, no. 150, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Messina, 11 April 2024
THE PRESIDENT
Stanzione
THE RAPPORTEUR
Stanzione
THE GENERAL SECRETARY
Mattei