Garante per la protezione dei dati personali (Italy) - 10063782

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 25 GDPR
Article 33(3) GDPR
Type: Investigation
Outcome: Violation Found
Started: 17.08.2023
Decided: 04.07.2024
Published:
Fine: 900,000 EUR
Parties: Postel S.p.A.
National Case Number/Name: 10063782
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a subsidiary of Poste Italiane €900,000 after a data breach led to the disclosure of employees' data. The controller did not resolve two vulnerabilities in its IT system, even though they had been known for almost a year.

English Summary

Facts

The controller is a subsidiary of Poste Italiane, Italy's main postal services company.

In August 2023, an unauthorised party gained access, in a ransomware attack, to the controller's servers, which contained data on the controller's employees and job applicants (around 25,000 data subjects).

These files, which were later published on the dark web, contained not only names, surnames and dates of birth, but also data relating to the data subjects' trade union membership and health, thus falling within the scope of Article 9 GDPR, and data relating to criminal convictions and offences (Article 10 GDPR).

On 17 August 2023, the controller notified the data breach to the DPA.

On 13 October 2023, the DPA asked the controller to provide further details about the data breach, arguing that the first notification lacked some of the elements required by Article 33(3) GDPR.

The controller pointed out that the data breach occurred due to two vulnerabilities in the IT system.

Holding

First, the DPA held that the notification lacked some of the elements required by Article 33(3) GDPR. The DPA pointed out that, as Recital 87 GDPR also indicates, the notification must contain adequate and exhaustive information about the data breach. According to the DPA, the purpose of such a notification is to allow the DPA to use its powers and restore a high level of protection of personal data.

In the case at hand, for example, the notification contained no information about which servers were affected or which vulnerabilities were used to access the system. Moreover, the controller did not mention any measure taken to mitigate the adverse effects of the data breach, even though Article 33(3)(d) GDPR requires this.

Therefore, the DPA found a violation of Article 33 GDPR.

Second, the DPA noted that the data breach was made possible by two vulnerabilities in the Microsoft Exchange platform, which allowed the unauthorised third party to access the server and set themselves up as an admin user.

The DPA also pointed out that Microsoft had reported these vulnerabilities several months before the breach, as had the Italian Cybersecurity Agency. However, the controller took no action to remediate them.

The DPA referred to the judgment of the CJEU in case C-340/21, Natsionalna agentsia za prihodite. On the one hand, the DPA pointed out that, as the controller had also noted, the CJEU had ruled that unauthorised access by a third party is not in itself sufficient to conclude that the technical and organisational measures were not appropriate (para. 39; see also C-687/21, MediaMarktSaturn, para. 40).

On the other hand, the DPA noted that in the same judgement, the CJEU ruled that, since the level of protection provided for by the GDPR is dependent on the security measures adopted by controllers, the latter must be encouraged to do everything in their power to prevent the occurrence of data breaches (C-340/21, Natsionalna agentsia za prihodite, para. 55).

According to the DPA, it is apparent that the controller did not do everything in its power, since the vulnerabilities had been reported almost 12 months earlier. Therefore, the DPA found a violation of Articles 5(1)(f), 25 and 32 GDPR.

On these grounds, the DPA imposed a fine of €900,000 and ordered the controller to implement internal procedures to detect and remediate vulnerabilities in its IT system in a timely manner.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 22 October 2024

[web doc. n. 10063782]

Measure of 4 July 2024

Register of measures
n. 572 of 4 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Mr Guido Scorza, lawyer, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

HAVING SEEN the personal data breach notified by Postel S.p.A. to the Authority on 17 August 2023, pursuant to art. 33 of the Regulation, supplemented several times by the Company, up to 4 October 2023, relating to a cyber attack on its systems;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. The breach of personal data and the investigation activity.

On 17 August 2023, Postel S.p.A. (hereinafter, the Company) notified the Guarantor, pursuant to art. 33 of the Regulation, of a breach of personal data, which was supplemented several times by the Company until the final version was sent on 4 October 2023.

With the aforementioned report, the Company communicated that it had suffered “a ransomware-type cyber attack which was subsequently claimed by the cyber gang called Medusa. This attack resulted in the blocking of some servers and some workstations [of the Company], with the consequent activation of recovery/restore procedures”.

In particular, the attack involved the exfiltration (and subsequent publication on the dark web) of files containing personal data relating to the company's workers (including terminated workers), workers' relatives, corporate office holders (members of the board of directors, the board of auditors and the supervisory body), job candidates, as well as representatives of companies having commercial relationships with the Company.

The Company was unable to restore some of the files present in its network folders and, consequently, the availability of those data was also lost.

Based on what was declared by the Company in the notification to the Guarantor, the breach affected, overall, approximately 25,000 data subjects and the categories of personal data subject to the breach were multiple: personal data; contact data; access and identification data; payment data; data relating to criminal convictions and crimes; data relating to identification/recognition documents; data revealing trade union membership; health data.

On 13 October 2023, since the final notification sent by the Company lacked elements deemed necessary for the Authority to exercise the tasks and powers provided for by the Regulation, the Company was asked for information regarding, in particular, the vulnerabilities used to carry out the attack and the information it had provided, as data processor, to the other controllers whose data had been involved in the breach.

On 23 October 2023, the Company responded to the Authority's request and, on that occasion, stated that:

“through the […] vulnerabilities [CVE-2022-41080 and CVE-2022-41082], the attacker, following penetration of the Company's systems, was able to create a user account which was simultaneously added to the domain administrators group, in order to obtain the persistence of the malicious actor on the company IT platform” (see note 23/10/2023 cit., p. 1);

“the perimeter of the security incident did not concern the production platforms dedicated to the provision of services to the Company's customers, but exclusively some systems used to carry out internal activities. Nevertheless, personal data processed by the Company in its capacity as data processor were exfiltrated relating to some documents, exceptionally present in the aforementioned systems used for the performance of internal activities, attributable to 22 [company] clients out of the total documents managed by the Company on behalf of approximately 4,000 clients” (see note cit., p. 1);

“the aforementioned clients were all made aware of the event by the undersigned through formal communications pursuant to art. 33, par. 2, GDPR” (see note cit., p. 2).

The Company provided the list of controllers, for which it acts as processor, involved in the data breach in question, which duly notified the personal data breach pursuant to arts. 33 and 34 of the Regulation.

It was also verified that the Company, for the breached data for which it acts as controller, communicated the breach to the data subjects involved, considering the risk to their rights and freedoms to be high.

2. The initiation of the procedure and the Company's deductions.

On 15 December 2023, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found, with reference to arts. 5, par. 1, letter f), 25, 28, par. 3, letter f), 32 and 33 of the Regulation.

On 12 January 2024, the Company submitted its defence papers and on that occasion highlighted that:

“Postel […] has equipped itself with a structured management system aimed at protecting the rights and freedoms of natural persons who could be impacted by the Data processing that it carries out” (see note 12/01/2024 cit., p. 1);

“with regard to the security profile of the Data, organizational and technical measures are implemented aimed at: - managing the risks of violation of the same; - implementing the actions required by the current legislation if violations nevertheless occur” (see note cit., p. 1);

“in the face of the Data violation suffered (the “Breach”), Postel has introduced all the actions necessary to: - comply with the provisions of Articles 33 and 34 of the […] Regulation […]; - mitigate as much as possible the impact of the Violation itself on the rights and freedoms of natural persons, as well as of other stakeholders involved” (see note cit., p. 2);

“Postel itself is the first victim of Medusa’s criminal conduct, given the very serious economic damages associated with the slowdowns of the technological infrastructure that were necessary to mitigate the consequences of the Violation, as well as the need to allocate a significant part of its human, economic and technological resources for a significant period of time to the management of the Violation itself” (see note cit., p. 2);

“has analyzed the events connected to the Violation […] and consequently reports that: - a series of additional organizational and technical measures are underway aimed at strengthening the security of the Data processed; - actions are being defined to strengthen its protocols for managing Data Violations pursuant to Articles 33 and 34 of the Regulation, also with regard to the management of relationships with any data controller clients, pursuant to Article 28, paragraph 3, letter f) of the Regulation” (see note cit., p. 3);

“Postel wishes to demonstrate its spirit of maximum cooperation with the Authority itself, declaring its willingness to adhere to any additional provisions that the Authority intends to recommend” (see note cit., p. 3);

“on the alleged insufficiency of the notification of the Violation […] Postel considers this assessment to be legally unfounded, as well as not corresponding to the facts, and therefore not acceptable. In fact, in fulfilling its obligations pursuant to art. 33 of the Regulation, Postel has filled in all the fields of the standard notification form on the institutional website of this esteemed Authority: this compilation, although complete, was necessarily synthetic in nature” (see note cit., p. 3, 4);

“furthermore, the information element of which this esteemed Authority contests the omission – that is, the type of vulnerabilities used by the attacker – is not expressly mentioned among the mandatory elements of the notification pursuant to the Regulation (not even in recital 87 cited by this esteemed Authority). Nor are explicit indications on the point found in the Code and/or in provisions of the European Data Protection Committee and/or of this esteemed Authority” (see note cit., p. 4);

“the contested omission of the information element indicated by [the] Authority is certainly not the result of a lack of transparency on the part of Postel […] in response to a subsequent specific request on the point by this esteemed Authority, Postel did not hesitate to provide all the information requested” (see note cit., p. 4, 5);

“the Authority’s statement that the notification sent by Postel did not indicate «[…] the details of the security measures that were applied to the systems involved in the attack […]» is not true, as the undersigned diligently filled in field F.9 […] of the standard notification form prepared by the Authority itself” (see note cit., p. 5);

“Postel intends to positively and proactively take note of the observations of this esteemed Authority, committing to implement awareness-raising activities, exercises and simulations relating to its own protocols for managing data breaches, especially with regard to the implementation of a greater level of detail and granularity of the information transmitted to the supervisory authority pursuant to art.33 of the Regulation. On this occasion, actions will also be implemented to reduce the management times of any Data breaches” (see note cit., p. 5);

“in the case in question, the management times are largely justified by the complexity and scope of the Breach itself […]. Moreover, the Breach occurred during the summer period of partial company closure, with consequent increased difficulty in activating contingency procedures” (see note cit., p. 5);

with regard to the dispute relating to the “failure to adopt measures to mitigate vulnerabilities” “the aforementioned vulnerability does not constitute the [root cause] of the Breach, to be identified solely and exclusively in the criminal action of Medusa. Consequently, a direct causal link cannot be found between the existence of the software vulnerability and the occurrence of the Breach” (see note cit., p. 6);

“the failure to remove the vulnerabilities in question did not derive from the absence of company procedures and protocols regarding “patch and vulnerability management” or from the inadequacy of the procedures and protocols themselves. In fact, a structured early warning process, detection and issuing of security critical alerts and scanning and patching of its information systems is implemented on Postel’s infrastructure. This process was also activated with regard to the aforementioned vulnerabilities and, in particular, following the early warning, they had been temporarily managed by applying workarounds. Unfortunately, however, due to a human error in the configuration of the scanning activities, the Exchange server subject to the attack had been excluded from the scan itself: this accidentally determined the failure to patch the aforementioned vulnerabilities, exclusively with regard to that system. Therefore, also with regard to the management of the aforementioned vulnerabilities, security measures compliant with the requirements of arts. 5, par. 1, letter f), 25 and 32 of the Regulation have been implemented, which only due to an isolated and unfortunate anomaly were unable to operate effectively” (see note cit., p. 7);

“it was deemed appropriate to implement actions to improve the corporate security posture and a structured action plan is therefore being implemented for this purpose […] it includes, among other things, the review and improvement of the management process of security critical alerts. Moreover, this Cybersecurity Improvement Plan is supported by a structured and pre-existing system of organizational and technical measures” (see note cit., p. 8);

regarding the dispute relating to the “lack of support to the data controllers by the data processor” “Postel believes these assessments to be different from the factual reality […]. [the statements of some controllers], made in the absence of cross-examination, do not come from impartial third parties, but from interested parties who would only benefit from the attribution to Postel alone of any failure and/or delay in fulfilling its obligations regarding the protection of personal data (primarily, those pursuant to Articles 33 and 34 of the Regulation). Moreover, such statements come from only three of the twenty-two Postel customers impacted by the Violation” (see note cit., p. 8);

“with regard to the controller Coop Italia S.p.A., its involvement in the Violation was communicated by Postel shortly after the relevant discovery, first informally and shortly thereafter by communication via PEC. On 22 September [2023], having completed the necessary analyses, Postel sent Coop Italia the detailed report relating to the Violation, without prejudice to the fact that in the meantime the channels of dialogue with the customer had always remained open […]. Moreover, even after the aforementioned report was sent, Postel remained at the controller's disposal for further requests for support" (see note cit., p. 9);

"as for the controller SAT S.p.A., in response to the first communication sent on 30 August [2023] and the requests for further clarification submitted by the same controller the following day, Postel provided the requested feedback after a few days, i.e. on 7 September [2023], and in any case after having completed the necessary investigative activities" (see note cit., p. 9);

"similar considerations can be made with regard to what was reported by the controller Nexi S.p.A., to whom Postel transmitted the relevant information pursuant to art. 28, par. 3, letter f) of the Regulation on 8 September [2023], i.e. as soon as the controller's involvement in the Violation was discovered, a circumstance that had not previously emerged given the fact that the analyses of the perimeter of the incident were still in progress. The discussions with this customer continued in the following days, with the production of a further detailed report on the dynamics of the Violation” (see note cit., p. 9);

“the times of transmission of the relevant information pursuant to art. 28, par. 3, letter f) of the Regulation by Postel to the three clients mentioned above were in no way due to inertia or lack of collaboration, but are attributable to the same technical times of analysis and collection of information, to be parameterized to the extent of the cyber attack perpetrated by Medusa” (see note cit., p. 9);

with reference to art. 83 par. 2 letter a) of the Regulation “the Violation is connected to the loss of confidentiality and availability of some Data held by Postel, caused by a cyber attack perpetrated by the professional cyber gang Medusa. The data subjects involved in the violation are approximately 24,800: however, only with regard to 2,161 data subjects (therefore equal to approximately 8.71% of the total) was a high level of risk for the rights and freedoms of natural persons detected, such as to determine the need to send a communication pursuant to art. 34 of the Regulation. As for the Data held by Postel as data processor, the Violation impacted the Data attributable to only twenty-two customers, compared to the total documents managed by Postel on behalf of approximately 4,000 customers” (see note cit., p. 10, 11);

with reference to art. 83 par. 2 letter b) of the Regulation “the Violation was caused by the cyber attack of a criminal nature maliciously perpetrated by Medusa […]. Consequently, no infringement of the Regulation can be attributed to Postel” (see note cit., p. 11);

with reference to art. 83 par. 2 letter c) of the Regulation “to mitigate the consequences of the Breach, the company procedure for managing IT security events and incidents was immediately activated, with: − opening of a ticket for managing the incident; − convening of the technical crisis unit; − carrying out continuous analyses relating to the dynamics and perimeter of the incident; − implementing actions to contain the attack; − sanitization and subsequent restoration of information systems. Furthermore, Postel has: − implemented communication, collaboration, support and assistance activities towards the interested parties (compliant, as also recognized by this esteemed Authority, with art. 34 GDPR), the clients (especially those for which Postel acts as data controller), as well as other relevant stakeholders; − filed a complaint with the competent police authorities” (see note cit., p. 11);

with reference to art. 83 par. 2 letter d) of the Regulation “at the time of the Breach, the following security measures (still in place) were implemented - among others - to protect information systems: − secure authentication procedures; − antivirus systems; − antimalware systems; − «Defender for Identity» type systems; − intrusion prevention systems; − firewall systems; − «security information and event management» procedures and systems; − backup procedures; − business continuity and disaster recovery procedures” (see note cit., p. 11, 12);

“subsequent to the Breach […] a Cybersecurity Improvement Plan was implemented which, with regard to the issue of vulnerability management, provides for the review and improvement of the management process of security critical alerts. In particular, the integration between scanning, asset management and trouble ticketing tools has been planned, ensuring that security tickets are automatically generated and forwarded to the competent function whenever the scanning systems detect a vulnerability that is the subject of a security critical alert, in order to allow its acceptance and resolution, which is governed by service level agreements agreed between the security and operational functions” (see note cit., p. 12);

“the […] Cybersecurity Improvement Plan includes the following additional improvement actions […]: - strengthening of awareness-raising activities for employees and organization of training courses on secure data management; - strengthening of the process of upgrading operating systems and middleware; - migration to cloud file sharing systems (SharePoint); - migration of email boxes still present on the on-premises system to the cloud platform” (see note cit., p. 12, 13);

“awareness-raising activities, exercises and simulations are being implemented regarding the protocols for managing data breaches, especially with regard to: - the implementation of a greater level of detail and granularity of the information transmitted to the supervisory authority pursuant to art. 33 of the Regulation; - assistance to any data controllers on whose behalf Postel acts as data processor” (see note cit., p. 13);

with reference to art. 83, par. 2, letter f), of the Regulation “since the Breach was detected, Postel has provided the widest cooperation to remedy the event itself and mitigate its possible negative effects […] Furthermore, Postel has notified this esteemed Authority pursuant to art. 33 of the Regulation and has promptly responded to its requests for clarification” (see note cit., p. 13);

with reference to art. 83, par. 2, letter g), of the Regulation “the Violation mainly concerned personal and contact data, as well as sometimes payment data and data relating to identification and/or recognition documents. In an even smaller number of cases, data revealing trade union membership and data relating to health were also impacted” (see note cit., p. 13);

with reference to art. 83, par. 2, letter h), of the Regulation “[t]he Authority became aware of the Violation as a result of the notification […] made by Postel itself pursuant to art. 33 of the Regulation immediately after the discovery of the Violation itself and subsequently the subject of integration” (see note cit., p. 13);

with reference to art. 83, par. 2, letter i), of the Regulation “there are no specific corrective measures already adopted by this esteemed Authority with reference to the specific violation contested” (see note cit., p. 14);

in relation to art. 83 par. 2 letter k) of the Regulation “[the violation to the Company] resulted in an economic loss” (see note cit., p. 14);

“the possible imposition of a pecuniary administrative sanction by this esteemed Authority would further aggravate the economic impact of the Violation on the undersigned, with potential prejudice also for the stakeholders in relation to the same (workers, suppliers, etc.)” (see note cit., p. 15).
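
The failure the Company describes above (an Exchange server dropped from the scanner's scope, so the vulnerabilities covered by a security critical alert were never patched on it) and the remedy it announces (scan findings matching a critical alert automatically raise a ticket governed by an SLA) can both be checked by reconciling asset management, scanner scope and the alert list. The following is an added example and is not the decision's or Postel's own tooling; the hostnames, products, the placeholder finding, the SLA values and the 1 August 2023 date are constructed, and only the two CVE identifiers come from the decision.

```python
# Added example, not the decision's or Postel's own tooling: reconciles the asset
# inventory against the scanner's actual coverage and turns findings that match a
# security critical alert into tickets with an SLA due date. Hostnames, products,
# the placeholder finding and the dates are constructed; only the two CVE ids come
# from the decision.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str  # software the asset runs, as recorded in asset management


@dataclass(frozen=True)
class Finding:
    hostname: str
    cve: str  # vulnerability the scanner reported on that host


@dataclass(frozen=True)
class Ticket:
    hostname: str
    cve: str
    due: date
    reason: str


# Constructed asset inventory (hypothetical hostnames).
INVENTORY = (
    Asset("exch01", "Microsoft Exchange Server"),
    Asset("web01", "Apache HTTP Server"),
    Asset("file01", "Windows Server"),
)
# Constructed scanner scope: exch01 is missing, reproducing the misconfiguration described.
SCANNED_HOSTS = frozenset({"web01", "file01"})
# Security critical alerts keyed by CVE id (from the decision); product mapping assumed.
CRITICAL_ALERTS = {
    "CVE-2022-41080": "Microsoft Exchange Server",
    "CVE-2022-41082": "Microsoft Exchange Server",
}
# Constructed scanner output; "CVE-0000-0001" is a placeholder, not a real CVE.
FINDINGS = (Finding("web01", "CVE-0000-0001"),)
# Remediation deadlines in days agreed between security and operations (assumed).
SLA_DAYS = {"critical": 7, "standard": 30}


def coverage_gaps(inventory, scanned_hosts):
    """Assets in the inventory that the scanner never examined."""
    return [a for a in inventory if a.hostname not in scanned_hosts]


def gaps_matching_alerts(inventory, scanned_hosts, alerts):
    """Unscanned assets whose product is named in a critical alert: the scanner
    cannot raise a finding for them, so scan output alone would never ticket them."""
    affected = set(alerts.values())
    return [a for a in coverage_gaps(inventory, scanned_hosts) if a.product in affected]


def tickets_from_findings(findings, alerts, today):
    """Every finding becomes a ticket; findings on a critical alert get the short SLA."""
    tickets = []
    for f in findings:
        if f.cve in alerts:
            due = today + timedelta(days=SLA_DAYS["critical"])
            tickets.append(Ticket(f.hostname, f.cve, due, "finding on security critical alert"))
        else:
            due = today + timedelta(days=SLA_DAYS["standard"])
            tickets.append(Ticket(f.hostname, f.cve, due, "scanner finding"))
    return tickets


def tickets_from_gaps(inventory, scanned_hosts, alerts, today):
    """Coverage gaps on alerted products get one ticket per alert, even with no finding."""
    due = today + timedelta(days=SLA_DAYS["critical"])
    return [Ticket(a.hostname, cve, due, "asset excluded from scan; matches critical alert")
            for a in gaps_matching_alerts(inventory, scanned_hosts, alerts)
            for cve, product in alerts.items() if product == a.product]


def reconcile(today, inventory=INVENTORY, scanned_hosts=SCANNED_HOSTS,
              alerts=CRITICAL_ALERTS, findings=FINDINGS):
    """Tickets from findings plus tickets from coverage gaps, earliest due date first."""
    tickets = tickets_from_findings(findings, alerts, today)
    tickets += tickets_from_gaps(inventory, scanned_hosts, alerts, today)
    return sorted(tickets, key=lambda t: (t.due, t.hostname, t.cve))


def run_example():
    """Runs the reconciliation on the constructed data for a constructed date."""
    return reconcile(date(2023, 8, 1))


if __name__ == "__main__":
    for t in run_example():
        print(f"{t.due}  {t.hostname:<8}{t.cve:<16}{t.reason}")
```

The point of the second check is that a host missing from the scan scope produces no finding at all, so a ticketing pipeline fed only by scanner output stays silent exactly where the exposure is greatest.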

On 31 January 2024, at the Company's specific request, the Company was heard. On that occasion, the party stated that:

“the Company is ISO9001 and ISO27001 certified”;

“the company policies on privacy, also by virtue of the public corporate composition of the group, are based on a complex structure, divided into 14 areas of intervention set out in specific group privacy guidelines that define roles, procedures and actions. In addition, starting from the GDPR, the Company has initiated a continuous improvement action on privacy which also involved staff training activities and targeted audits”;

“the Company believes that the event is not attributable to a structural and systemic problem, but to an isolated episode. For this reason, it is highlighted that the Company did not act based on a logic of advantage in the imperfect application of security measures, as the same did not generate any cost savings for the Company itself”;

“a recent ruling by the ECJ (case C-340 of 2021) […] established that the occurrence of a data breach is not proof in re ipsa of a structural inadequacy of the security measures implemented by the data controller”;

“with reference to the management of the data breach, it is highlighted that the attack entailed the need to carry out a manual and timely reconnaissance of the systems and data involved due to the extent of the violation. The analysis involved all company levels and required a significant amount of time”;

“to date, the Company is evaluating the implementation of specific training activities dedicated to data breaches to further raise staff awareness and improve the ability to respond in similar cases”;

“the Company, starting from the pandemic period and up to the recent war events and the atmospheric events that affected the Melzo plant, has been affected by adverse economic conditions. Furthermore, following the cyber attack suffered, the Company chose to block, for security reasons, the production systems and, consequently, some customers turned to other competitors”.

3. Outcome of the proceedings.

3.1 Established facts and observations on the legislation on the protection of personal data.

Following the examination of the elements acquired during the investigation and the Authority's subsequent assessments, based on the findings of the specific technical reports drawn up during the proceedings, it emerged that the Company engaged in conduct that is not compliant with the legislation on the protection of personal data.

In particular, it is established that the Company, despite the seriousness of the data breach it suffered, sent the Authority an incomplete notification of the breach; it was also ascertained that the Company did not comply with the data protection rules with regard to the security measures that it should have adopted, in the terms indicated below.

In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

Art. 5, par. 1, letter f), of the Regulation establishes that personal data must be "processed in a manner that ensures appropriate security of the personal data, including protection, through appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage".

In this regard, art. 32 of the Regulation, concerning the security of processing, establishes that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk […]” (par. 1) and that “when assessing the appropriate level of security, special account shall be taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (par. 2).

According to art. 25, par. 1, of the Regulation, the data controller “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, both at the time of determining the means of processing and at the time of the processing itself [must] implement appropriate technical and organisational measures, such as pseudonymisation, designed to implement data protection principles, such as data minimisation, effectively and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (principle of data protection by design).

Art. 25, par. 2, of the Regulation also provides that the data controller must "implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed" with reference to "the amount of personal data collected, the scope of the processing, the period of storage and accessibility", ensuring, in particular, "that, by default, personal data are not made accessible to an indefinite number of natural persons without the intervention of the natural person" (principle of data protection by default).

Art. 33 of the Regulation provides that “in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons […]” (par. 1) and “the notification referred to in paragraph 1 shall at least: (a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or another contact point where more information can be obtained; (c) describe the likely consequences of the personal data breach; (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects” (par. 3).

3.2 Confirmed violations.

3.2.1 Insufficiency of information contained in the notification of the breach.

It was first ascertained, also taking into account the findings of the specific technical reports drawn up by the Authority, that the Company, following a data breach that affected some servers and some workstations of the Company, made a notification of the breaches, pursuant to art. 33 of the Regulation, lacking the elements deemed necessary for the exercise, by the Guarantor, of the tasks and powers provided for by the Regulation.

Art. 33, par. 3, of the Regulation requires that the notification of a data breach, among the elements that it must necessarily contain, report, inter alia (“at least”), the description of the nature of the breach (including, where possible, categories and approximate number of data subjects, categories and approximate number of records of the personal data subject to the breach) as well as the description of the measures adopted or proposed to be adopted to remedy the breach and, if applicable, to mitigate its possible negative effects.

Paragraph 5 of the aforementioned article also provides that, in the event of any data breach, the data controller must document it, also keeping track of the “circumstances relating to it, its consequences and the measures taken to remedy it. Such documentation allows the supervisory authority to verify compliance with this Article”.

Recital 87 of the Regulation, referred to in the Guidelines 9/2022 on personal data breach notification under GDPR (adopted on 28 March 2023, see point 26), specifies in this regard that the notification of a data breach “may give rise to an intervention by the supervisory authority within the scope of its tasks and powers under this Regulation”.

From the literal wording of the aforementioned provisions as well as from their systematic reading, it clearly emerges that the notification provided for by art. 33 of the Regulation must contain suitable and comprehensive information in reference to the breach event. It is essential that the report includes all the information necessary to identify the characteristics of the IT incident that caused the data breach. These elements are necessary to allow the Guarantor, when a data breach occurs, to exercise its powers and to ascertain that the technological and organizational measures appropriate to the specific case have been implemented, also with a view to restoring an adequate level of protection of the personal data breached.

With regard to the report submitted by the Company, it is believed that it lacks such fundamental elements and, therefore, does not comply with the provisions of art. 33 of the Regulation: in particular, the report does not indicate the impacted servers (specifically the Exchange servers), the type of vulnerability exploited by the attacker and some elements regarding the kill chain of the attack. This information, absent in the first report, is not found in the subsequent integrations either, even though the integration activity of the original report covered a long period of time (between the first communication of 17/08/2023 until the sending of the final version, on 4/10/2023), so much so that the aforementioned activity inevitably led to the extension of the times for the verification, by the Authority, of compliance with the data protection regulations.

The mere compilation of “all the fields of the standard notification form on the Authority’s institutional website” (see defence documents of 12/01/2024, p. 4) with generic information (including, for example, “This attack resulted in the blocking of some servers and workstations”, see supplementary notification of 4/10/2023, section F.7), cannot in itself be considered a sufficient condition to provide adequate information in reference to the violation event, given the vagueness of the content of such information.

This also took into account the fact that, in indicating the measures applied to the systems at the time of the event (see section F.9 of the form), the Company did not make any reference to the patching activities of the indicated vulnerabilities, or to the mitigation/elimination actions of the vulnerability performed, but limited itself to listing the measures generically adopted (“The servers and endpoints were and are protected through authentication systems, antivirus, antimalware, defender for identity, IPS, firewall and SIEM. Backup and business continuity and disaster recovery systems are present”; see supplementary notification of 4/10/2023, section F.9).

The information relating to the type of vulnerability used by the attacker and the details of the security measures that were applied to the systems involved in the attack were provided, in fact, only in response to a specific request for information from the Authority (in particular, the request for information dated 13/10/2023).

The aforementioned Guidelines 9/2022 on personal data breach notification under GDPR clarify in this regard that, in any case, in addition to the information that the Regulation expressly requires the presence of, the data controller, having assessed the specific case, must proactively provide all the additional information necessary to fully explain the circumstances of each case of data breach (see point 54 “Article 33(3) GDPR states that the controller «shall at least» provide this information with a notification, so a controller can, if necessary, choose to provide further details. Different types of breaches (confidentiality, integrity or availability) might require further information to be provided to fully explain the circumstances of each case”).

For the reasons indicated, the conduct held by the Company does not comply with art. 33 of the Regulation.

3.2.2 Inadequacy of security measures: failure to adopt mitigation measures and vulnerability resolution.

It was also found that the Company did not conduct itself in compliance with the obligations set forth in the data protection regulations, in relation to the adoption of adequate technical and organizational measures to guarantee a level of security appropriate to the risk.

In particular, it emerged that the person who carried out the cyber attack against the Company exploited two vulnerabilities in the Microsoft Exchange platform (CVE-2022-41040 and CVE-2022-41082) used by the Company.

The combination of the aforementioned vulnerabilities, given their characteristics (the first allows the escalation of user privileges, the second allows the execution of remote code on the target machine of the attack), allowed, in general terms, an attacker to assume administrator privileges on the attacked machine and execute remote malicious code, thus taking full control of the platform.

In this case, as highlighted by the Company itself, the attacker, following penetration into the systems, was able to create a user account that was simultaneously inserted into the "domain administrators" group, in order to ensure the persistent possibility of conducting fraudulent activities on the Company's IT platform.

It is noteworthy that the aforementioned vulnerabilities had already been disclosed, in September 2022, by the Microsoft Security Response Center which had also published the appropriate mitigation actions; furthermore, in November 2022, Microsoft had made available the necessary updates to be made to the Exchange platform to overcome the vulnerabilities indicated (furthermore considering that they had been assessed as highly critical).

Moreover, even in Italy, several months before the event, the existence of the aforementioned vulnerabilities had been appropriately reported by the National Cybersecurity Agency (see the bulletin of the Computer Security Incident Response Team of the National Cybersecurity Agency of November 2022, https://www.csirt.gov.it/contenuti/vulnerabilita-0-day-in-exchage-server-al03-220930-csirt-ita).

Despite this, in August 2023, the month in which the Company suffered the cyber attack, it had not yet adopted on its systems any of the actions specifically recommended by Microsoft (“We recommend that customers protect their organizations by applying the updates immediately to affected systems”), having not carried out the necessary updates to the Microsoft Exchange platform.

For these reasons, having examined in detail the failure to adopt timely measures to protect against attacks on the Microsoft Exchange platform, having assessed the practical effect of the aforementioned failure on the processing actually carried out, the Company's conduct conflicts with the provisions of art. 5, par. 1, letter f), and art. 32 of the Regulation.

Furthermore, this conduct also conflicts with the principles of data protection by design and data protection by default pursuant to art. 25 of the Regulation, since the aforementioned measures, made known and duly announced to the audience of users of the Microsoft Exchange platform long before the data breach that affected the Company, fall precisely among the measures that a data controller must adopt to implement the principles of data protection and to integrate the necessary guarantees into the processing in order to meet the requirements of the Regulation, as well as to ensure that, by default, only the data necessary for each specific purpose of the processing are processed.

The assessment carried out by the Authority, therefore, was not limited to taking into account the occurrence, as such, of the data breach (which, as underlined by the Guidelines 4/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR, adopted on 24 May 2023, “does not necessarily imply a breach of the GDPR”, see point 5.6, note 37), but, starting from the data breach under investigation, it was verified whether the Company had adopted all those technical and organizational measures that could have avoided the breach of personal data.

In this regard, therefore, the Authority's actions were fully compliant with what was indicated in the ruling, referred to by the Company, of the Court of Justice of the European Union of 14 December 2023 (case C-340/21), in particular where it is specified, with reference to the measures referred to in art. 32 of the Regulation, that “the adequacy of such technical and organizational measures must be assessed in two stages. On the one hand, it is necessary to identify the risks of personal data breaches induced by the processing in question and their possible consequences for the rights and freedoms of natural persons. This assessment must be carried out in concrete terms, taking into account the degree of probability of the risks identified and their degree of severity. On the other hand, it is necessary to verify whether the measures implemented by the controller are appropriate to those risks, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of that processing” (point 42).

Furthermore, in the same judgment, the Court of Justice specified that “it is clear from the provisions of Article 5(2), Article 24(1) and Article 32(1) of the GDPR that the burden of proving that personal data are processed in such a way as to ensure their appropriate security within the meaning of Article 5(1)(f) and Article 32 of that regulation lies with the controller in question” (point 52), and again on the point, “on the one hand, since the level of protection referred to in the GDPR depends on the security measures adopted by the controllers of the processing of personal data, the latter must be induced, bearing the burden of demonstrating the adequacy of those measures, to do everything possible to prevent processing operations that do not comply with that regulation” (point 55).

From the examination of the statements and the documentation produced by the Company, it is clear that the Company did not do everything it could to avoid the data breach, considering that, as already widely clarified, the Company did not adopt those publicly disclosed mitigation measures that Microsoft, first and foremost, and, at national level, the National Cybersecurity Agency had strongly recommended.

In this regard, it is noted that what has been stated by the Company cannot be considered suitable to justify its failure to update its systems in a complete and timely manner.

In fact, the Company's statement that "due to a human error in the configuration of the scanning activities, the Exchange server that was the object of the attack was excluded from the scan itself" is of no value (see defense documents of 12/01/2024, p. 7): given the criticality of the vulnerabilities in question (assessed, as already noted, by Microsoft as high risk for the loss of integrity, availability and confidentiality of the connected data, see https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-41040, and https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-41082) and the sensitivity of the impacted systems, the patching and updating activities should have been subjected to repeated and necessarily redundant checks by the Company and not performed starting from a manual activity not subject to any subsequent verification.

With reference to its systems, the Company, for a very long period of time (almost 12 months), was unable to guarantee the necessary protection against the loss and dissemination of personal data processed, except partially through workarounds, which by their nature are to be considered a temporary and emergency solution, among other things and in any case not applied to all Exchange servers.

In this regard, it is noted that the failure to update all systems, despite not being the direct cause of the attack perpetrated by the Medusa cybergang, has certainly made the systems and the data processed by them vulnerable, making them inadequately protected against the impending risks.

For these reasons, the Company was therefore unable to ensure on a permanent basis the confidentiality, integrity and resilience of the systems and processing services and has not adopted a procedure aimed at regularly verifying the effectiveness of the technical measures applied to them.

In relation to the set of reasons reported above, it is therefore believed that the Company has violated art. 5, par. 1, lett. f), 25 and 32 of the Regulation.

As regards the objection, formulated at the time of initiation of the proceedings, regarding the violation of art. 28, par. 3, letter f), of the Regulation in relation to the alleged shortcomings in the assistance provided to the data controllers involved in the data breach event, it is believed that what was represented by the Company in the defensive documents of 12 January 2024 has highlighted how the Company has implemented an adequate and timely assistance activity towards the data controllers involved in the event; this taking into account the necessary actions of analysis of the IT incident that the Company had to carry out.

For these reasons, it is not believed that, in this case, there are grounds for adopting measures in relation to the violation of art. 28, par. 3, letter f), of the Regulation, contained in the notification of violations of 15 December 2023, which is therefore deemed to be archived in the part concerning this specific profile subject to dispute.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome and that they are therefore unsuitable to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

The conduct carried out by the Company, in particular the sending to the Authority of a data breach report lacking the essential elements and the failure to update its systems, is in fact unlawful, in the terms set out above, in relation to Articles 5, paragraph 1, letter f), 25, 32 and 33 of the Regulation.

The violation, ascertained in the terms set out in the reasons, cannot be considered "minor", taking into account the nature and gravity of the violation itself and the degree of responsibility (see Recital 148 of the Regulation).

The Authority also took into account the average level of severity of the violation in light of all the relevant factors in the specific case, and in particular the nature, gravity and duration of the violation, taking into account the nature, object or purpose of the processing in question as well as the number of data subjects affected and the level of damage they suffered.

The Authority also took into account the criteria relating to the intentional or negligent nature of the violation and the categories of personal data affected by the violation (see art. 83, par. 2 and Recital 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, in light of the specific case:

a. the controller is ordered to:

- carry out a timely assessment of vulnerabilities in its systems and their rapid resolution, taking into account the level of risk arising from the inadequate protection of the personal data processed;

- prepare a formalized procedure for vulnerability management, which includes, in particular, the planning of the control of all IT assets of the organization in order to detect the possible presence of known or potential vulnerabilities as well as the identification of the related correction and mitigation procedures;

- identify, for the various IT assets through which the company processes personal data, values relating to the mean time to detect vulnerabilities (MTTD) and the mean time to respond (MTTR) that are adequate taking into account the risk to the rights and freedoms of natural persons.

b. the application of an administrative pecuniary sanction is ordered pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) of the Regulation).
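The scan-exclusion error discussed in section 3.2.2 (an Exchange server silently dropped from the scanner's scope) and the vulnerability-management procedure with per-asset MTTD/MTTR values ordered under point a. above can both be checked mechanically. The following Python script is an added example, not part of the decision or of Postel's own systems: hosts, dates, scanner results and targets are constructed sample data, and only the two CVE identifiers come from the decision.

```python
"""Vulnerability-management checks modelled on the Postel decision.

Added example; it is not part of the Garante's decision or of Postel's
systems. It reconciles the asset inventory against the scanner's scope
(catching a host excluded by a configuration error) and computes
MTTD/MTTR per asset role against risk-based targets. Hosts, dates,
scanner results and targets are constructed; only the two CVE ids
are the ones named in the decision.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    asset: str
    cve: str
    published: date                    # vendor advisory date
    detected: Optional[date] = None    # first seen by our scanner/alerting
    remediated: Optional[date] = None  # patch verified installed


# Constructed asset inventory (host -> role) and the scanner's configured scope.
INVENTORY = {"exch-01": "exchange", "exch-02": "exchange",
             "ws-101": "workstation", "ws-102": "workstation"}
SCAN_SCOPE = ["exch-01", "ws-101", "ws-102"]   # exch-02 missing: the configuration error

# Advisory record; the publication date is a constructed approximation.
ADVISORY = {"cves": ["CVE-2022-41040", "CVE-2022-41082"],
            "role": "exchange", "published": date(2022, 9, 30)}


def coverage_gaps(inventory, scan_scope):
    """Inventory assets the scanner never touches. This is the redundant check
    the decision found missing: scanner configuration is not trusted on its own."""
    return sorted(set(inventory) - set(scan_scope))


def seed_from_inventory(advisory, inventory):
    """Create one expected finding per affected asset straight from the
    inventory, so an unscanned host still appears as an open item."""
    return [Finding(asset, cve, advisory["published"])
            for asset, role in sorted(inventory.items()) if role == advisory["role"]
            for cve in advisory["cves"]]


def apply_scanner_results(findings, results):
    """results: {(asset, cve): (detected, remediated)} from scanner/ticketing."""
    for f in findings:
        if (f.asset, f.cve) in results:
            f.detected, f.remediated = results[(f.asset, f.cve)]
    return findings


def _mean(values):
    return sum(values) / len(values) if values else None


def mttd_mttr(findings, inventory):
    """Per asset role: MTTD = advisory -> detection, MTTR = detection -> fix (days)."""
    spans = {}
    for f in findings:
        d = spans.setdefault(inventory[f.asset], {"detect": [], "respond": []})
        if f.detected:
            d["detect"].append((f.detected - f.published).days)
            if f.remediated:
                d["respond"].append((f.remediated - f.detected).days)
    return {role: {"mttd": _mean(v["detect"]), "mttr": _mean(v["respond"])}
            for role, v in spans.items()}


def open_exposure(findings, as_of):
    """Days each unremediated finding has been exposed, counted from the advisory
    date so that a host with no detection at all is not hidden by the metric."""
    return {(f.asset, f.cve): (as_of - f.published).days
            for f in findings if f.remediated is None}


def check_targets(metrics, targets):
    """Compare measured MTTD/MTTR against per-role targets; return failures."""
    failures = []
    for role, t in targets.items():
        m = metrics.get(role, {})
        for k in ("mttd", "mttr"):
            if m.get(k) is None:
                failures.append(f"{role}: no {k} measurement")
            elif m[k] > t[k]:
                failures.append(f"{role}: {k} {m[k]:.0f}d exceeds target {t[k]}d")
    return failures


def run_example():
    findings = seed_from_inventory(ADVISORY, INVENTORY)
    # Constructed scanner/ticket data: only exch-01 was scanned and patched.
    results = {("exch-01", cve): (date(2022, 10, 5), date(2022, 11, 15))
               for cve in ADVISORY["cves"]}
    apply_scanner_results(findings, results)
    metrics = mttd_mttr(findings, INVENTORY)
    return {
        "gaps": coverage_gaps(INVENTORY, SCAN_SCOPE),
        "metrics": metrics,
        "exposure": open_exposure(findings, date(2023, 8, 17)),
        "failures": check_targets(metrics, {"exchange": {"mttd": 7, "mttr": 30}}),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Seeding expected findings from the inventory rather than from the scanner is what makes the excluded host visible: its exposure is counted from the advisory date even though it was never detected.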

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and the accessory sanctions (arts. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Postel S.p.A. has violated arts. 5, par. 1, letter f), 25, 32 and 33 of the Regulation. For the violation of the aforementioned provisions, the application of the administrative pecuniary sanction provided for by art. 83, par. 4, letter a), and par. 5, letter a) of the Regulation is provided for, by adopting an injunction order (art. 18, l. 24.11.1981, n. 689).

Considering that it is necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same processing or connected processing, a controller […] infringes, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious infringement", the total amount of the sanction is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and the related quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the specific case, the following circumstances were considered:

in relation to the nature of the violation, this concerned, among other things, cases punished more severely pursuant to Article 83, paragraph 5, of the Regulation (general principles of processing, in particular the principle of integrity and confidentiality);

in relation to the seriousness of the violation, the circumstance of the significant number of data subjects whose personal data were involved in the violation (approximately 25,000), the loss of availability of a part of the data subject to the violation and the high impact that the violation may have had on the data subjects (in terms of loss of control of the data, identity theft, fraud, reputational risks) were taken into consideration;

with regard to the duration of the breach, the duration of the breach was considered relevant given that, since the vulnerabilities exploited for the attack were made known (September 2022), the Company, almost twelve months later (August 2023), had not yet updated its systems;

the degree of responsibility of the data controller or processor, taking into account the technical and organizational measures implemented pursuant to Articles 25 and 32 of the Regulation which are specifically relevant in the proceedings;

with reference to the intentional or negligent nature of the breach and the degree of responsibility of the data controller, the conduct of the Company was taken into consideration, which did not adopt suitable technical measures to protect the personal data processed on its systems, despite public notices on the vulnerabilities and countermeasures to be adopted, coming from the software supplier and from ACN;

in favor of the Company, account was taken of the cooperation with the Supervisory Authority demonstrated during the proceedings and the decision to update the systems and implement a Cybersecurity Improvement Plan in order to update and improve the management process of security critical alerts.

It is also believed that, in this case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the ordinary financial statements for the year 2023, are relevant. Lastly, the amount of sanctions imposed in similar cases is taken into account.

In quantifying the sanction, it was also taken into account that, in this case, the pecuniary sanction is in addition to other corrective measures imposed by the provision.

In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply to Postel S.p.A. the administrative sanction of the payment of a sum equal to Euro 900,000 (nine hundred thousand).

In this context, it is also believed, in consideration of the type of violations ascertained that concerned the general principles of processing as well as the security measures and the content of the data breach report, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this provision on the website of the Guarantor.

It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

determines the unlawfulness of the processing carried out by Postel S.p.A., in the person of its legal representative pro-tempore, with registered office in Viale Europa, 175, Rome, C.F. 04839740489, pursuant to art. 143 of the Code, for the violation of arts. 5, par. 1, letter f), 25, 32 and 33 of the Regulation;

RESOLVES

to archive the dispute adopted against Postel S.p.A. in the person of its legal representative pro-tempore, with deed dated 15 December 2023, limited to the violation of art. 28, par. 3, letter f), of the Regulation;

ORDERS

Postel S.p.A.:

a. pursuant to art. 58, par. 2, letter d) of the Regulation:

- to carry out a vulnerability assessment of its systems and their rapid resolution, taking into account the level of risk arising from inadequate protection of the personal data processed, within 90 days of notification of this provision;

- to prepare a formalized procedure for vulnerability management, which includes, in particular, planning the control of all IT assets of the organization in order to detect the possible presence of known or potential vulnerabilities as well as the identification of the related correction and mitigation procedures, within 90 days of notification of this provision;

- to identify, for the various IT assets through which the company processes personal data, values relating to the mean time to detect vulnerabilities (MTTD) and the mean time to respond (MTTR), which are adequate taking into account the risk to the rights and freedoms of natural persons, within 90 days of notification of this provision.

b. to pay the aforementioned sum of Euro 900,000 (nine hundred thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is recalled that the offender has the right to settle the dispute by paying, always according to the methods indicated in the attachment, an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

ORDERS

pursuant to art. 58, paragraph 2, letter i) of the Regulation, Postel S.p.A. to pay the sum of EUR 900,000 (nine hundred thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019, and believes that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

Requests Postel S.p.A. to communicate what initiatives have been undertaken in order to implement the provisions of this provision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 120 days from the date of notification of this provision; any failure to respond may result in the application of the administrative sanction provided for by art. 83, par. 5, letter e) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 4 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei

SEE ALSO Newsletter of 22 October 2024

[web doc. no. 10063782]

Provision of 4 July 2024

Register of provisions
n. 572 of 4 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

HAVING SEEN the personal data breach notified by Postel S.p.A. to the Authority on 17 August 2023, pursuant to art. 33 of the Regulation, supplemented several times by the Company, up to 4 October 2023, relating to a cyber attack on its systems;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. The breach of personal data and the investigation activity.

On 17 August 2023, Postel S.p.A. (hereinafter, the Company) notified the Guarantor, pursuant to art. 33 of the Regulation, of a breach of personal data, which was supplemented several times by the Company until the final version was sent on 4 October 2023.

With the aforementioned report, the Company communicated that it had suffered “a ransomware-type cyber attack which was subsequently claimed by the cyber gang called Medusa. This attack resulted in the blocking of some servers and some workstations [of the Company], with the consequent activation of recovery/restore procedures”.

In particular, the attack involved the exfiltration (and subsequent publication on the dark web) of files containing personal data relating to the company's workers (including terminated workers), workers' relatives, corporate office holders (members of the board of directors, the board of auditors and the supervisory body), job candidates, as well as representatives of companies having commercial relationships with the Company.

For some files present in the network folders, the Company was unable to restore them and, consequently, the availability of such data was also lost.

Based on what was declared by the Company in the notification to the Guarantor, the breach affected, overall, approximately 25,000 data subjects and the categories of personal data subject to the breach were multiple: personal data; contact data; access and identification data; payment data; data relating to criminal convictions and crimes; data relating to identification/recognition documents; data revealing trade union membership; health data.

On 13 October 2023, given the absence, within the final notification sent by the Company, of elements deemed necessary for the exercise, by the Authority, of the tasks and powers provided for by the Regulation, information was requested from the Company regarding, in particular, the vulnerabilities used to carry out the attack suffered and the information provided, as data processor, to the other controllers whose data had been involved in the violation.

On 23 October 2023, the Company responded to the Authority's request and, on that occasion, stated that:

“through the […] vulnerabilities [CVE-2022-41080 and CVE-2022-41082], the attacker, following penetration of the Company's systems, was able to create a user account which was simultaneously added to the domain administrators group, in order to obtain the persistence of the malicious actor on the company IT platform” (see note 23/10/2023 cit., p. 1);

“the perimeter of the security incident did not concern the production platforms dedicated to the provision of services to the Company's customers, but exclusively some systems used to carry out internal activities. Nevertheless, personal data processed by the Company in its capacity as data controller were exfiltrated relating to some documents, exceptionally present in the aforementioned systems used for the performance of internal activities, attributable to 22 [company] clients out of the total documents managed by the Company on behalf of approximately 4,000 clients” (see note cit., p. 1);

“the aforementioned clients were all made aware of the event by the undersigned through formal communications pursuant to art. 33, par. 2, GDPR” (see note cit., p. 2).

The Company has provided the list of data controllers, for which it acts as data processor, involved in the data breach in question, which duly notified the violation of personal data pursuant to arts. 33 and 34 of the Regulation.

It was also verified that the Company, for the data affected by the breach for which it acts as data controller, communicated the breach to the data subjects involved, having considered that the risk to their rights and freedoms was high.

2. Initiation of the proceedings and the Company's defence submissions.

On 15 December 2023, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found, with reference to arts. 5, par. 1, letter f), 25, 28, par. 3, letter f), 32 and 33 of the Regulation.
On 12 January 2024, the Company submitted its defence papers and on that occasion highlighted that:

“Postel […] has equipped itself with a structured management system aimed at protecting the rights and freedoms of natural persons who could be impacted by the Data processing that it carries out” (see note 12/01/2024 cit., p. 1);

“with regard to the security profile of the Data, organizational and technical measures are implemented aimed at: - managing the risks of violation of the same; - implementing the actions required by the current legislation if violations nevertheless occur” (see note cit., p. 1);

“in the face of the Data violation suffered (the “Breach”), Postel has introduced all the actions necessary to: - comply with the provisions of Articles 33 and 34 of the […] Regulation […]; - mitigate as much as possible the impact of the Violation itself on the rights and freedoms of natural persons, as well as of other stakeholders involved” (see note cit., p. 2);

“Postel itself is the first victim of Medusa’s criminal conduct, given the very serious economic damages associated with the slowdowns of the technological infrastructure that were necessary to mitigate the consequences of the Violation, as well as the need to allocate a significant part of its human, economic and technological resources for a significant period of time to the management of the Violation itself” (see note cit., p. 2);

“has analyzed the events connected to the Violation […] and consequently reports that: - a series of additional organizational and technical measures are underway aimed at strengthening the security of the Data processed; - actions are being defined to strengthen its protocols for managing Data Violations pursuant to Articles 33 and 34 of the Regulation, also with regard to the management of relationships with any data controller clients, pursuant to Article 28, paragraph 3, letter f) of the Regulation” (see note cit., p. 3);

“Postel wishes to demonstrate its spirit of maximum cooperation with the Authority itself, declaring its willingness to adhere to any additional provisions that the Authority intends to recommend” (see note cit., p. 3);

“on the alleged insufficiency of the notification of the Violation […] Postel considers this assessment to be legally unfounded, as well as not corresponding to the facts, and therefore not acceptable. In fact, in fulfilling its obligations pursuant to art. 33 of the Regulation, Postel has filled in all the fields of the standard notification form on the institutional website of this esteemed Authority: this compilation, although complete, was necessarily synthetic in nature” (see note cit., p. 3, 4);

“furthermore, the information element of which this esteemed Authority contests the omission – that is, the type of vulnerabilities used by the attacker – is not expressly mentioned among the mandatory elements of the notification pursuant to the Regulation (not even in recital 87 cited by this esteemed Authority). Nor are explicit indications on the point found in the Code and/or in provisions of the European Data Protection Board and/or of this esteemed Authority” (see note cit., p. 4);

“the contested omission of the information element indicated by [the] Authority is certainly not the result of a lack of transparency on the part of Postel […] in response to a subsequent specific request on the point by this esteemed Authority, Postel did not hesitate to provide all the information requested” (see note cit., p. 4, 5);

“the Authority’s statement that the notification sent by Postel did not indicate «[…] the details of the security measures that were applied to the systems involved in the attack […]» is not true, as the undersigned diligently filled in field F.9 […] of the standard notification form prepared by the Authority itself” (see note cit., p. 5);

“Postel intends to positively and proactively take note of the observations of this esteemed Authority, committing to implement awareness-raising activities, exercises and simulations relating to its protocols for managing Data breaches, especially with regard to the implementation of a greater level of detail and granularity of the information transmitted to the supervisory authority pursuant to art. 33 of the Regulation. On this occasion, actions will also be implemented to reduce the management times of any Data breaches” (see note cit., p. 5);

“in the case in question, the management times are largely justified by the complexity and scope of the Breach itself […]. Moreover, the Violation occurred during the summer period of partial company closure, with consequent increased difficulty in activating contingency procedures” (see note cit., p. 5);

regarding the dispute relating to the “failure to adopt measures to mitigate vulnerabilities” “the aforementioned vulnerability does not constitute the [root cause] of the Violation, to be identified solely and exclusively in the criminal action of Medusa. Consequently, a direct causal link cannot be found between the existence of the software vulnerability and the occurrence of the Violation” (see note cit., p. 6);

“the failure to remove the vulnerabilities in question did not derive from the absence of company procedures and protocols regarding “patch and vulnerability management” or from the inadequacy of the procedures and protocols themselves. In fact, a structured process of early warning, detection and issuance of security critical alerts and scanning and patching of its information systems is implemented on Postel’s infrastructure. This process was also activated with regard to the aforementioned vulnerabilities and, in particular, following the early warning, they had been temporarily managed by applying workarounds. Unfortunately, however, due to a human error in the configuration of the scanning activities, the Exchange server subject to the attack was excluded from the scan itself: this accidentally determined the failure to patch the aforementioned vulnerabilities, exclusively with regard to that system. Therefore, also with regard to the management of the aforementioned vulnerabilities, security measures were implemented that comply with the requirements of Articles 5, paragraph 1, letter f), 25 and 32 of the Regulation, which only due to an isolated and unfortunate anomaly were unable to operate effectively” (see note cit., p. 7);

“it was deemed appropriate to implement actions to improve the company’s security posture and a structured action plan is therefore being implemented for this purpose […] it includes, among other things, the review and improvement of the management process of security critical alerts. Moreover, this Cybersecurity Improvement Plan is supported by a structured and pre-existing system of organizational and technical measures” (see note cit., p. 8);

regarding the dispute relating to the “lack of support to the data controllers by the data processor” “Postel believes that these assessments differ from the factual reality […]. [the statements of some data controllers], made in the absence of cross-examination, do not come from impartial third parties, but from interested parties who would only benefit from the attribution to Postel alone of any failure and/or delay in fulfilling its obligations regarding the protection of personal data (primarily, those pursuant to Articles 33 and 34 of the Regulation). Moreover, these statements come from only three of the twenty-two Postel customers impacted by the Violation” (see note cit., p. 8);

“with regard to the controller Coop Italia S.p.A., the involvement of the same in the Violation was communicated by Postel shortly after the relevant discovery, first by informal channels and shortly thereafter with communication via PEC. On 22 September [2023], having completed the necessary analyses, Postel sent Coop Italia the detailed report relating to the Violation, without prejudice to the fact that in the meantime the channels of dialogue with the customer had always remained open […]. Moreover, even after sending the aforementioned report, Postel remained at the controller's disposal with regard to further requests for support” (see note cit., p. 9);

“as for the controller SAT S.p.A., in response to the first communication sent on 30 August [2023] and the requests for further clarification submitted by that controller the following day, Postel provided the requested feedback after a few days, i.e. on 7 September [2023], and in any case after having completed the necessary investigative activities” (see note cit., p. 9);

“similar considerations can be made with regard to what was reported by the controller Nexi S.p.A., to whom Postel transmitted the relevant information pursuant to art. 28, par. 3, letter f) of the Regulation on 8 September [2023], i.e. as soon as the controller’s involvement in the Violation was discovered, a circumstance that had not previously emerged given the fact that the analyses of the perimeter of the incident were still in progress. The discussions with this customer continued in the following days, also with the production of a further detailed report on the dynamics of the Violation” (see note cit., p. 9);

“the transmission times of the relevant information pursuant to art. 28, par. 3, letter f) of the Regulation by Postel to the three clients mentioned above were in no way due to inertia or lack of collaboration, but are attributable to the same technical times of analysis and collection of information, to be parameterized to the extent of the cyber attack perpetrated by Medusa” (see note cit., p. 9);

with reference to art. 83 par. 2 letter a) of the Regulation “the Violation is connected to the loss of confidentiality and availability of some Data held by Postel, caused by a cyber attack perpetrated by the professional cyber gang Medusa. The data subjects involved in the violation are approximately 24,800: however, only with regard to 2,161 data subjects (therefore equal to approximately 8.71% of the total) was a high level of risk for the rights and freedoms of natural persons detected, such as to determine the need to send a communication pursuant to art. 34 of the Regulation. As for the Data held by Postel as data processor, the Violation impacted the Data attributable to only twenty-two customers, compared to the total documents managed by Postel on behalf of approximately 4,000 customers” (see note cit., p. 10, 11);

with reference to art. 83 par. 2 letter b) of the Regulation “the Violation was caused by the cyber attack of a criminal nature maliciously perpetrated by Medusa […]. Consequently, no infringement of the Regulation can be attributed to Postel” (see note cit., p. 11);

with reference to art. 83 par. 2 letter c) of the Regulation “to mitigate the consequences of the Breach, the company procedure for managing IT security events and incidents was immediately activated, with: − opening of a ticket for managing the incident; − convening of the technical crisis unit; − carrying out continuous analyses relating to the dynamics and perimeter of the incident; − implementing actions to contain the attack; − sanitization and subsequent restoration of information systems. Furthermore, Postel has: − implemented communication, collaboration, support and assistance activities towards the data subjects (compliant, as also recognized by this esteemed Authority, with art. 34 GDPR), the clients (especially those for which Postel acts as data processor), as well as other relevant stakeholders; − filed a complaint with the competent police authorities” (see note cit., p. 11);

with reference to art. 83 par. 2 letter d) of the Regulation “at the time of the Breach, the following security measures (still in place) were implemented - among others - to protect information systems: − secure authentication procedures; − antivirus systems; − antimalware systems; − «Defender for Identity» type systems; − intrusion prevention systems; − firewall systems; − «security information and event management» procedures and systems; − backup procedures; − business continuity and disaster recovery procedures” (see note cit., p. 11, 12);

“subsequent to the Breach […] a Cybersecurity Improvement Plan was implemented which, with regard to the issue of vulnerability management, provides for the review and improvement of the management process of security critical alerts. In particular, the integration between scanning, asset management and trouble ticketing tools has been planned, ensuring that security tickets are automatically generated and forwarded to the competent function whenever the scanning systems detect a vulnerability that is the subject of a security critical alert, in order to allow its acceptance and resolution, which is governed by service level agreements agreed between the security and operational functions” (see note cit., p. 12);

“the […] Cybersecurity Improvement Plan includes the following additional improvement actions […]: - strengthening of awareness-raising activities for employees and organization of training courses on secure data management; - strengthening of the process of upgrading operating systems and middleware; - migration to cloud file sharing systems (SharePoint); - migration of email boxes still present on the on-premises system to the cloud platform” (see note cit., p. 12, 13);

“awareness-raising activities, exercises and simulations are being implemented regarding the protocols for managing data breaches, especially with regard to: - the implementation of a greater level of detail and granularity of the information transmitted to the supervisory authority pursuant to art. 33 of the Regulation; - assistance to any data controllers on whose behalf Postel acts as data processor” (see note cit., p. 13);

with reference to art. 83, par. 2, letter f), of the Regulation “since the Breach was detected, Postel has provided the widest cooperation to remedy the event itself and mitigate its possible negative effects […] Furthermore, Postel has notified this esteemed Authority pursuant to art. 33 of the Regulation and has promptly responded to its requests for clarification” (see note cit., p. 13);

with reference to art. 83, par. 2, letter g), of the Regulation “the Violation mainly concerned personal and contact data, as well as sometimes payment data and data relating to identification and/or recognition documents. In an even smaller number of cases, data revealing trade union membership and data relating to health were also impacted” (see note cit., p. 13);

with reference to art. 83, par. 2, letter h), of the Regulation “[t]he Authority became aware of the Violation as a result of the notification […] made by Postel itself pursuant to art. 33 of the Regulation immediately after the discovery of the Violation itself and subsequently the subject of integration” (see note cit., p. 13);

with reference to art. 83, par. 2, letter i), of the Regulation “there are no specific corrective measures already adopted by this esteemed Authority with reference to the specific violation contested” (see note cit., p. 14);

in relation to art. 83 par. 2 letter k) of the Regulation “[the violation to the Company] resulted in an economic loss” (see note cit., p. 14);

“the possible imposition of a pecuniary administrative sanction by this esteemed Authority would further aggravate the economic impact of the Violation on the undersigned, with potential prejudice also for the stakeholders in relation to the same (workers, suppliers, etc.)” (see note cit., p. 15).

On 31 January 2024, following a specific request from the Company, the Company was heard. On that occasion the party represented that:

“the Company is ISO9001 and ISO27001 certified”;

“the company policies on privacy, also by virtue of the public corporate composition of the group, are based on a complex structure, divided into 14 areas of intervention set out in specific group privacy guidelines that define roles, procedures and actions. In addition, starting from the GDPR, the Company has initiated a continuous improvement action on privacy which has also involved staff training activities and targeted audits”;

“the Company believes that the event is not attributable to a structural and systemic problem, but to an isolated episode. For this reason, it is highlighted that the Company did not act driven by a logic of advantage in the imperfect application of security measures, as the same did not generate any cost savings for the Company itself”;

“a recent ruling by the CJEU (case C-340/21) […] has established that the occurrence of a data breach is not proof in re ipsa of a structural inadequacy of the security measures implemented by the data controller”;

“with reference to the management of the data breach, it is emphasized that the attack required a manual and timely reconnaissance of the systems and data involved due to the extent of the violation. The analysis involved all company levels and required a significant amount of time”;

“to date, the Company is evaluating the implementation of specific training activities dedicated to data breaches to further raise staff awareness and improve the ability to respond in similar cases”;

“the Company, starting from the pandemic period and up to the recent war events and atmospheric events that affected the Melzo plant, has been affected by adverse economic conditions. Furthermore, following the cyber attack suffered, the Company chose to block, for security reasons, the production systems and, consequently, some customers turned to other competitors”.

3. Outcome of the proceedings.

3.1 Established facts and observations on the legislation on the protection of personal data.

Following the examination of the elements acquired during the investigation and the subsequent assessments of the Authority, based on the findings of the specific technical reports drawn up during the proceedings, it emerged that the Company has implemented conduct that is not compliant with the regulations on the protection of personal data.

In particular, it has been ascertained that the Company, despite the relevance of the data breach suffered, sent the Authority an incomplete notification of the breach; it has also been ascertained that the Company did not conduct itself in compliance with the data protection regulations, including with regard to the security measures that it should have adopted, within the terms indicated below.

In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Garante, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code ("False declarations to the Garante and interruption of the execution of the tasks or exercise of the powers of the Garante").

Article 5, par. 1, letter f), of the Regulation establishes that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”.

In this regard, art. 32 of the Regulation, concerning the security of processing, establishes that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk […]” (par. 1) and that “when assessing the appropriate level of security, special account shall be taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (par. 2).

According to art. 25, par. 1, of the Regulation, the data controller “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, both at the time of determining the means of processing and at the time of the processing itself [must] implement appropriate technical and organisational measures, such as pseudonymisation, designed to implement data protection principles, such as data minimisation, effectively and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (principle of data protection by design).

Art. 25, par. 2, of the Regulation also provides that the data controller must "implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed" with reference to "the amount of personal data collected, the scope of the processing, the period of storage and accessibility", ensuring, in particular, "that, by default, personal data are not made accessible to an indefinite number of natural persons without the intervention of the natural person" (principle of data protection by default).

Art. 33 of the Regulation provides that “in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons […]” (par. 1) and “the notification referred to in paragraph 1 shall at least: (a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or another contact point where more information can be obtained; (c) describe the likely consequences of the personal data breach; (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects” (par. 3).

3.2 Confirmed violations.

3.2.1 Insufficiency of information contained in the notification of the breach.

It was first ascertained, also taking into account the findings of the specific technical reports drawn up by the Authority, that the Company, following a data breach that affected some of its servers and workstations, submitted a notification of the breach, pursuant to art. 33 of the Regulation, lacking the elements deemed necessary for the exercise, by the Garante, of the tasks and powers provided for by the Regulation.

Art. 33, par. 3, of the Regulation requires that the notification of a data breach, among the elements that it must necessarily contain, report, inter alia (“at least”), the description of the nature of the breach (including, where possible, categories and approximate number of data subjects, categories and approximate number of records of the personal data subject to the breach) as well as the description of the measures adopted or proposed to be adopted to remedy the breach and, if applicable, to mitigate its possible negative effects.

Paragraph 5 of the aforementioned article also provides that, in the event of any data breach, the data controller must document it, also keeping track of the “circumstances relating to it, its consequences and the measures taken to remedy it. Such documentation allows the supervisory authority to verify compliance with this Article”.

Recital 87 of the Regulation, referred to in the Guidelines 9/2022 on personal data breach notification under GDPR (adopted on 28 March 2023, see point 26), specifies in this regard that the notification of a data breach “may give rise to an intervention by the supervisory authority within the scope of its tasks and powers under this Regulation”.

From the literal wording of the aforementioned provisions, as well as from their systematic reading, it clearly emerges that the notification provided for by art. 33 of the Regulation must contain suitable and comprehensive information concerning the breach event. It is essential, that is, that the notification includes all the information necessary to identify the characteristics of the IT incident that gave rise to the data breach. These elements are necessary to allow the Garante, in the event of a data breach, to exercise its powers and to ascertain that the technical and organisational measures appropriate to the specific case have been implemented, also with a view to restoring an adequate level of protection of the personal data breached.

Therefore, with regard to the notification submitted by the Company, it is considered that it lacks these fundamental elements and, therefore, does not comply with the provisions of art. 33 of the Regulation: in particular, the notification does not indicate the servers impacted (specifically the Exchange servers), the type of vulnerability exploited by the attacker, or certain elements of the attack's kill chain. This information, absent from the first notification, is not found in the subsequent integrations either, even though the activity of supplementing the original notification covered a long period of time (from the first communication of 17/08/2023 until the sending of the final version on 4/10/2023), so much so that this activity inevitably extended the time needed for the Authority to verify compliance with the data protection regulations.

The mere compilation of “all the fields of the standard notification form on the Authority’s institutional website” (see defence documents of 12/01/2024, p. 4) with generic information (including, for example, “This attack resulted in the blocking of some servers and workstations”, see supplementary notification of 4/10/2023, section F.7), cannot in itself be considered a sufficient condition to provide adequate information in reference to the violation event, given the vagueness of the content of such information.

This is also in view of the fact that, in indicating the measures applied to the systems at the time of the event (see section F.9 of the form), the Company made no reference to the patching of the vulnerabilities indicated, or to the actions taken to mitigate or eliminate them, but limited itself to listing the measures generically adopted (“The servers and endpoints were and are protected through authentication systems, antivirus, antimalware, defender for identity, IPS, firewall and SIEM. Backup and business continuity and disaster recovery systems are present”; see supplementary notification of 4/10/2023, section F.9).

The information relating to the type of vulnerability used by the attacker and the details of the security measures that were applied to the systems involved in the attack were provided, in fact, only in response to a specific request for information from the Authority (in particular, the request for information dated 13/10/2023).

The aforementioned Guidelines 9/2022 on personal data breach notification under GDPR clarify in this regard that, in any case, in addition to the information that the Regulation expressly requires the presence of, the data controller, having assessed the specific case, must proactively provide all the additional information necessary to fully explain the circumstances of each case of data breach (see point 54 “Article 33(3) GDPR states that the controller «shall at least» provide this information with a notification, so a controller can, if necessary, choose to provide further details. Different types of breaches (confidentiality, integrity or availability) might require further information to be provided to fully explain the circumstances of each case”).

For the reasons indicated, the conduct held by the Company does not comply with art. 33 of the Regulation.

3.2.2 Inadequacy of security measures: failure to adopt mitigation and vulnerability resolution measures.

It was also found that the Company did not conduct itself in compliance with the obligations set forth in the data protection regulations, in relation to the adoption of adequate technical and organizational measures to guarantee a level of security appropriate to the risk.

In particular, it emerged that the person who carried out the cyber attack against the Company exploited two vulnerabilities in the Microsoft Exchange platform (CVE-2022-41040 and CVE-2022-41082) used by the Company.

The combination of the aforementioned vulnerabilities, given their characteristics (the first allows the escalation of user privileges, the second allows the execution of remote code on the target machine of the attack), allowed, in general terms, an attacker to assume administrator privileges on the attacked machine and execute remote malicious code, thus taking full control of the platform.

In this case, as highlighted by the Company itself, the attacker, following penetration into the systems, was able to create a user account that was simultaneously inserted into the "domain administrators" group, in order to ensure the persistent possibility of conducting fraudulent activities on the Company's IT platform.
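The persistence step described above, a new account created and placed in the domain administrators group moments later, is one of the more readily detectable parts of this kill chain in Windows Security logs. The following script is an added example, not part of the decision or of the Company's systems: it correlates event 4720 (a user account was created) with events 4728/4732/4756 (a member was added to a security-enabled global/local/universal group) where the target group is privileged and the two events fall within a configurable window. The event records, the account and group names, and the 30-minute window are constructed assumptions; the field names follow the standard event schema.

```python
"""Correlate 'user account created' with 'member added to a privileged group'.

Added example, not part of the Garante decision. Relies on the standard
Windows Security event IDs 4720 (a user account was created) and
4728 / 4732 / 4756 (a member was added to a security-enabled global /
local / universal group). The events below are constructed for
illustration: field names follow the event schema, values are invented.
"""
from datetime import datetime, timedelta

# Constructed sample: one suspicious pair (a computer account creating a user
# that joins Domain Admins four seconds later), one benign onboarding, and one
# re-add of an existing admin with no matching creation event.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2023-08-14T02:11:05",
     "SubjectUserName": "EXCH01$", "TargetUserName": "svc_backup2"},
    {"EventID": 4728, "TimeCreated": "2023-08-14T02:11:09",
     "SubjectUserName": "EXCH01$", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example"},
    {"EventID": 4720, "TimeCreated": "2023-08-14T09:30:00",
     "SubjectUserName": "hr.admin", "TargetUserName": "m.rossi"},
    {"EventID": 4728, "TimeCreated": "2023-08-14T09:31:12",
     "SubjectUserName": "hr.admin", "TargetUserName": "HR Staff",
     "MemberName": "CN=m.rossi,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2023-08-15T17:00:00",
     "SubjectUserName": "it.admin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=old.admin,CN=Users,DC=corp,DC=example"},
]

# Assumed list of groups whose membership grants domain-wide control.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Administrators", "Schema Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
DEFAULT_WINDOW = timedelta(minutes=30)  # assumed tuning value


def member_cn(member_name: str) -> str:
    """Reduce a MemberName value to a bare account name.

    Group-membership events carry the member as an LDAP DN
    ("CN=name,CN=Users,..."); some collectors render it as "DOMAIN\\name".
    Both forms are handled.
    """
    for part in member_name.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return member_name.rsplit("\\", 1)[-1]


def find_new_privileged_accounts(events, window=DEFAULT_WINDOW):
    """Return accounts created and added to a privileged group within `window`.

    An existing administrator being re-added to a privileged group (no
    matching 4720 in the log) is deliberately not flagged; the signal here is
    the freshly created identity, which is what the decision describes.
    """
    created = {}   # lower-cased account -> (creation time, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = (when, ev["SubjectUserName"])
        elif ev["EventID"] in GROUP_ADD_EVENTS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            account = member_cn(ev["MemberName"]).lower()
            if account not in created:
                continue
            created_at, creator = created[account]
            if when - created_at <= window:
                findings.append({
                    "account": account,
                    "group": ev["TargetUserName"],
                    "created_by": creator,
                    "added_by": ev["SubjectUserName"],
                    "seconds_between": int((when - created_at).total_seconds()),
                    # A computer account (name ending in '$') creating users points
                    # to code running on a compromised server rather than an admin.
                    "creator_is_machine_account": creator.endswith("$"),
                })
    return findings


if __name__ == "__main__":
    for finding in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(finding)
```

In production the events would come from a SIEM query rather than an inline list, and the window should be tuned to the organisation's onboarding practice; the point is that the rule needs only two standard audit events, both of which the Company's declared SIEM would have ingested.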

It is noteworthy that the aforementioned vulnerabilities had already been disclosed, in September 2022, by the Microsoft Security Response Center which had also published the appropriate mitigation actions; furthermore, in November 2022, Microsoft had made available the necessary updates to be made to the Exchange platform to overcome the vulnerabilities indicated (furthermore considering that they had been assessed as highly critical).

Moreover, also in Italy, several months before the event, the existence of the aforementioned vulnerabilities had been duly reported by the National Cybersecurity Agency (see the bulletin of the Computer Security Incident Response Team of the National Cybersecurity Agency of November 2022, https://www.csirt.gov.it/contenuti/vulnerabilita-0-day-in-exchage-server-al03-220930-csirt-ita).

Despite this, in August 2023, the month in which the Company suffered the cyber attack, it had not yet adopted on its systems any of the actions specifically recommended by Microsoft (“We recommend that customers protect their organizations by applying the updates immediately to affected systems”), having not carried out the necessary updates to the Microsoft Exchange platform.

For these reasons, having examined in detail the failure to adopt timely measures to protect against attacks on the Microsoft Exchange platform, having assessed the practical effect of the aforementioned failure on the processing actually carried out, the Company's conduct conflicts with the provisions of art. 5, par. 1, letter f), and art. 32 of the Regulation.

Furthermore, this conduct also conflicts with the principles of data protection by design and data protection by default pursuant to art. 25 of the Regulation, since the aforementioned measures - made known and duly announced to the audience of users of the Microsoft Exchange platform, among other things, long before the data breach that affected the Company, fall precisely among the measures that a data controller must adopt to implement the principles of data protection and to integrate the necessary guarantees into the processing in order to meet the requirements of the Regulation, as well as to ensure that, by default, only the data necessary for each specific purpose of the processing are processed.

The Authority's assessment therefore did not stop at the occurrence of the data breach as such (which, as the Guidelines 4/2022 on the calculation of administrative fines under the GDPR, adopted on 24 May 2023, point out, “does not necessarily imply a breach of the GDPR”, see point 5.6, note 37) but, starting from the breach under investigation, verified whether the Company had adopted all the technical and organizational measures that could have prevented the personal data breach.

In this respect the Authority's approach was fully consistent with the judgment of the Court of Justice of the European Union of 14 December 2023 (case C-340/21), relied on by the Company, in particular where it states, with reference to the measures under art. 32 of the Regulation, that “the adequacy of such technical and organizational measures must be assessed in two stages. On the one hand, it is necessary to identify the risks of personal data breaches induced by the processing in question and their possible consequences for the rights and freedoms of natural persons. This assessment must be carried out in concrete terms, taking into account the degree of probability of the risks identified and their degree of severity. On the other hand, it is necessary to verify whether the measures implemented by the controller are appropriate to those risks, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of that processing” (point 42).

Furthermore, in the same judgment, the Court of Justice specified that “it is clear from the provisions of Article 5(2), Article 24(1) and Article 32(1) of the GDPR that the burden of proving that personal data are processed in such a way as to ensure their appropriate security within the meaning of Article 5(1)(f) and Article 32 of that regulation lies with the controller in question” (point 52), and again on the point, “on the one hand, since the level of protection referred to in the GDPR depends on the security measures adopted by the controllers of the processing of personal data, the latter must be induced, bearing the burden of demonstrating the adequacy of those measures, to do everything possible to prevent processing operations that do not comply with that regulation” (point 55).

From the examination of the statements and documentation produced by the Company, it is clear that the Company did not do everything it could to avoid the data breach, given that, as already explained at length, it did not adopt the publicly disclosed mitigation measures that had been strongly recommended first and foremost by Microsoft and, at national level, by the National Cybersecurity Agency as well.

In this regard, the Company's statements cannot be considered capable of justifying its failure to update its systems fully and promptly.

In particular, the Company's statement that "due to a human error in the configuration of the scanning activities, the Exchange server that was the object of the attack was excluded from the scan itself" (see defence documents of 12/01/2024, p. 7) carries no weight: given the criticality of the vulnerabilities in question (rated by Microsoft, as already noted, as high risk for the loss of integrity, availability and confidentiality of the data concerned, see https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-41040 and https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-41082) and the sensitivity of the affected systems, patching and updating should have been subject to repeated and necessarily redundant checks by the Company, rather than depending on a manual step with no subsequent verification.

With regard to its systems, the Company was unable, for a very long period (almost 12 months), to guarantee the necessary protection against the loss and dissemination of the personal data processed, other than partially through workarounds, which by their nature are a temporary, emergency solution and which, in any case, were not applied to all Exchange servers.

In this regard, the failure to update all systems, although not the direct cause of the attack carried out by the Medusa cybergang, certainly left the systems, and the data processed on them, vulnerable and inadequately protected against the risks at hand.

For these reasons, the Company was unable to ensure the ongoing confidentiality, integrity and resilience of its processing systems and services, and had no procedure for regularly testing the effectiveness of the technical measures applied to them.

In relation to the set of reasons reported above, it is therefore believed that the Company has violated art. 5, par. 1, lett. f), 25 and 32 of the Regulation.

As regards the objection, raised when the proceedings were initiated, concerning the violation of art. 28, par. 3, letter f), of the Regulation in relation to alleged shortcomings in the assistance provided to the controllers involved in the data breach, the Company's submissions in its defence documents of 12 January 2024 are considered to show that it provided adequate and timely assistance to those controllers, taking into account the analysis of the IT incident that the Company had to carry out.

For these reasons, there are no grounds in this specific case for adopting measures in relation to the violation of art. 28, par. 3, letter f), of the Regulation, alleged in the notification of violations of 15 December 2023, which is therefore to be archived as regards this specific point in dispute.

4. Conclusions: declaration of unlawfulness of processing. Corrective measures pursuant to art. 58, par. 2, Regulation.

For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and are therefore unsuitable to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

The conduct carried out by the Company - in particular the sending to the Authority of a data breach report lacking the fundamental elements and the failure to adopt activities to update its systems - are in fact unlawful, in the terms set out above, in relation to art. 5, par. 1, letter f), 25, 32 and 33 of the Regulation.

The infringement, ascertained in the terms set out in the reasons, cannot be considered “minor”, taking into account the nature and gravity of the infringement itself and the degree of responsibility (see Recital 148 of the Regulation).

The Authority also took into account the medium level of seriousness of the infringement in the light of all the factors relevant to the specific case, and in particular the nature, gravity and duration of the infringement, having regard to the nature, object or purpose of the processing in question as well as the number of data subjects harmed and the level of damage suffered by them.

The Authority also took into account the criteria relating to the intentional or negligent character of the infringement and the categories of personal data affected by the infringement (see Article 83, paragraph 2 and Recital 148 of the Regulation).

Therefore, given the corrective powers attributed by Article 58, paragraph 2 of the Regulation, in the light of the specific case:

a. the data controller is ordered to:

- carry out a timely assessment of the vulnerabilities in its systems and resolve them promptly, taking into account the level of risk arising from inadequate protection of the personal data processed;

- prepare a formalized procedure for vulnerability management which includes, in particular, planning the checking of all the organization's IT assets in order to detect known or potential vulnerabilities, and identifying the related correction and mitigation procedures;

- identify, for the various IT assets through which the company processes personal data, values for the mean time to detect vulnerabilities (MTTD) and the mean time to respond (MTTR) that are adequate having regard to the risk to the rights and freedoms of natural persons.

b. the application of an administrative pecuniary sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) of the Regulation).
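The measures ordered at point a. above (and restated in the operative part of the ruling) require a plan that checks all of the organization's IT assets and per-asset MTTD and MTTR values, and the facts of the case show the failure mode such a plan has to catch: a server left out of the scanner's scope by a manual misconfiguration, so that its missing patches never showed up in any report. The following is an added example, not code from the ruling or from Postel; the asset names, scan scope, dates, thresholds and tracker rows are all constructed. It reconciles an asset inventory against the scanner's target list, computes per-asset MTTD (advisory publication to first detection by the organization's own scanning) and MTTR (first detection to verified remediation), and flags coverage gaps, vulnerabilities that were never detected, and assets over their targets.

```python
"""Vulnerability-management coverage and MTTD/MTTR report (added example; the
names, dates, thresholds and tracker rows are constructed, not from the ruling)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: asset id -> asset class (selects the targets below).
INVENTORY: Dict[str, str] = {"exch-01": "mail", "exch-02": "mail",
                             "hr-db-01": "hr-data", "web-01": "web"}

# Constructed scanner scope. exch-02 is deliberately missing: this is the
# "excluded from the scan" misconfiguration described in the ruling.
SCAN_SCOPE: Set[str] = {"exch-01", "hr-db-01", "web-01"}

# Hypothetical per-class targets in days: (maximum MTTD, maximum MTTR).
TARGETS: Dict[str, Tuple[float, float]] = {"mail": (3, 14), "hr-data": (3, 14), "web": (7, 30)}

NOW = datetime(2023, 8, 1)  # constructed report date


@dataclass
class VulnRecord:
    asset: str
    vuln_id: str
    published: datetime             # vendor or CSIRT advisory date
    detected: Optional[datetime]    # first flagged by our own scanner; None = never
    remediated: Optional[datetime]  # patch or mitigation verified; None = still open


# Constructed tracker export. The CVE ids are the two named in the ruling; the
# dates are illustrative. exch-02 never appears in scan results, so nothing on
# it was ever detected or fixed.
TRACKER: List[VulnRecord] = [
    VulnRecord("exch-01", "CVE-2022-41040", datetime(2022, 9, 30), datetime(2022, 10, 3), datetime(2022, 11, 15)),
    VulnRecord("exch-01", "CVE-2022-41082", datetime(2022, 9, 30), datetime(2022, 10, 3), datetime(2022, 11, 15)),
    VulnRecord("exch-02", "CVE-2022-41040", datetime(2022, 9, 30), None, None),
    VulnRecord("exch-02", "CVE-2022-41082", datetime(2022, 9, 30), None, None),
    VulnRecord("hr-db-01", "VULN-DEMO-1", datetime(2023, 1, 10), datetime(2023, 1, 12), datetime(2023, 1, 20)),
    VulnRecord("web-01", "VULN-DEMO-2", datetime(2023, 2, 1), datetime(2023, 2, 12), None),
]


def coverage_gaps(inventory: Dict[str, str], scan_scope: Set[str]) -> Set[str]:
    """Inventory assets that the scanner is not configured to scan at all."""
    return set(inventory) - scan_scope


def _days(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 86400


def asset_metrics(records: List[VulnRecord], now: datetime) -> Dict[str, Tuple[float, Optional[float]]]:
    """Per-asset (MTTD, MTTR) in days. Open items are clocked up to `now` rather
    than dropped, so an undetected or unpatched vulnerability worsens the metric
    instead of vanishing from it. MTTR is None if nothing was ever detected."""
    by_asset: Dict[str, List[VulnRecord]] = {}
    for rec in records:
        by_asset.setdefault(rec.asset, []).append(rec)
    metrics: Dict[str, Tuple[float, Optional[float]]] = {}
    for asset, recs in by_asset.items():
        ttd = [_days(r.published, r.detected or now) for r in recs]
        ttr = [_days(r.detected, r.remediated or now) for r in recs if r.detected]
        metrics[asset] = (mean(ttd), mean(ttr) if ttr else None)
    return metrics


def assess(inventory: Dict[str, str], scan_scope: Set[str], records: List[VulnRecord],
           targets: Dict[str, Tuple[float, float]], now: datetime) -> List[str]:
    """Findings a vulnerability-management review should raise, in order:
    coverage gaps, vulnerabilities never detected, then assets over target."""
    findings: List[str] = []
    for asset in sorted(coverage_gaps(inventory, scan_scope)):
        findings.append(f"{asset}: not in scanner scope (coverage gap)")
    for rec in records:
        if rec.detected is None:
            findings.append(f"{rec.asset}: {rec.vuln_id} published {rec.published.date()} was never detected")
    for asset, (mttd, mttr) in sorted(asset_metrics(records, now).items()):
        max_ttd, max_ttr = targets[inventory[asset]]
        if mttd > max_ttd:
            findings.append(f"{asset}: MTTD {mttd:.1f}d exceeds target {max_ttd}d")
        if mttr is not None and mttr > max_ttr:
            findings.append(f"{asset}: MTTR {mttr:.1f}d exceeds target {max_ttr}d")
    return findings


if __name__ == "__main__":
    for line in assess(INVENTORY, SCAN_SCOPE, TRACKER, TARGETS, NOW):
        print(line)
```

Running the block prints the findings for the constructed data. The design point is that the excluded server surfaces twice, once as a coverage gap from the inventory comparison and once as a vulnerability whose detection clock is still running, because the inventory check does not rely on the scanner's own output; that independent, redundant check is exactly what the ruling faults the Company for not having around a manual patching and scanning configuration.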

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Postel S.p.A. has violated articles 5, par. 1, letter f), 25, 32 and 33 of the Regulation. For the violation of the aforementioned provisions, the administrative pecuniary sanction provided for by art. 83, par. 4, letter a), and par. 5, letter a), of the Regulation applies, through the adoption of an injunction order (article 18, law 24.11.1981, no. 689).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that “If, in relation to the same or linked processing operations, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement”, the total amount of the fine is calculated so as not to exceed the maximum amount set out in the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the related quantification, taking into account that the fine must “in any case [be] effective, proportionate and dissuasive” (art. 83, par. 1 of the Regulation), it is represented that, in this case, the following circumstances were considered:

in relation to the nature of the infringement, this concerned, among other things, cases punished more severely pursuant to art. 83, par. 5, of the Regulation (general principles of processing, in particular the principle of integrity and confidentiality);

in relation to the seriousness of the violation, the circumstance of the significant number of data subjects whose personal data were involved in the violation (approximately 25,000), the loss of availability of a part of the data subject to the violation and the high impact that the violation may have had on the data subjects (in terms of loss of control of the data, identity theft, fraud, reputational risks) were taken into account;

with regard to the duration of the violation, the duration of the violation was considered relevant considering that, since the vulnerabilities exploited for the attack were disclosed (September 2022), the Company, almost twelve months later (August 2023), had not yet updated its systems;

the degree of responsibility of the data controller or processor, taking into account the technical and organizational measures implemented pursuant to Articles 25 and 32 of the Regulation which are specifically relevant in the context of the proceedings;

with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, account was taken of the Company's conduct in failing to adopt suitable technical measures to protect the personal data processed on its systems, despite the public notices on the vulnerabilities and on the countermeasures to be adopted issued by the software supplier and by ACN;

in favor of the Company, account was taken of the cooperation with the Supervisory Authority demonstrated during the procedure and the decision to update the systems and implement a Cybersecurity Improvement Plan in order to update and improve the management process of security critical alerts.

It is also considered that, in this case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1 of the Regulation), the following are relevant: firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the ordinary financial statements for the year 2023. Lastly, the amount of sanctions imposed in similar cases is taken into account.

In quantifying the sanction, it was also taken into account that, in this case, the pecuniary sanction is added to other corrective measures imposed with the provision.

In light of the elements indicated above and the assessments carried out, it is considered, in this case, to apply to Postel S.p.A. the administrative sanction of the payment of a sum equal to Euro 900,000 (nine hundred thousand).

In this context, it is also believed, in consideration of the type of violations found that concerned the general principles of processing as well as the security measures and the content of the data breach report, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this provision on the website of the Guarantor.

It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

determines the unlawfulness of the processing carried out by Postel S.p.A., in the person of its legal representative pro-tempore, with registered office in Viale Europa, 175, Rome, C.F. 04839740489, pursuant to art. 143 of the Code, for the violation of arts. 5, par. 1, letter f), 25, 32 and 33 of the Regulation;

RESOLVES

to archive the dispute adopted against Postel S.p.A. in the person of the legal representative pro-tempore, with deed dated 15 December 2023, limited to the violation of art. 28, par. 3, letter f), of the Regulation;

ORDERS

to Postel S.p.A.:

a. pursuant to art. 58, par. 2, letter d) of the Regulation:

- to carry out a verification of the vulnerabilities in its systems and the rapid resolution of the same, taking into account the level of risk that derives from the inadequate protection of the personal data processed, within 90 days of notification of this provision;

- to prepare a formalized procedure for vulnerability management, which includes, in particular, the planning of the control of all IT assets of the organization in order to detect the possible presence of known or potential vulnerabilities and the identification of the related correction and mitigation procedures, within 90 days of notification of this provision;

- to identify, for the various IT assets through which the company processes personal data, values relating to the mean time to detect vulnerabilities (MTTD) and the mean time to respond (MTTR), which are adequate taking into account the risk to the rights and freedoms of natural persons, within 90 days of notification of this provision.

b. to pay the aforementioned sum of EUR 900,000 (nine hundred thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, failing which the consequent enforcement acts will be adopted pursuant to art. 27 of Law no. 689/1981. It remains open to the offender to settle the dispute by paying - again according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline set by art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 for lodging the appeal indicated below (art. 166, paragraph 8, of the Code);

ORDERS

pursuant to art. 58, paragraph 2, letter i) of the Regulation to Postel S.p.A., to pay the sum of Euro 900,000 (nine hundred thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

Requests Postel S.p.A. to communicate what initiatives have been undertaken in order to implement the provisions of this provision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 120 days from the date of notification of this provision; any failure to provide feedback may result in the application of the administrative sanction provided for by art. 83, paragraph 5, letter e) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 4 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE SECRETARY GENERAL
Mattei