Garante per la protezione dei dati personali (Italy) - 10002324: Difference between revisions

From GDPRhub
Latest revision as of 08:25, 8 May 2024

Garante per la protezione dei dati personali - 10002324
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR; Article 33(1) GDPR; Article 33(2) GDPR; Article 33(5) GDPR; Article 42 GDPR
Type: Investigation
Outcome: Violation Found
Started: 15.08.2021
Decided: 21.03.2024
Published:
Fine: 271,000 EUR
Parties: LAZIOcrea S.p.A.
National Case Number/Name: 10002324
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: im

The DPA fined the processor €271,000 for inadequate security measures, that led to a two-day unavailability of multiple healthcare services in the Lazio Region.

English Summary

Facts

On the night of 31 July 2021, a cyber-attack hit the healthcare system of the Lazio region, Italy. It had serious repercussions, leaving local health authorities, hospitals and nursing homes ('the controllers') unable to use regional information systems for hours and in some cases even for months. Essential services related to emergency activities were not interrupted, as they were separated from other applications.

The ransomware attack originated in March 2021 on the computer of a regional employee working remotely for one of the entities. The employee installed malicious software on the computer used to connect to the processor’s network. The software created a backdoor into the system and stole the employee’s access credentials.

LAZIOcrea S.p.A. was the company responsible for the management and security of the information systems of the Lazio Region pursuant to Article 28 GDPR (‘processor’ or ‘company’). The attack targeted machines located in one of the rooms of the data center managed by the company. The company was therefore also acting as a controller for its own purposes, as the operating systems which were attacked also managed additional processing activities.

The company did not notify the data breach immediately but with considerable delay, in any case beyond the 72 hours required by Article 33 GDPR. The data breach was notified to the affected controllers about two weeks after the incident, without specific references to the attacked processing systems, which would have helped each controller delineate the extent of the breach and evaluate the associated risks.

The notification of the data breach itself did not document necessary information about the attack, such as the date and time of closure of the incident, the date and time of resolution of the incident, and the person who detected the incident. Moreover, some of the information provided was inaccurate, e.g. the description of the incident and the response actions carried out.

Due to this, the Italian DPA (‘Garante’) had to act ex officio following press reports regarding the facts in question and notifications presented by various data controllers involved. The investigation revealed that the company did not adopt several security measures.

Firstly, at the time of the incident, the company did not have staff dedicated to 24-hour analysis of the alerts generated by Microsoft’s SIEM, the security monitoring system. Secondly, the company did not separate the networks for employees’ accounts from the servers used for the various processing operations carried out. Thirdly, although the filtering rules on the firewalls in the data center managed by the company were set up to target specific critical systems, they failed to stop the malware from spreading to around 180 systems. Fourthly, the attackers succeeded because of a vulnerable authentication procedure for remote system access, which relied solely on username and password credentials, and because of the company’s failure to update its operating systems, which created additional vulnerabilities.

It also emerged that the temporary unavailability of access to data processed through the mentioned healthcare facilities was, on the one hand, a direct consequence of the cyber-attack and, on the other hand, an indirect consequence of the subsequent actions by the company. In fact, the company decided to shut down all the server systems, which prevented it from determining which ones were compromised. Additionally, given the absence of system separation, it could not prevent further spread of the malware.

As part of its defence, the company represented that it performed annual internal audits based on the certification process of its Information Security Management System. The company also declared that, prior to the incident, its information security system had been implemented in compliance with the industry certification standard ISO/IEC 27001.

Holding

The investigations conducted by the Garante revealed a series of serious violations by the company. Firstly, the Garante determined that the company acted in the role of a controller of its own operating systems, which were also a target of the cyber-attack. For this reason, it failed to fulfil its obligation under Article 33(1) GDPR to report the breach to the DPA within 72 hours of becoming aware of it. In addition to that, the DPA determined that, as a processor, the company was obliged to report the incident to all the controllers affected by the breach as per Article 33(2) GDPR. The company failed to provide adequate justifications for the above-mentioned delays. As a result, the DPA found a violation of Article 33 GDPR.

Secondly, the DPA noted that the company failed to adequately document the breach, as the report contained incomplete information regarding the data breach and its handling. Such behaviour was also not in line with the company's own data breach management policies, which provide for the keeping of an events register on reports of alleged breaches. The DPA thus found a breach of the obligations under Article 33(5) GDPR.

Thirdly, the lack of various security measures, such as assigning personnel for system security monitoring, separating operational networks, or reinforcing filtering rules on the firewalls within the data center, led to various vulnerabilities. Exploited by attackers, these vulnerabilities provided access to the company's operating systems which, as discovered after the attack, were outdated.

In this regard, the DPA highlighted that the processing operations carried out in this context require the adoption of the highest security standards. The company argued that its information security system was in compliance with the ISO/IEC 27001 certification standard. However, the DPA noted that such certification is not, at the moment, among those envisaged by Article 42 GDPR. The certification can be used as an element to demonstrate compliance with GDPR obligations and to show that an organisation has identified and implemented certain security controls. However, it does not guarantee predefined security levels or measures. For these reasons, the Garante found a violation of the processing principle under Article 5(1)(f) GDPR and of Article 32 GDPR on the security of processing, which was compromised by the company in its capacity as both controller and processor.

The DPA imposed a fine of €271,000 on the company for the failure to report the data breach and for the lack of security measures applied to processing operations conducted on such a wide scale.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 10 April 2024

[doc. web no. 10002324]
Provision of 21 March 2024
Register of measures
n. 194 of 21 March 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Mr. Fabio Mattei, secretary general;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);
HAVING REGARD to Legislative Decree no. 196 of 30 June 2003, containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC" (hereinafter “Code”);
HAVING REGARD to Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution of the Guarantor no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and at www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);
HAVING SEEN the documentation on file;
HAVING REGARD to the observations made by the secretary general pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organisation and functioning of the office of the Guarantor for the protection of personal data, at www.gpdp.it, doc. web no. 1098801;
RAPPORTEUR Prof. Pasquale Stanzione;
WHEREAS
1. The preliminary investigation activity.
Following press reports and notifications of personal data breaches sent in the first days of XX by the Lazio Region and the Lazio Regional Council, pursuant to art. 33 of the Regulation, the Authority learned that the information systems managed by the company LAZIOcrea S.p.a. (hereinafter “Company” or “LAZIOcrea”), as data processor on behalf of the Region, the Regional Council of Lazio and various bodies of the regional health service, had been the subject of a cyber attack caused by ransomware-type malware.
In particular, with the notification of , the Lazio Region declared that it had "suffered a cyber attack which compromised the functionality of the services offered by the regional data center; a technical verification of what happened is currently underway, and at the moment it is not possible to determine whether there has been data loss, the categories and approximate number of records of the personal data in question, or the possible consequences of the personal data breach".
In consideration of the large number of data subjects involved and the nature of the personal data subject to the breach, the Office requested information from the aforementioned Company regarding the personal data breach, as well as the security measures adopted, with particular reference to the technical and organisational measures adopted to guarantee the availability and resilience of the processing systems and services and the timely restoration of the availability of and access to personal data in the event of an incident (notes of XX and XX, to which the Company replied with notes of XX, XX, XX and XX).
Subsequently, an inspection activity was carried out against the Company in the months of XX and XX.
With note dated XX, the aforementioned Company, in response to the aforementioned request for information formulated by the Office, declared that:
“following the cyber attack that occurred on the night of XX (caused by ransomware-type malware), some IT systems in the Lazio Region were deactivated, making the related services, data and information processed temporarily unavailable";
was "committed to providing support to the investigation activities being carried out by the police and other competent national security authorities";
"analysis activities were underway to ascertain the scope and extent of the violation of the personal data processed [...] once the dynamics of the events had been learned in detail, also from a historical and technical point of view";
it was "necessary to operate in parallel to restore services by putting in place all the safeguards and precautions needed to prevent the systems themselves from being subjected to a further attack".
Subsequently, on the XX, the Company notified, on a preliminary basis, the violation of personal data, making use of the right to provide further information in subsequent phases, provided with the subsequent additions of the XX and the XX.
In the aforementioned notification it was stated, in particular, that "the delay in notification depended (i) on the need to acquire the minimum elements necessary to provide as complete information as possible, (ii) on the need to primarily restore the essential services to the citizens of the Lazio Region and (iii) on the need to ascertain, with the collaboration of cyber security companies and the judicial police authorities, the actual extent of the incident both in terms of applications and with reference to the protection of personal data and the freedoms and rights of data subjects, which at present, except for the voluntary unavailability of the data, do not appear to have been compromised".
It was also represented that:
“the attack began in the late evening of 31 July but became evident in the early hours of the morning of 1 August, when some virtual machines were found to be unusable. This is a cyber attack aimed at propagating malware belonging to the family known as "RansomEXX", alias "Defray777", which was promptly reported by our IT security service to the CSIRT and CNAIPIC with a report/complaint sent by email on 1 August at 10.22 am. The attack concerned the application layer of data center virtualisation, forcing the Company to take all systems offline to ensure that the integrity and confidentiality of the data were not compromised";
“the essential services relating to the emergency activities of 112, 118, blood transfusion centres, the Emergency Room and Civil Protection have never been interrupted or compromised even during the investigative activities aimed at ascertaining the extent of the accident. Partly because they are segregated from other applications”;
"all other services and applications resident in the data center have been restored or will be restored [...] after having verified that any residual and/or possible contamination has been remediated and having reconfigured the systems with respect to the pre-existing security architecture. For purely informative purposes, the vaccination activities against Covid continued, and the booking service for the aforementioned vaccines was restored in four days, before the new administration slots became available. At the time of the incident, slots were already occupied until the following 13 August. Starting from 16 August, third party application providers resident in the data center will have the possibility to reinstall their systems to resume the provision of related services";
“The origin of the incident currently appears to be attributable to the inoculation, on one or more client computers operating remotely via VPN, of malicious software which created a communication channel (backdoor) between the infected client computers and the group of cyber criminals. The cyber criminals, using the same credentials, subsequently managed to access the company network and from there move "laterally" even within the so-called subnetworks, carrying out an escalation to administrative users, which were probably identified by intercepting at a low level the data packets transiting on that network at the time of user login. These criminals appear to have used the skills of another group of hackers, to whom the encrypted passwords were passed. This further group of criminals, exploiting a presumable vulnerability in the operating system, managed to decrypt a password which was then combined with one of the four user IDs with administrator privilege previously identified by the hackers”;
"the experts then carried out checks to assess whether the attack, which did not compromise the integrity and confidentiality of the data, had allowed the intruders to appropriate the data through exfiltration and/or transfer techniques. The analyzes have confirmed that to date the exfiltration can be excluded given that during the period of the attack there were no data flows towards the outside";
“the files found in the temporary directories in fact derive from automatisms of the tools used for the attack and are aimed mainly at verifying the system architecture and the inventory of applications present, so as to better prepare the attack depending on the system configurations detected. Furthermore, the firewall policies active during the attack did not allow the use of the FTP, SSH and SFTP protocols from within the data center perimeter towards the Internet. In any case, "Cyber Threat Intelligence" activities are still underway by the consultants hired to verify that information belonging to LAZIOcrea is not made public, even if it refers to data already known before the attack. At the moment, despite the expiry of the ultimatum, no new information has been made available on the web and in particular on the so-called illegal “darkweb””;
“the data and information present in the databases were therefore unavailable for the time necessary to restore the applications, secure the perimeter of the data center and reconfigure it. For some systems the information will remain unavailable until reactivation, which will be completed over the next few days. Therefore, there are no serious limitations to the freedoms and fundamental rights of the data subjects."
With the supplementary notification of XX, the Company provided the list of applications and services involved in the violation - with an indication of those restored immediately and in the process of being restored - and the list of those that remained active as they were segregated from the infrastructure under attack, representing, in particular, that:
on the basis of "the investigations conducted by the internal IT Security structure, the CSIRT, the CNAIPIC and the company Leonardo S.p.A., it appears that the attack, which began at 3.05 pm on the afternoon of the 20th, was caused by the compromise of an account belonging to a regional employee whose access credentials were stolen by means of malicious artifacts (back doors) installed on the personal computer used by the same for remote connections to the company network necessary for smart working";
“Forensic analysis activities have established that the artifacts were inoculated on March 25, 2021 and that they were not detectable on the host computer by antivirus and anti-malware software. During the forensic analysis of the copy of the computer in question, the scan still gave a negative result even though the so-called “signature database” of the antivirus/anti-malware software had been updated by the forensic investigators as of the most recent date of August 10. The user's remote connections with the company network were in any case protected by a VPN";
“anomalous access attempts also emerged against six user accounts on the OWA interface of the email systems starting from 12 April 2021 and up to 26 July 2021. However, these attempts do not appear to be connected to the incident and were mostly resolved, with the exception of one user, with the denial of access to the mail service";
“in conclusion, the attack was launched on the afternoon of Saturday 31 July 2021 using the first compromised account and emerged perceptibly when, in the early hours of the morning of 1 August, the first malfunctions of some virtual machines of the Data Center began to occur”;
“the attack concerned the machines located in Room “B” [of the data center managed by the Company], where there are different types of hardware both for the computational part and in terms of storage and network equipment (essentially Cisco, Dell, Fortigate, etc.). Since these are modular machines, and in any case scalable in terms of computational and storage equipment and characteristics, they are managed by proprietary firmware on which the Microsoft Active Directory hosts and the VMware and Microsoft Hyper-V virtualization operating environments have been installed. On this virtualization environment, virtual machines with Windows Server and Linux operating systems have been configured and installed to serve the services and applications necessary for the processing carried out by LAZIOcrea both as Data Controller and as Processor for other Data Controllers, and in particular for the Lazio Region".
During the aforementioned inspection activities, the Company also declared that:
− "following the forensic analyses carried out, it appears that, in the month of March 2021, a malicious party introduced a backdoor - not known and not detected, neither at the time nor during the analyses, by the most common antivirus and antispyware software - which was probably used to acquire the authentication credentials" attributed to the employee;
− "on 31 July 2021 the aforementioned authentication credentials were used to remotely access the Company's network and to conduct the actions leading to the cyber attack. In particular, the malicious actors carried out a series of scanning activities, aimed at acquiring information on the network and the server systems present there. As part of these activities, they identified the server with hostname "RLWSIRIFT01" on which basic software was installed for which updates or security patches from the manufacturer were no longer available. This circumstance was due to the need to guarantee the functioning of a legacy web application that required a particular version of the operating system and application server. By exploiting known vulnerabilities in the basic software present on the aforementioned server, the malicious parties managed to come into possession of authentication credentials with administrative privileges [...] used in the subsequent phases of the cyber attack";
− "the Company became aware of the cyber attack through a report from a healthcare worker who, unable to access certain services provided by the Company, at approximately 05:00 on 1 August 2021 contacted the on-call systems engineer for healthcare services by telephone. Following the report and the initial analyses carried out, the systems engineer noted the relevance of the security incident and proceeded to contact other systems engineers, some of whom immediately went to the data center. At approximately 06:15 on 1 August 2021, the report was brought to the attention of the director of the Company's Infrastructure Systems Department";
− "with reference to the initiatives taken following the detection of "hostile activities" (2,189 alarms) by the "Microsoft Windows Defender ATP console" on the evening of 31 July 2021, [...] pending the activation of the SOC service of Leonardo S.p.a., this monitoring tool was not manned 24 hours a day" and, therefore, "these alarms could not be managed with "greater" timeliness".
In the documentation acquired during the preliminary investigation phase, the Company also provided the following list of the controllers on whose behalf it carried out the processing of personal data involved in the violation: Lazio Region; Lazio Regional Council; Local Health Authority Rome 1; Local Health Authority Rome 2; Local Health Authority Rome 3; Local Health Authority Rome 4; Local Health Authority Rome 5; Local Health Authority Rome 6; Frosinone Local Health Unit Company; Latina Local Health Authority; Rieti Local Health Unit Company; Viterbo Local Health Authority; PTV Policlinico Tor Vergata Foundation; San Camillo Forlanini Hospital; San Giovanni Addolorata Hospital Complex; Sant'Andrea University Hospital; National Institute for Infectious Diseases Lazzaro Spallanzani IRCCS; General house of the Hospitaller Order of Saint John of God – Fatebenefratelli (which was taken over, from the XX, by the Gemelli Isola Società Benefit S.p.a. company); Religious Province of St. Peter of the Hospitaller Order of St. John of God – Fatebenefratelli; Policlinico Umberto I University Hospital; ARES 118 Regional Health Emergency Company; Institute of the Daughters of St. Camillus; Bambino Gesù Pediatric Hospital; European Hospital S.p.a.; Eurosanità S.p.a.; Agostino Gemelli IRCCS University Polyclinic Foundation; Association of Italian Knights of the Sovereign Military Order of Malta; San Carlo di Nancy Hospital GVM Care & Research S.r.l.; Campus Bio-Medico University of Rome; Israelite Hospital; Virginia Bracelli S.p.a.; National Institute for the promotion of the health of migrant populations and for the fight against diseases of poverty; Casa di Cura Sant'Anna - Policlinico Città di Pomezia S.p.a.
1.1 The measures in place at the time of the violation
With reference to the measures in place at the time of the violation, the Company declared that "the data center and the company procedures for data security and protection are ISO 27001 certified".
In particular, with regard to the technical and organizational measures adopted to guarantee the availability and resilience of the processing systems and services, as well as the timely restoration of the availability and access of personal data in the event of an accident, the Company has provided a copy of the backup procedures, the business continuity and disaster recovery plan, the incident management process and the personal data breach management procedure in place as of 31 July 2021.
During the inspection activities, the Company then declared that:
“uses Microsoft's Active Directory as an IT authentication system. This system is used for the authentication of users of the Company, the Region and other external bodies for access to systems certified to the domain (workstations and servers) and to some web applications, as well as for remote access, via VPN, to the Company's network" specifying that "at the time the personal data breach occurred, a multi-factor IT authentication procedure was not envisaged for VPN access";
“has defined different password policies for the different types of accounts used by the staff of the Company, the Lazio Region and other entities. In particular, at the time the personal data breach occurred, passwords for accounts without administrative privileges had to be composed of a minimum of 8 characters, contain characters from at least three categories (uppercase letters, lowercase letters, numbers, special characters), not coincide with the last four passwords, and be changed at most every 90 days; the passwords of accounts with administrative privileges had to be composed of a minimum of 20 characters, contain characters from at least three categories (uppercase letters, lowercase letters, numbers, special characters), not coincide with the last four passwords, and be changed at most every 30 days";
“has put in place measures to segregate the systems that are present within the data center. In particular, the servers that host the various databases are located in networks that are segregated from other networks, which is why the cyber attack at the end of July did not involve the data stored within these servers. Similar segregation measures are applied to servers that provide particularly critical services [...] or dedicated to specific customers [...]";
with reference to the security measures relating to the segregation of networks, in place at the time of the personal data violation, "there are two levels of firewalling: the first is dedicated to filtering communications between the networks on which the workstations of the employees of the Lazio Region and of the Company (attested on LAN networks accessible at the headquarters of the regional offices and of the Company) and those on which the server systems are attested; the second is instead used for filtering network traffic to and from the data center and communications between the networks on which the server systems are located. In particular, the firewalling rules are configured on the basis of the indications provided by the various project managers. In some cases, network traffic filtering is also implemented between the different architectural layers of a system (front-end, back-end, database) or for different environments (development, testing and production). Some critical systems or services [...] are instead connected to dedicated and separate networks, even physically, from the other systems present in the data center";
“at the end of July 2021, when the security incident subject to the inspection occurred, the filtering rules did not prevent, at network level, the reachability of the compromised server systems from the network used for VPN access by the employees of the Company and of the Lazio Region, including [... the employee's account]. For this reason, the malicious actors managed to carry out a reconnaissance of the server systems visible from the network used for VPN access, as well as to identify one with an obsolete operating system ("RLWSIRIFT01") affected by some known vulnerabilities. […] one of these vulnerabilities was then exploited to acquire the authentication credentials with administrative privileges […] used in the subsequent phases of the cyber attack”;
“until 30 June 2021, it used a Security Information and Event Management (SIEM) service, based on IBM technology and provided by Fastweb S.p.a. within the scope of a Consip agreement. From 1 July 2021, the Company has activated a new SIEM service, based on Microsoft technology (Sentinel). At the time the cyber attack occurred, the Company did not have personnel (internal or external) dedicated to the 24-hour analysis of the alerts generated by Microsoft's SIEM, awaiting the activation of a security operations center (SOC) service provided by Leonardo S.p.a., which then took place in the first days of August 2021";
“At the time of the security incident, it was using Dell's Data Domain product as its backup management system. Specific backup management procedures had not been defined, but it was envisaged that each project representative would communicate, at the time of release into operation, using a specific template, among other things, information on the type and retention of the backups to be carried out. The periodicity of the backups was daily (starting at approximately 8.00 pm)”;
performed audits on the incident management process and provided copies of audit plans and reports;
"on an annual basis, carries out internal audit activities on each of the processes envisaged by the SGSI [...] The Company has planned, as part of the audit program for the year 2022, the execution of a specific audit activity on the security incident that occurred at the end of July 2021, also in order to close the observation made by the certification body (Apave Certification Italia S.r.l.) during the surveillance visit for the maintenance of the ISO 27001 certification, which took place on 26 and 29 November 2021".
1.2 The measures adopted following the violation
With reference to the measures adopted following the violation, the Company, with the supplementary notification dated XX, represented that:
"at the time of the accident, together with the systems being taken offline, corrective actions were implemented including: i) the creation of a crisis team; ii) the recruitment of external consultants expert in specialist incident response, cyber security and system remediation activities; iii) the reactivation of each application system subject to compatibility with the investigation activities and the verification of the security of the applications themselves also using bridge installations on Cloud environments provided by Agid certified CSP providers; iv) the activation of all activities and controls necessary to guarantee the physical and logical security perimeter of the data center; v) the identification of a series of remedial actions to increase the security of the systems and the consequent protection of personal data, despite the fact that the pre-attack security levels already met industry standards as the Company obtained ISO 27001 certification";
"in all cases a communication was made both on the institutional website of the Lazio Region and on that of Laziocrea to inform all users and interested parties of the actual extent of the disruption and the risks inherent to personal data";
“all applications both owned by Laziocrea and managed by Laziocrea as Processor for the Lazio Region or for other Controllers have been restored [...]. The processing managed on behalf of the Region as Processor [...] (REG 09 – RES065 in the processing area DSINF 45 - Development, Maintenance, Administration, User assistance of the Notice and Call Management system of the Lazio Region for Culture) was restored from the back-up and, for the Cine Produzione and Cine Promozione tenders, although it contained all the requests presented, it caused some problems with the restoration of the documentation attached to the aforementioned requests. The problem concerns the cases financed for the years 2017-2018-2019 and 2020, which are around 1,800; for some of these it was not possible to restore from the back-ups all the attachments of the applications now archived [...]. However, there is the possibility that part of the documents cannot be restored because the restored file is corrupt";
“At the moment there is no evidence of exfiltration of structured data, although we cannot exclude with absolute certainty that files containing information may not have been viewed or consulted during the attack. During the time span in which the ransomware spread, no external connections were observed which would suggest a possible uncontrolled transfer of information."
To carry out data and system restoration operations, the Company represented that, in the absence of tools for decrypting the "files encrypted by the ransomware", it recovered "portions of large files through the use of data carving tools”.
Furthermore, during the aforementioned inspection activities it declared that:
“following the incident, the two-factor authentication procedure was activated, based on the use of username/password and a one-time password (OTP)”;
“following the personal data breach, the password policies of accounts without administrative privileges were modified, increasing the minimum length to 10 characters”;
"based on the indications provided by the Region in terms of priority in restoring services and compatibly with the investigative needs expressed by the judicial authority, the Company has reinstalled all the servers of the domain, including the domain controllers, using the intact copies of the different applications. As part of this restoration activity, the Company also made use of the consultancy of Microsoft, which certified the absence of so-called “decoy users” on the Active Directory that could have been created by malicious actors during the cyber attack”;
“adopted a new backup management system based on Commvault technology, which is located on premises at the Company's data center, but which allows, where necessary, to also use the cloud service offered by the supplier. The new system allows for easier management and monitoring of data and system backups. It is still expected that each project representative communicates, at the time of release into operation, using a specific form, among other things, information on the type and retention of backups to be carried out";
“following the security incident, some services and systems were restored, and are still provided, in a cloud environment, in particular: on Amazon's AWS cloud (data center located in Lombardy) the healthcare service booking system (herein including anti-SARS-CoV-2 vaccines and swabs) and the regional vaccination registry; on the Microsoft Azure cloud (data center located in Ireland) the Identity and access management (IAM) system and various institutional web portals (e.g. Lazio Region portal)”;
“following the security incident that occurred at the end of July 2021 […] launched a series of initiatives aimed at reviewing and strengthening the filtering rules applied to communications between and towards server systems”;
“remote access to the systems and services present in the data center occurs via VPN (based on Pulse Secure technology). In this case, a first level of filtering policy is carried out by the VPN concentrators which apply different privileges and rules based on the domain groups of which the user is a member";
“has identified the (few) servers which, to guarantee the functioning of some legacy services, still use obsolete operating systems and has taken steps to adopt appropriate segregation measures, at network level, as well as monitoring security events”.
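As an added illustration (not code from LAZIOcrea or from the decision), the password rules the Company declared in section 1.1, together with the post-breach minimum length from section 1.2, expressed as a checker; the policy values come from the text, while the sample passwords and dates are constructed.

```python
"""Password-policy checker modelled on the two policies described in the decision.

Added example, not code from LAZIOcrea or the decision. The numeric policy values
are taken from the text; passwords and dates used as input are constructed samples.
A real deployment would compare password hashes for the history check, not plaintext.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# The four character categories named in the declared policy.
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_categories: int  # distinct character categories required
    history: int         # must differ from the last N passwords
    max_age_days: int    # must be changed at least this often


# Policies declared as in place on 31 July 2021 (section 1.1).
STANDARD_BEFORE = PasswordPolicy(min_length=8, min_categories=3, history=4, max_age_days=90)
ADMIN = PasswordPolicy(min_length=20, min_categories=3, history=4, max_age_days=30)
# Post-breach change for non-administrative accounts (section 1.2): minimum raised to 10.
STANDARD_AFTER = PasswordPolicy(min_length=10, min_categories=3, history=4, max_age_days=90)


def category_count(password: str) -> int:
    """Number of distinct character categories present in the password."""
    return sum(1 for rx in CATEGORIES.values() if rx.search(password))


def check_new_password(policy: PasswordPolicy, password: str, previous: list[str]) -> list[str]:
    """Return the list of policy violations for a proposed password; empty means acceptable.

    `previous` is the account's password history, oldest first.
    """
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if category_count(password) < policy.min_categories:
        problems.append(f"fewer than {policy.min_categories} character categories")
    # "not coincide with the last four passwords": only the most recent N count.
    if password in previous[-policy.history:]:
        problems.append(f"matches one of the last {policy.history} passwords")
    return problems


def is_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """True when the password is older than the policy's maximum age."""
    return (today - last_changed) > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed sample: a password that met the pre-breach standard policy
    # but fails the post-breach minimum length.
    sample = "Tr0ub4d!"
    print("before:", check_new_password(STANDARD_BEFORE, sample, []))
    print("after: ", check_new_password(STANDARD_AFTER, sample, []))
    print("admin: ", check_new_password(ADMIN, sample, []))
```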
1.3 Documentation relating to the violation
With reference to the documentation on personal data violations that have occurred, kept pursuant to art. 33, par. 5 of the Regulation, the Company represented that it "maintains a register of security incidents that have occurred for the purposes of ISO 27001 certification, which is also used to record personal data violations" and provided an extract from the aforementioned register relating to the security incident that occurred at the end of July 2021 and some documents certifying the actions taken following the personal data breach that occurred.
Furthermore, the Company highlighted that "as required by both the ISO 27001 procedures and the privacy system, a technical table has been activated whose results, together with the reports produced by the various structures involved (not least those of the Leonardo consultant and the internal structure of IT Security and infrastructural architectures, already provided to this Authority), were brought to the attention of the corporate bodies (Board of Directors and Supervisory Body) by the President. These communications were made during the entire internal investigation, first verbally and by email immediately and then in writing with notes digitally signed by the President of the Company dated XX and XX. The results of all the activities, the documentation of the violations found and the assessments carried out including the corrective and remedial actions to be implemented were attached to these reports. In particular, the Company's final assessments regarding the violation found with reference to the risks for the protection of the rights of the interested parties were reported in the last report of the XX".
1.4 Information about the breach provided to data controllers
The Company provided a copy of the "notes sent to the Region [...], as well as the notes sent to the other Data Controllers", specifying that the "notes sent to Data Controllers other than the Region have the same content for which the three models [...] of the three different notes sent" and attaching a "list of the Data Controllers [...] who received said notes, with the indication of the organisation's references, the transmission dates and the LAZIOcrea protocol".
With reference to the Lazio Region, the Company represented that it had sent three communications to it:
with a note from the XX, sent in response to a request from the Region of the XX, provided some "clarifications and useful information regarding the IT incident which occurred at the Data Center of the Lazio Region on the night between 31 July and 1 August", highlighting that "the essential services relating to the emergency activities of 112, 118, blood transfusion centres, the Emergency Room and Civil Protection have never been interrupted or compromised" and that "all other services and applications resident in the data center have been restored or will be restored in the next few days after having verified that any residual and/or possible contamination has been remediated and having reconfigured the systems with respect to the pre-existing security architecture"; the Company also represented that "checks were then carried out to evaluate whether the attack, which did not compromise the integrity and confidentiality of the data, had allowed the intruders to appropriate the same through exfiltration and/or transfer techniques", which "confirmed that exfiltration can currently be ruled out given that no outward data flows were detected during the period of the attack"; LAZIOcrea finally highlighted that "the technical details of the attack and of every single remedial action implemented will be more fully set out in the final reports on the incident which are being drawn up both by the independent team of experts and by the corporate structures responsible for data security and protection";
with the note of the XX, sent in response to a request from the Region of the XX, it provided "information regarding the list of applications, treatments, categories of interested parties, types of data and dates of expected reactivation", confirming that "there was no compromise of the data managed by the applications and systems in operation in terms of integrity and confidentiality";
with the note of the XX, informed the Region that "all the application systems managed by LAZIOcrea both as controller and as processor on behalf of the Lazio Region and/or other subjects have been restored" and that "some information websites are still being redesigned to improve security due to the obsolescence of the application platforms on which they were originally developed"; the Company also highlighted that "the information received from the investigative authorities (CNAIPIC, DIS and CSIRT) leads to the exclusion that the data breach resulted in the exfiltration of data linked to the processing carried out by LAZIOcrea both as Data Controller and as Processor", also by reason of the fact that "no data was published on the dark web even close to the deadline of the Hackers' ultimatum".
With reference to the other data controllers involved, the Company represented that it had sent three communications to them:
with note dated XX, provided "information in relation to the cyber attack on the Data Center of the regional Administration perpetrated by unknown cyber criminals on 31 July 2021/1 August 2021", "communicated so that the recipients have the elements to proceed independently to a preliminary notification of the data breach to the Guarantor for the protection of personal data"; the Company highlighted that "the services and applications resident in the data center have been restored or will be restored in the next few days after having verified that they have been cleaned of any residual and/or possible contamination and having reconfigured the systems with respect to the pre-existing security architecture. Starting from 16 August, third-party application providers resident in the data center will have the possibility to reinstall their systems to resume the provision of related services" and communicated a series of corrective actions adopted following the incident; the Company also represented that "checks were then carried out to evaluate whether the attack, which did not compromise the integrity and confidentiality of the data, had allowed the intruders to appropriate the same through exfiltration and/or transfer techniques", which "confirmed that to date exfiltration can be excluded given that during the period of the attack there were no external data flows", highlighting that "the technical details of the attack and of every single remedial action implemented will be more fully set out in the final reports on the incident which are being drawn up both by the independent team of experts and by the company structures responsible for security and data protection";
with note dated XX, provided "further information in relation to the cyber attack on the Data Center of the Regional Administration perpetrated by unknown cyber criminals on 31 July 2021/1 August 2021", highlighting that "the investigations conducted have ascertained only the compromise and loss of confidentiality [of ...] two company accounts, with the exclusion of any compromise of the data managed by the applications and systems in operation in terms of integrity and confidentiality";
with the notes of the XX and XX (the latter sent only to the Casa di Cura Sant'Anna - Policlinico Città di Pomezia S.p.a.), represented that "all the application systems managed by LAZIOcrea both as controller and as processor on behalf of the Lazio Region and/or other subjects" and that "some information websites are still being redesigned to improve their security due to the obsolescence of the application platforms on which they were previously developed"; the Company also highlighted that "the information received from the investigative authorities (CNAIPIC, DIS and CSIRT) leads to the exclusion that the data breach resulted in the exfiltration of data linked to the processing carried out by LAZIOcrea both as Data Controller and as Processor", also by reason of the fact that "no data was published on the dark web even close to the deadline of the Hackers' ultimatum".
During the investigation, it also emerged that several data controllers, after learning of the cyber attack through press reports, proceeded to ask the Company for information in this regard. In particular:
the Roma 2 Local Health Authority, with note dated XX, asked the Company to "receive [...], as quickly as possible, a specific report describing at least the nature of the violation of personal data including, where possible, the categories and the approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned; the probable causes and consequences of the personal data breach; the measures taken or proposed to be taken to remedy the personal data breach and also, where appropriate, to mitigate its possible negative effects; as well as [...] the contact details of your data protection officer or other contact point from which to obtain more information" (see company notification of XX) and, with subsequent note of XX, requested the transmission of a “full conclusive breach report”;
the Roma 3 Local Health Authority, with a note dated XX, asked the Company for information about "which and how much personal data relating to the interested parties/patients/users of the [...] Company were, and in what way, involved in the data breach";
the Roma 4 Local Health Authority, with a note from the XX, asked the Company "which and how many personal data relating to the interested parties/patients/users of the undersigned Company were, and in what way, involved in the data breach. The undersigned Company has already forwarded a preventive and precautionary communication to the Guarantor for the Protection of Personal Data in relation to the privacy incident that occurred; however, the aforementioned communication would require specific indications - as required by the GDPR and the Privacy Code - which we have reserved the right to specify following your response to this letter. In fact, the news of the data breach in question has made this last "fact known", but the real dynamics of the cyber attack and the effects suffered are not yet known. Therefore, if the investigations are still in progress, even if we understand the moment of emergency, we still ask you to inform us of what has already been ascertained and to update us on what will still be ascertained later";
the Roma 5 Local Health Authority, with a note from the XX, asked the Company "which and how many personal data relating to the interested parties/patients/users of the undersigned Company were, and in what way, involved in the data breach. The undersigned Company has already forwarded a preventive and precautionary communication to the Guarantor for the Protection of Personal Data in relation to the privacy incident that occurred; however, the aforementioned communication would require specific indications - as required by the GDPR and the Privacy Code - which we have reserved the right to specify following your response to this legalmail. In fact, the news of the data breach in question has made this last "fact known", but the real dynamics of the cyber attack and the effects suffered are not yet known. Therefore, if the investigations are still in progress, even if we understand the moment of emergency, we still ask you to inform us of what has already been ascertained and to update us on what will still be ascertained later";
the Roma 6 Local Health Authority, with a note dated XX, asked the Company to "provide, as quickly as possible, a specific report describing with the greatest level of detail possible, at least the nature of the violation of personal data including, where possible, the categories and approximate number of data subjects involved as well as the categories and approximate number of personal data records; the probable causes and consequences of the personal data breach; the measures adopted or proposed to be adopted to remedy the personal data breach and also, where appropriate, to mitigate its possible negative effects", as well as "the data of the appropriate contact point from which to obtain more information";
the Rieti Local Health Authority, with a note dated XX, asked the Company to "receive [...], as quickly as possible, a specific report describing at least the nature of the violation of personal data including, where possible, the categories and the the approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned; the probable causes and consequences of the personal data breach; the measures taken or proposed to be taken to remedy the personal data breach and also, where appropriate, to mitigate its possible negative effects; as well as [...] the contact details of your data protection officer or other contact point from which to obtain more information" (see company notification of XX) and, with subsequent note of XX, requested the transmission of a “full conclusive breach report”;
the Sant'Andrea University Hospital, with a note dated XX, asked the Company to "provide, as quickly as possible, a specific report describing with the greatest possible level of detail, at least the nature of the violation of personal data including, where possible, the categories and approximate number of data subjects involved as well as the categories and approximate number of personal data records; the probable causes and consequences of the personal data breach; the measures adopted or proposed to be adopted to remedy the personal data breach and also, where appropriate, to mitigate its possible negative effects", as well as "the details of the appropriate contact point from which to obtain more information";
the San Camillo Forlanini Hospital Company, with a note dated XX, asked the Company for a "report on the violation in question";
the PTV Policlinico Tor Vergata Foundation, with a note dated XX, asked the Company to "provide, as quickly as possible, a specific report describing with the greatest level of detail possible, at least the nature of the violation of personal data including, where possible, the categories and approximate number of data subjects involved as well as the categories and approximate number of personal data records; the probable causes and consequences of the personal data breach; the measures adopted or proposed to be adopted to remedy the personal data breach and also, where appropriate, to mitigate its possible negative effects", as well as "the details of the appropriate contact point from which to obtain more information";
the European Hospital S.p.a., with PEC of XX, asked the Company for "all the information necessary to be able to correctly frame the type and ownership of the data involved in the incident, in order to be able to evaluate whether or not to notify the incident to the Guarantor for the protection of personal data and/or the data subjects", highlighting that "on the basis of the information provided by you, the Facility is not in a position to evaluate whether the incident involves data of which it would be the controller, so as to be able to separate them from data falling under the control of other subjects such as, for example, the Region or the ASL which, as you know, often collect data referring to services provided by the Health Facilities without, however, this making such data attributable to the control of the Facilities themselves. From this substantial premise and from the absolute unavailability of any information regarding the concrete type of data involved, it also follows that the Facility cannot even proceed with any assessment of the actual risk that would have affected such hypothetical data. From all of the above it follows that the Facility is not currently in a position to evaluate the possible actual need to notify or not the Guarantor for the protection of personal data and/or the data subjects of the incident";
the religious Province of St. Peter of the Hospitaller Order of St. John of God, with a note of XX, asked the Company to "provide all useful information relating to the cyber attack suffered in July 2021, as well as to adopt all the procedures provided for by Article 33 GDPR".
In addition to the aforementioned inspection activity carried out against the Company, in the months of XX, XX, XX, XX and XX, further investigative activities were carried out through the acquisition of information from some data controllers who, on the basis of the documentation provided by the Company, were involved in the personal data breach.
From the documentation on file it can be seen that, following the cyber attack in question, the aforementioned healthcare facilities reported having suffered the temporary unavailability of numerous information systems through which data on the health of their patients are processed (e.g. systems responsible for health reservations, Covid-19 vaccination, teleconsultation, management of transfusion activities, transmission of radiological reports). The lack of access to the data stored on the aforementioned systems, which constitutes a personal data breach, was, on the one hand, a direct consequence of the cyber attack (which, by encrypting the contents of some server systems, made them unavailable) and, on the other hand, an indirect consequence of LAZIOcrea's decision to shut down all server systems, since it was impossible to determine which ones were compromised and, given the absence of segregation between them, to avoid further propagation of the malware.
1.5 The procedure initiated by the Authority
On the basis of the above, with note dated XX (prot. n. XX) the Office issued a notification of violation pursuant to art. 166, paragraph 5, of the Code to LAZIOcrea S.p.a., having found that the processing of personal data in question was carried out:
in violation of the obligations set out in art. 33, par. 1, of the Regulation by the Company in relation to the processing carried out as controller;
in violation of the obligations set out in art. 33, par. 5, of the Regulation by the Company in relation to the processing carried out as controller;
in violation of the obligations set out in art. 33, par. 2, of the Regulation by the Company in relation to the processing carried out in its capacity as processor on behalf of the data controllers;
in a manner that does not comply with the principle of "integrity and confidentiality", in violation of art. 5, par. 1, letter f), of the Regulation, by the Company in relation to the processing carried out in its capacity as controller and as processor on behalf of other controllers;
in violation of the obligations regarding the security of processing, in violation of art. 32 of the Regulation, by the Company in relation to the processing carried out in its capacity as controller and as processor on behalf of other controllers;
in a manner that does not comply with the principle of "data protection by design" referred to in art. 25, par. 1, of the Regulation by the Company in relation to the processing carried out as controller.
With note dated XX, the Company requested an extension of the deadline for submitting its defense briefs, which was granted by the Office due to the declared "complexity of the systems and services managed by LAZIOcrea on behalf of the Lazio Region and the other controllers".
With note dated XX, the Company sent its defense briefs, in which it contested - on a preliminary basis - the late initiation of the proceedings by the Authority, since "from the documents received during access to the file it is clear that the latest information was acquired by the Guarantor on XX. Even taking into account the summer suspension of time limits, therefore, the Communication had to be made by XX".
With the same note, compared to what has already been indicated in the documents, it was further highlighted that:
"the hackers had to carry out a complex decoding of the memory dumps of a server to take over an account with administrative privileges, which was in turn protected by a 20-character password according to the rules established by LAZIOcrea in compliance with security standards considered to be of a high level, also under the AgID provisions";
“proof that citizens' data have never been compromised is found not only in the failure to exfiltrate them, but also in the prompt restoration of the most important applications and in particular, of the tools supporting vaccination and booking healthcare services”;
"LAZIOcrea S.p.A. is, therefore, included in the list of public administrations included in the consolidated income statement identified pursuant to article 1, paragraph 3 of Law no. 196 of 31 December 2009 and subsequent amendments (Accounting and Public Finance Law). LAZIOcrea, therefore, despite being established in the form of a joint-stock company, is a subsidiarity instrument of the Region for the pursuit of public objectives, financed, without pursuing profit-making objectives, with funds from the regional budget according to the criterion of mere reimbursement of costs incurred";
the dispute regarding the violation of the obligations referred to in the art. 33, par. 1 of the Regulation is unfounded because:
"LAZIOcrea became aware of the Incident following the malfunction of some regional application systems hosted on the contaminated virtual machines. Said malfunction concerned IT applications used in the context of the processing delegated by the Lazio Region and, therefore, carried out by the undersigned as processor [...] LAZIOcrea was perfectly aware that the Lazio Region, as data controller, was promptly notifying the Supervisory Authority [...] with reference to the processing for which LAZIOcrea is controller, symptoms of malfunction were absent [...] The technical investigations, in order to verify whether there had been a data breach (of data for which LAZIOcrea is controller), could only be started after the completion of the preparatory actions for the restoration of regional services made unavailable following the precautionary isolation of the data center";
"only on XX - after the events being discussed - did the EDPB recommend notification in the event of ransomware even in cases of temporary unavailability, even without data exfiltration and in the presence of back-ups (and even this hypothesis - to follow the example contained in the new Guidelines - applies if there has in any case been encryption of the personal data by the attacker, encryption which in our case there was not)";
"excluding that the notification constitutes a formalism as an end in itself (being rather a fulfillment functional to the possible intervention of the Authority within the scope of its tasks and powers, as clarified by Recital 87 of the GDPR), the Authority was in short perfectly aware of the evolution of the situation well before 12 August, so much so as to exercise its powers to request information";
the dispute regarding the violation of the obligations referred to in the art. 33, par. 5 of the Regulation is unfounded because:
"the rule, therefore, identifies as its purpose that of documenting the Incident, leaving the controller full discretion regarding the form and means of this fulfillment";
"[the Company] has demonstrated that it has correctly fulfilled this obligation, indicating all the information required by art. 33, par. 5 of the GDPR within the multiple and highly descriptive technical reports (already acquired by the Authority), drawn up by the internal functions and/or external consultants who carried out the forensic analyses";
"it is therefore considered completely irrelevant with respect to the purposes of the provision (which requires documentation, not a formal method of documentation) that not all such information has also been included in the register of security incidents kept by the company according to its internal procedure for the management of breaches. Nor is it relevant that the inclusion of said information in the incident register kept by the company was required by the internal procedure for the management of breaches";
the dispute regarding the violation of the obligations referred to in the art. 33, par. 2 of the Regulation is unfounded because:
"it is not clear what usefulness there could be in further formal communications from LAZIOcrea, once the existence of the notification from the Region is perfectly known to the processor";
with reference to the other bodies of the regional health service, "these are operational processes which, although involving actors other than the Region, have the Region as the connecting subject and decision-making centre. These are therefore IT tools prepared by the Region through LAZIOcrea and for which the Region itself maintains a leading role and the provision of technical and economic resources";
"the malfunction concerned the same systems used by the Region and it cannot be assumed that the SSR bodies were not informed of the Incident from the moment it occurred. To assume that these entities were unaware of the Incident until August 12 is frankly unrealistic. Moreover, the same charges in the Opening Communication cite letters from ASLs or hospitals which before 12 August (ASL Rieti on 5 August, ASL Roma 2, Sant'Andrea, Forlanini on 6 August, for example) requested information on the investigations carried out about the Incident. Such letters could not be explained except in the light of an already developed knowledge of the Incident. Then there is the fact that all users of the regional systems immediately learned of the unavailability of the systems, as did the data subjects, from the screens prepared by LAZIOcrea in agreement with the Region, shown when a user tried to reach the specific IT resource on the network (whether a website or an intranet portal for accessing an application)";
with reference, more generally, to the dispute regarding the violation of the principle referred to in the art. 5, par. 1, letter. f), and the obligations referred to in art. 32 of the Regulation:
"the security measures adopted and implemented by LAZIOcrea to guarantee the protection of processing operations were adequate and perfectly in line with the mitigation measures defined following the risk analysis at the time they were implemented, as part of a correct cost/benefit ratio with respect to the economic resources available and, therefore, in compliance with art. 32 which - not surprisingly - opens with: 'Taking into account the state of the art and the costs of implementation'";
"the inauguration of the new regional Data Center, made possible by European and national investments, officially took place on 9 November 2019, just a few months before the outbreak of the pandemic. The topic of cyber security was placed at the basis of the project for the construction of the new Data Center from the beginning and was the subject of an ISO 27001 certification process in order to verify compliance with the security standards for the protection of information [...] the certification process of the Information Security Management System (SGSI), specifically also referring to the management of the Data Center infrastructure and the provision of services, concluded with the inspection visit of XX and with the obtaining of the certification on XX";
"The Incident we are dealing with is, if not exclusively, largely attributable to the temporary unavailability of a part and, following the implementation of security procedures, of the entire Data Center. This measure was necessary to react to the attack that the hackers were conducting on the application layer. The temporary unavailability of some applications was decided by LAZIOcrea operators in order to follow correct recovery procedures using off-line copies of the back-ups. Copies that were temporarily restored on virtual machines hosted on AgID-certified CSPs";
with reference, in particular, to the complaint regarding the failure to adopt adequate measures to promptly detect the violation of personal data:
"LAZIOcrea, already before the GDPR, had carried out an assessment of the risks connected to the processing and had equipped itself with a system for managing the security events generated by the hardware devices, operating systems and applications present in the Data Center (Security Information and Event Management - SIEM). The SIEM system used at the time of the first certification in 2020 was based on the Q-Radar product. The analysis of the logs produced by the SIEM was entrusted to an internal Security Operation Center made up of Company personnel, active during working hours from Monday to Friday from 8am to 8pm, with on-call coverage for the remaining hours of the day";
"from reading Annex B to the POA for the year 2021 it can be seen that the implementation service of the new 24-hour SOC, although not yet financed, was included as an activity to be finalized, subject to funding, by the end of the second half of 2021";
"Although the 24-hour SOC is not a mandatory measure for public administrations, LAZIOcrea and the Region cooperated to accelerate the implementation of such a control, more continuous than the existing one (which had been judged adequate by the certifier), by making contact in advance, already in the first months of 2021, with the supplier Leonardo S.p.A. for the carrying out of preliminary analyses, the drafting of the needs plan and the configuration of the supply order pursuant to the Consip Agreements, with the commitment to formalize everything when the funds were allocated by the Region. Thus bringing forward the operational start of the new SOC to the first months of the second half of 2021";
"Although the Incident occurred before the new SOC went into operation, the conduct of the Processor and Controller in increasing the security of the systems as the technologies and tools available to hackers advanced cannot be accused of belatedness. The timescales, in any case in compliance with public spending rules, were even brought forward compared to the administrative and operational path that Public Administration action normally requires";
with reference, in particular, to the complaint regarding the failure to adopt adequate measures to guarantee the security of the networks:
"LAZIOcrea had put in place measures to segregate the systems present within the Data Center, assigning the servers that host the various databases to networks segregated from the other networks. It is precisely thanks to the effectiveness of this segregation that the attack did not involve the databases stored within the data center. Similar segregation measures were applied to servers that provide particularly critical services or services dedicated to specific customers, such as the essential services relating to the emergency activities of 112, 118, blood transfusion centres, emergency rooms and civil protection, which were not compromised by the attack, as they are also physically segregated from the other applications";
"the manager of the network systems who, as direct manager of the function, declares and certifies the existence, already at the time of the Attack, of careful configurations of the network access and segregation rules through: (i) the preparation of various logical subnets; (ii) a first level of filtering rules separating the networks on which the workstations are located from those where the server systems are located; (iii) a second level of filtering rules separating the communications traffic to and from the data center from the communications between the networks on which the server systems are located; (iv) firewalling and filtering rules separating traffic based on the application context (front end, back end, database); (v) dedicated networks physically separate from the other systems. We have already discussed the segregation of databases. To this must be added the rules of the VPN concentrators, which applied different privileges and access rules based on the domain groups to which the user belonged";
"It cannot therefore be argued that there were no 'adequate' access and filtering rules for communications and networks. Furthermore, if the networks had not been correctly configured and architecturally structured, the consequences of the attack would have been much more significant, with a more than high-level impact on the rights and freedoms of the data subjects. In fact, the hackers would easily have had access to the databases containing the personal data, as unfortunately happened in many other attacks launched in periods following that of the Incident which concerns us";
with reference, in particular, to the dispute regarding the obsolescence of the basic software installed on some processing systems:
"The outdated operating system that facilitated the attack was Windows Server 2008 R2 Standard, for which security updates were no longer available from the manufacturer. This system was not directly visible from the internet (it was not an exposed service but was called by other applications) because it was only used as an internal service within the domain of accessible systems. Access was possible only after passing the barrier implemented by the VPN. This system was installed and used for the management of school building projects in the Lazio Region. It was a system developed on a programming language and platform that is now obsolete and not available for the most recent server operating systems. The application, which mostly concerned the use of common data (certainly not citizens' personal data), would have had to be completely rewritten and redesigned using new platforms";
"the timescales relating to the adoption and implementation of new technologies by public administrations, which act within a specific regulatory framework, are not always compatible with the need for continuity of services. Activities for which no regional funding was available at the time";
with reference, in particular, to the complaint regarding the failure to adopt adequate measures to ensure the availability and resilience of processing systems and services:
"in reality, if LAZIOcrea carried out improvements after the Incident, equipping itself with new back-up procedures, this does not mean that the back-up management implemented at the time of the Incident was inadequate, much less that there were no back-ups. The backups, as we will see, were perfectly functional, otherwise it would not even have been possible to reinstall from scratch, in a short time, the applications involved in the Incident";
"LAZIOcrea assessed that the backup system was adequate to guarantee the availability and resilience of the systems, efficiently carrying out the task of data storage and recovery. Also on this point, the certifying body did not identify critical issues with reference to the backup system, which was therefore to be considered adequate, while the Company undertook to implement the improvement observations indicated, as already mentioned, by the certifying body in its Audit report of 24-26 November 2020";
with reference, in particular, to the dispute of the violation of the principle referred to in the art. 25, par. 1, of the Regulation:
"this is obviously a defective charge, as the Authority did not describe the facts, understood as the actions or omissions attributable to the Company, from which the alleged violation of the aforementioned regulatory provision would derive";
"in this regard it is worth observing that art. 25, par. 1 GDPR contains a case distinct from that referred to in art. 32. It refers to the design of the processing, which must be set up by the controller in such a way as to minimize the risks to the rights and freedoms of the data subject. Failure to adopt adequate security measures is one thing; designing processing in a manner that disrespects the rights and freedoms of natural persons is another. It is no coincidence that so far the application of art. 25 has concerned situations very different from a data breach (the well-known cases of geolocation processing carried out by employers on company cars, which were not designed in such a way as to be deactivated as soon as working hours were over), in which the only relevant data are those that are adequate and limited to what is necessary to achieve the purpose of the processing";
"conduct that would hypothetically violate art. 25 must have its own specific indication, which the contesting Authority must formally set out in a sanctioning proceeding. The prior notification of the charge belongs to the irreducible core of the guarantees of the adversarial process within the proceedings, the failure of which by the proceeding Administration causes, ex se, the illegitimacy of any sanctioning measure eventually issued and requires its annulment in opposition proceedings before the competent judicial authority (see Civil Cassation, Section 2 - Judgment no. 4521 of 11/02/2022)";
regarding the elements for the assessments referred to in the art. 83, par. 2, of the Regulation:
"The Incident did not lead to violations of the integrity and confidentiality of personal data, least of all those belonging to citizens of the Lazio region. [...] the Incident, in fact: • did not lead to any exfiltration of personal data • did not lead to any loss of personal data • did not lead to any encryption of personal data • did not lead to any damage to the confidentiality and integrity of personal data • was resolved promptly thanks to the existence of adequate back-ups [...] the only concrete effect that the Incident had on the data subjects concerned the temporary unavailability of some regional services following the deactivation of the relevant applications, an effect which, on closer inspection, is foreign to the public interests in the protection of personal data which this Authority supervises";
"no element of fault can be attributed to it, considering what has been illustrated above regarding the certification of the security measures and the maximum timeliness with which the certifier's suggestions were adopted, as well as LAZIOcrea's perfect knowledge of the existence of the Region's notification";
"to mitigate the damage suffered, LAZIOcrea reacted from the moment of the attack - as illustrated above - by immediately deactivating the systems and securely restarting the Data Center. [...] The Data Center is now also accredited by ACN at the highest levels of IT security. All certifications can be found on the accreditation body's website at the following link https://services.accredia.it/. Finally, LAZIOcrea has strengthened the internal privacy structure with greater oversight on the issue and the appointment of a new DPO";
the "company has not, in the past, been the subject of disputes or the recipient of corrective measures from this Authority";
the "company believes that it has maintained a fully collaborative and transparent attitude during all the investigative activities carried out so far by the Authority since the time of the Incident which occurred on August 1st, involving a substantial number of resources (function managers, technicians, external consultants) and making available in an absolutely transparent manner all the information necessary in the context of the investigation";
"LAZIOcrea does not operate for profit and the sums received from the Region are exclusively to be treated in public accounting as reimbursement of costs incurred. It is even questionable whether it can be considered a commercial enterprise for the purposes of the criteria for measuring the economic advantages referred to in the provision of letter k). From this perspective, LAZIOcrea did not enjoy any economic benefit from the alleged 'savings'".
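The defense briefs above describe a layered network design (workstation/server separation, application-tier filtering, group-based VPN rules) while the decision itself records that the absence of segregation between server systems forced a shutdown of the whole data center. The following is an added example, not part of the decision or of LAZIOcrea's configuration: it models two constructed zone policies (a flat server LAN versus a tiered one) as default-deny allow-lists and computes the "blast radius" of a single compromised host, i.e. which zones an attacker can pivot into over interactive services and which data-holding zones become reachable from there. Zone names, services and rules are hypothetical.

```python
"""Blast-radius check for a zone-based segmentation policy (added example)."""
from collections import deque

# A rule is (source_zone, destination_zone, service). Anything not listed is denied.
Rule = tuple[str, str, str]

# Services that give an attacker an interactive foothold on the destination and
# can therefore be used to pivot. Constructed list; adjust to the environment.
PIVOT_SERVICES = frozenset({"rdp", "smb", "ssh", "winrm"})

# Constructed "flat" design: VPN users land on the server LAN, servers talk to
# each other on management ports, and an unpatched legacy host shares the LAN.
FLAT_POLICY: frozenset[Rule] = frozenset({
    ("vpn_users", "server_lan", "rdp"),
    ("workstations", "server_lan", "https"),
    ("server_lan", "server_lan", "smb"),
    ("server_lan", "db_lan", "sql"),
    ("server_lan", "legacy_app", "rdp"),
    ("legacy_app", "server_lan", "smb"),
})

# Constructed tiered design: clients reach the front end only, tiers chain
# front end -> back end -> database, management traffic only from a jump host,
# and the legacy host sits in its own subnet with no east-west management rule.
TIERED_POLICY: frozenset[Rule] = frozenset({
    ("vpn_users", "front_end", "https"),
    ("workstations", "front_end", "https"),
    ("front_end", "back_end", "https"),
    ("back_end", "db_lan", "sql"),
    ("jump_host", "front_end", "rdp"),
    ("jump_host", "back_end", "rdp"),
    ("jump_host", "db_lan", "rdp"),
    ("jump_host", "legacy_app", "rdp"),
    ("legacy_app", "back_end", "https"),
})


def next_hops(policy: frozenset[Rule], zone: str, services=None) -> set[str]:
    """Zones directly reachable from `zone`, optionally restricted to `services`."""
    return {
        dst for src, dst, svc in policy
        if src == zone and dst != zone and (services is None or svc in services)
    }


def pivot_zones(policy: frozenset[Rule], foothold: str) -> set[str]:
    """Zones an attacker holding `foothold` can move into by chaining pivot
    services (breadth-first over the allow-list). Includes the foothold."""
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        zone = queue.popleft()
        for dst in next_hops(policy, zone, PIVOT_SERVICES):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def exposed_zones(policy: frozenset[Rule], foothold: str) -> set[str]:
    """Zones whose services (and the data behind them) become reachable from
    any zone the attacker can pivot to, over any allowed service."""
    exposed: set[str] = set()
    for zone in pivot_zones(policy, foothold):
        exposed |= next_hops(policy, zone)
    return exposed


def blast_radius_report(policy: frozenset[Rule], foothold: str) -> dict:
    """Sorted summary used for side-by-side comparison of two policies."""
    return {
        "foothold": foothold,
        "pivots": sorted(pivot_zones(policy, foothold) - {foothold}),
        "exposed": sorted(exposed_zones(policy, foothold)),
    }


if __name__ == "__main__":
    # Stolen VPN credentials were the initial vector in the case discussed;
    # compare what such a foothold yields under each constructed policy.
    for name, policy in (("flat", FLAT_POLICY), ("tiered", TIERED_POLICY)):
        print(name, blast_radius_report(policy, "vpn_users"))
        print(name, blast_radius_report(policy, "legacy_app"))
```

In the flat policy a VPN foothold pivots onto the whole server LAN and the legacy host, and from there every data zone is exposed, so no single compromised server can be ruled out and a full shutdown is the only safe response. In the tiered policy the same foothold, or a compromise of the unpatched legacy host, exposes exactly one adjacent tier. The report also makes visible that the jump host becomes the highest-value target under tiering, since it is the only zone with management rules into every other zone.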
2. Outcome of the preliminary investigation.
With reference to the applicable regulations, it is noted that:
pursuant to the Regulation, personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her state of health, are "data concerning health" (art. 4, par. 1, n. 15, of the Regulation). Recital no. 35 of the Regulation then specifies that data concerning health "include information on the natural person collected in the course of the registration for, or the provision of, health care services" and "a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes";
the Regulation provides that personal data must be "processed in a manner that guarantees adequate security [...] including protection, through adequate technical and organizational measures, from unauthorized or illicit processing and from accidental loss, destruction or damage ( «integrity and confidentiality»)” (art. 5, par. 1, letter f), of the Regulation);
by virtue of the aforementioned principle of "integrity and confidentiality" (art. 5, par. 1, letter f), of the Regulation), the data controller must (see the "Guidelines 4/2019 on article 25 - Data Protection by design and by default”, adopted by the European Data Protection Board – hereinafter “Committee” – on 20 October 2020, spec. point 85):
assess the risks to the security of personal data, considering the impact on the rights and freedoms of the data subjects, and effectively mitigate those identified;
take security requirements into account as early as possible in the design and development of the system, continuously integrating and carrying out relevant tests;
define data processing in such a way that a minimum number of people need access to personal data to carry out their functions, and limit access accordingly;
protect personal data from unauthorized and accidental modifications and access, both during their transfer and during their storage;
record events relevant to information security and monitor them so as to detect any security incidents in a timely manner;
guarantee the restoration of IT systems in the event of a disaster and operational continuity, ensuring the availability of personal data following significant security incidents;
have adequate procedures in place to handle personal data breaches, including procedures for documenting them;
art. 33 of the Regulation establishes that "in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority [...], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons [...]" (para. 1) and that "where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay" (para. 4);
the “Guidelines 9/2022 on notification of personal data breaches under the GDPR” (hereinafter “Notification Guidelines”), adopted by the Committee on 28 March 2023, highlight that “a security incident resulting in the unavailability of personal data for a certain period of time constitutes a violation, as the lack of access to the data can have a significant impact on the rights and freedoms of natural persons” (section I.B.2);
the same Guidelines recall that "depending on the nature of the breach, further investigation by the controller may be necessary to establish all of the relevant facts relating to the incident [...]. This means that the Regulation recognises that controllers will not always have all of the necessary information concerning a breach within 72 hours of becoming aware of it, as full and comprehensive details of the incident may not always be available during this initial period. As such, it allows for a notification in phases. It is more likely this will be the case for more complex breaches, such as some types of cyber security incidents where, for example, an in-depth forensic investigation may be necessary to fully establish the nature of the breach and the extent to which personal data have been compromised. Consequently, in many cases the controller will have to do more investigation and follow-up with additional information at a later point. This is permissible, provided the controller gives reasons for the delay, in accordance with Article 33(1)" (section II.B.2). This is also in order to allow the Supervisory Authority to evaluate the adequacy of the decisions taken by the controller regarding the communication to the data subjects and the measures adopted to remedy the breach;
the aforementioned art. 33 of the Regulation provides that “the data controller documents any personal data breach, including the circumstances relating to it, its consequences and the measures taken to remedy it” (para. 5);
with regard to the documentation of the breach, the Notification Guidelines establish that “regardless of whether a breach must be notified to the supervisory authority, the data controller must maintain documentation of all breaches”, that “this obligation is connected to the principle of accountability” referred to in art. 5, par. 2, of the Regulation, and that “the purpose of keeping records of non-notifiable breaches, in addition to the notifiable ones, is also linked to the obligations of the data controller pursuant to Article 24, and the supervisory authority may request to consult these registers. Consequently, the data controller is encouraged to create an internal register of breaches, regardless of whether it is required to notify or not” (section V.A);
the same Notification Guidelines specify that “although it is up to the data controller to determine which method and structure to use to document a breach, certain key information should always be included”, that the data controller is required to “record details relating to the breach, including the causes, facts and personal data involved. It should also indicate the effects and consequences of the breach and the steps taken to remedy them” and recommend “also documenting the reasoning behind decisions taken in response to a breach. In particular, if a breach is not reported, a justification for this decision should be documented. The justification should include the reasons why the controller considers that the breach is unlikely to present a risk to the rights and freedoms of natural persons. Alternatively, if the controller considers that one of the conditions referred to in Article 34(3) is met, it should be able to provide adequate evidence that the circumstance exists in the specific case. If the data controller notifies a breach to the supervisory authority, but the notification occurs late, the data controller must be able to provide the reasons for the delay; the documentation relating to this circumstance could help demonstrate that the delay in reporting is justified and not excessive” (section V.A);
the “Guidelines 01/2021 on examples regarding the notification of a personal data breach” (hereinafter “Guidelines on cases of personal data breach”), adopted by the Committee on 14 December 2021, recalling the Notification Guidelines, specify that the internal documentation of a breach is an obligation independent of the risks associated with the breach itself and must be prepared in each individual case (point 15);
art. 33, par. 2 of the Regulation establishes that “the processor shall notify the controller without undue delay after becoming aware of a personal data breach”. In this regard, the Notification Guidelines clarify that “if a controller uses a processor and the processor becomes aware of a breach of the personal data it is processing on behalf of the controller, it must notify the controller ‘without undue delay’ [... without] assessing the likelihood of risk arising from the breach before notifying the controller”. Therefore, “the processor only needs to establish whether a breach has occurred and then notify the controller” to enable the controller “to address the breach and to determine whether it needs to notify the supervisory authority pursuant to Article 33(1) and the data subjects pursuant to Article 34(1)”. Even if “the Regulation does not set an explicit deadline within which the processor must notify the controller, except to specify that it must do so ‘without undue delay’”, the aforementioned Guidelines recommend that the processor “notify the controller promptly, subsequently providing any further information on the breach as it becomes aware of it. This is important in order to help the controller comply with the obligation to notify the supervisory authority within 72 hours” and specify that “if it provides services to multiple controllers all affected by the same incident, the processor must report the details of the incident to each controller” (section II.B.1);
art. 32 of the Regulation, concerning the security of processing, establishes that “taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk [...]” (para. 1) and that “in assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed” (para. 2);
art. 25, par. 1 of the Regulation provides that “taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (see also recitals 75 and 78 of the Regulation);
on the basis of the aforementioned principle of “data protection by design”, controllers should carry out periodic reviews of the security measures put in place to safeguard and protect personal data, as well as of the procedure for managing data breaches. The obligation to maintain, verify and, where necessary, update the processing also applies to pre-existing systems. This implies that systems designed before the entry into force of the Regulation must be subjected to checks and maintenance to ensure the application of measures and safeguards that implement the principles and the rights of data subjects effectively. This obligation also extends to processing carried out through a processor. In fact, the processing operations carried out by a processor should be regularly examined and evaluated by the controller to ensure that they continue to respect the principles and allow the controller to fulfil the obligations established by the Regulation (see the aforementioned “Guidelines 4/2019 on Article 25 - Data protection by design and by default”, spec. points 7, 38, 39 and 84).
Having taken note of what the Company represented in the documentation on file and in the defense briefs, it is noted that:
with reference to the alleged lateness of the initiation of the proceedings by the Authority, it is highlighted that, contrary to what was asserted by the Company, the Office notified the latter within the legal deadlines (XX), given that the acquisition of some information relevant for the purposes of a complete assessment of the compliance of the set of processing operations in question was completed only in the month of XX; this, also in consideration of the fact that the investigation in question presents aspects of particular complexity, including of a technological nature, with reference to which copious documentation was provided, and involved approximately 35 subjects taking part in various capacities in the processing;
with reference to the violation of the obligations referred to in the art. 33, par. 1, of the Regulation:
the Company became aware of the breach on 1 August 2021 and notified it only on XX, highlighting that the delay was due to “(i) the need to acquire the minimum elements necessary to provide as complete information as possible, (ii) the need to primarily restore essential services to the citizens of the Lazio Region and (iii) to ascertain the actual extent of the incident with the collaboration of cyber security companies and the judicial police authorities”;
the reasons given do not justify the delay in notifying the personal data breach since, even without all the information referred to in art. 33, par. 3 of the Regulation, the Company, with reference to the processing of which it is the controller, should have notified the breach within 72 hours of becoming aware of it, providing the information in its possession and making use of the possibility of a “phased notification”;
considering what is specified in the defense briefs produced by the Company, and while agreeing that the notification does not constitute “a formalism as an end in itself”, it represents the main means through which the Authority is promptly made aware of a personal data breach and is therefore put in a position to carry out the tasks envisaged by the Regulation; in the present case, however, the Guarantor acted ex officio following press reports regarding the facts in question and the receipt of notifications submitted by other data controllers involved;
considering what the Company asserted in the defense briefs regarding the fact that “only in December 2021 - after the facts under discussion - notification was recommended by the EDPB in the event of ransomware even in cases of temporary unavailability, even without data exfiltration and in the presence of back-ups”, already in 2017 the “Guidelines on personal data breach notification under Regulation (EU) 2016/679” of the Article 29 Working Party of 3 October 2017 – recently replaced by the Committee's Notification Guidelines – clarified that “a security incident resulting in the unavailability of personal data for a certain period of time constitutes a breach, as the lack of access to the data can have a significant impact on the rights and freedoms of natural persons”, requiring in such cases notification to the supervisory authority;
with reference to the violation of the obligations referred to in the art. 33, par. 5, of the Regulation:
the Company did not adequately document the breach. In particular, in the security incident register kept by the Company, in relation to the incident of 31 July 2021, not all the information required therein is included (e.g. date and time of closure of the incident, date and time of resolution of the incident, person who detected the incident, other organisations contacted), and some of the information present is inaccurate (e.g. start date of the incident) or not very detailed (e.g. description of the incident, response actions carried out);
even taking into account what is stated in the defense briefs, the documentation on file lacks the key information indicated in the Notification Guidelines such as, for example, the effects and consequences of the breach for the data subjects, the reasoning behind the decisions taken, the assessment of the risk arising from the breach, as well as the reasons justifying the delay in notifying the Guarantor. Furthermore, this conduct is not fully in line with what is indicated in the “Management of violations - Data Breach” procedure adopted by the Company, which provides for the keeping of a register of events in which to record the information relating to reports of alleged breaches (e.g. date of the communication, description of the event, type of personal data involved, details of the notification to the Guarantor, containment measures, classification, status) and the compilation of an analysis report, to be attached to the aforementioned register, also containing the opinion of the specialists and the risk assessment;
with reference to the violation of the obligations referred to in the art. 33, par. 2, of the Regulation:
the Company, having become aware of the breach on 1 August 2021, in its capacity as processor, belatedly informed:
- the Lazio Region, with the communications of XX and XX following specific requests from the Region itself (of XX and XX respectively) and of XX, at the conclusion of the restoration activities;
- the other data controllers involved, with the communications of XX, XX, XX and X;
the Company informed the Region and the other data controllers involved - also following specific requests for information sent by them, which were however not answered in a timely manner - approximately 2 weeks after the incident occurred. In this regard, it is considered that the Company, although not having detailed information during the first stages of management of the incident, should nevertheless have promptly informed the controllers by providing them with the elements of which it was aware, in order to allow those controllers to evaluate the risks to the rights and freedoms of natural persons arising from the breach and to fulfil the obligations set out in arts. 33 and 34 of the Regulation;
as is clearly evident from the documentation on file, the Company's subsequent communications to the data controllers were also sent after some time and those addressed to data controllers other than the Region, apart from general information on the personal data breach (nature, measures adopted or in the process of being adopted, with the related timing), did not even contain specific references to the processing systems and services involved, which each controller would have needed in order to delimit the perimeter of the breach and assess the risks; the Company has not provided adequate justifications regarding the reasons for the aforementioned delays;
what the Company claims in the defense briefs regarding the uselessness of “further formal communications by LAZIOcrea” to the data controllers, since they were already informed of the facts, cannot be accepted, because, in cases such as the one in question, it is for the processor to provide them with the details of the incident; so much so that the majority of controllers, in the absence of communications from the Company, felt the need to ask it for specific information on the breach;
with reference to the violation of the principle referred to in the art. 5, par. 1, letter. f), and the obligations referred to in art. 32 of the Regulation:
the processing operations carried out in the context in question require the adoption of the highest security standards in order not to compromise the confidentiality, integrity and availability of the personal data, including health data, of the millions of data subjects receiving care. This, also taking into account the purposes of the processing and the nature of the personal data processed, which also belong to special categories. On this basis, the security obligations imposed by the Regulation require the adoption of rigorous technical and organisational measures, including, in addition to those expressly identified by art. 32, par. 1, letters a) to d), all those necessary to mitigate the risks that the processing operations present;
in general, with reference to the recurring arguments based on the Company's possession of the certification of its information security management system (ISMS) in compliance with the UNI CEI EN ISO/IEC 27001:2017 standard, with extension to the controls of ISO 27017 and ISO 27018, it should be noted that this certification is not, at the moment, among those provided for by art. 42 of the Regulation. In any case, certification pursuant to art. 42 of the Regulation, although it can be used by controllers or processors as an element to demonstrate compliance with the obligations of the Regulation, does not automatically imply compliance. Furthermore, it must be considered that the certification of an ISMS can be limited to specific areas (services and/or offices) of the organisation (summarised in the certificate issued by the certification body) and that the certification process of an ISMS, based mainly on the results of audits (documentary and on-site checks), contains elements of uncertainty both because it is linked to the concept of risk and because it is carried out on a sample of the processes that the organisation, without prejudice to its good faith, submits for certification. The certification of an ISMS based on ISO/IEC 27001, therefore, does not in itself guarantee security levels, controls or security measures established or fixed a priori, but ensures the adoption of the controls that the organisation has identified and deemed adequate on the basis of its own risk assessment;
on the failure to adopt adequate measures to promptly detect the violation of personal data:
- on 31 July 2021, from 4.49 pm the malicious actors carried out a series of preparatory operations for the cyber attack, following which, at 9.12 pm, “the Microsoft security platforms generated a security incident of severity High called ‘Multi-stage incident involving Execution & Command and control on multiple endpoints reported by multiple sources’, consisting of a total of 2189 alarms. The incident signalled the detection of malicious activity on multiple systems.” From 00:00 on 1 August 2021, the system encryption routine was “started”;
- the Company had “evidence in the early hours of the morning of August 1st when some virtual machines were found to be unusable”; in this regard, it stated that “following the detection of ‘hostile activities’ (2,189 alarms) by the ‘Microsoft Windows Defender ATP console’ on the evening of 31 July 2021, [...] this monitoring tool was not manned 24 hours a day” and, therefore, “it was not possible to manage these alarms with ‘greater’ timeliness”. This is also because, at the time the cyber attack occurred, the Company “did not have personnel (internal or external) dedicated to the 24-hour analysis of the alerts generated by Microsoft's SIEM, awaiting the activation of a security operations center (SOC) service provided by Leonardo S.p.a., which then took place in the first days of August 2021” (see minutes of XX, pp. 5 and 6, and of XX, p. 2);
- it is therefore established that the inadequate management of the aforementioned alarms did not allow the Company to promptly become aware of the personal data breach that had occurred; in this regard, what the Company claims in the defense briefs, namely that “the 24-hour SOC [did not constitute] a mandatory measure for public administrations”, is not relevant, since, from the point of view of data protection, the Regulation, in compliance with the principle of accountability, entrusts the controller and the processor with the task of identifying and adopting technical and organisational measures suitable to guarantee a level of security adequate to the risks presented by the processing, which in this case were high due to the nature of the data processed, the large scale of data subjects involved, including vulnerable ones, as well as, in the event of a breach, the possible negative consequences for the data subjects, with particular reference to the exercise of the right to access healthcare;
with regard to the failure to adopt adequate measures to guarantee the security of the networks:
- the Company had not adopted adequate measures to segment and segregate the networks on which the workstations of its employees and those of the employees of the Lazio Region were located, as well as the systems (servers) used for the processing carried out as processor (on behalf of the various controllers) or as controller. In particular, the filtering rules configured on the firewall systems present in the data center managed by the Company, limited only to specific critical systems or services, did not prevent the propagation of the malware to approximately 180 systems;
- as part of the analysis activities conducted by Leonardo S.p.a. in relation to the personal data breach in question, a “Mitigation, Eradication & Improvement Plan” (hereinafter “Plan”) was drawn up, which provides for the adoption, among others, of specific actions aimed at segregating and securing the various systems managed by the Company. In particular, these actions involve the “segmentation of networks, avoiding excessively large subnets and effectively limiting the possibility for a potential attacker to carry out lateral movements”, the “complete reinstallation of all server systems and their simultaneous placement in network segments divided by security layer (Tier), with limited access and manageable only by a limited number of workstations, in turn isolated from other networks (PAW, Privileged Access Workstation)”, as well as the “redesign of the network [...] favouring the principle of least privilege”;
- moreover, at the time the personal data breach occurred, remote access to the Company's network via VPN was carried out through an authentication procedure based only on the use of username and password. In relation to this aspect, the Company itself, following the incident, deemed it necessary to activate a two-factor authentication procedure (see minutes of XX, p. 3), as also envisaged by the aforementioned Plan;
- what the Company claims in the defense briefs does not overcome the critical issues identified in the initiation of the proceedings since, as declared by the Company itself during the inspection, at the time of the breach it was possible to reach the server systems that were subsequently compromised starting from the network used for VPN access by employees of the Lazio Region;
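The segmentation findings above (filtering rules limited to a few critical systems, a VPN user network from which the later-compromised servers were reachable, and the Plan's tiered redesign with PAW-only administration and least privilege) can be checked mechanically against a policy model. The following Python is an added example, not code from the decision or from LAZIOcrea or Leonardo: every zone, address and rule is constructed, the policy is evaluated first-match with default deny, and the functions compute which zones an intruder on a VPN client could pivot to and which rules let a lower-trust tier reach a higher-trust one.

```python
"""Zone-and-rule model of a data-centre filtering policy (constructed example:
zones, addresses and rules are invented for this page, not LAZIOcrea's real
topology). Rules are evaluated first-match with an implicit default deny."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    net: IPv4Network
    tier: int                # 0 = privileged admin (PAW), 1 = servers/management, 2 = user and VPN networks
    published: bool = False  # tier-1 zone deliberately exposed to users (e.g. an application front end)


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    permit: bool


ANY = ip_network("0.0.0.0/0")


def permitted(rules: List[Rule], src: Zone, dst: Zone) -> bool:
    """First matching rule wins; no match means deny."""
    for r in rules:
        if src.net.subnet_of(r.src) and dst.net.subnet_of(r.dst):
            return r.permit
    return False


def direct_reach(zones: Dict[str, Zone], rules: List[Rule], start: str) -> Set[str]:
    """Zones to which a host in `start` may open connections in one hop."""
    s = zones[start]
    return {z.name for z in zones.values() if z.name != start and permitted(rules, s, z)}


def lateral_reach(zones: Dict[str, Zone], rules: List[Rule], start: str) -> Set[str]:
    """Transitive closure of direct_reach: everything an intruder who already controls
    one host in `start` could pivot to, hop by hop, under the given policy."""
    seen: Set[str] = set()
    frontier = [start]
    while frontier:
        for nxt in direct_reach(zones, rules, frontier.pop()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


def tier_violations(zones: Dict[str, Zone], rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs where a less-trusted zone may talk directly to a more-trusted zone that is
    not published: the least-privilege check behind a tiered design."""
    out = []
    for s in zones.values():
        for d in zones.values():
            if s is not d and s.tier > d.tier and not d.published and permitted(rules, s, d):
                out.append((s.name, d.name))
    return sorted(out)


ZONES = {z.name: z for z in [
    Zone("paw",        ip_network("10.0.0.0/24"),  0),                  # privileged access workstations
    Zone("mgmt",       ip_network("10.1.0.0/24"),  1),                  # virtualisation management layer
    Zone("servers",    ip_network("10.10.0.0/16"), 1),                  # application and database servers
    Zone("legacy",     ip_network("10.11.0.0/24"), 1),                  # hosts kept on an unpatchable OS
    Zone("app_front",  ip_network("10.12.0.0/24"), 1, published=True),  # front end users are meant to reach
    Zone("staff_ws",   ip_network("10.20.0.0/16"), 2),                  # company employees' workstations
    Zone("region_vpn", ip_network("10.30.0.0/16"), 2),                  # VPN pool of the Region's remote users
]}

# "Before": one critical system is fenced off, everything else is permit any-any.
FLAT_RULES = [
    Rule(ip_network("10.0.0.0/24"), ip_network("10.1.0.0/24"), True),
    Rule(ANY, ip_network("10.1.0.0/24"), False),
    Rule(ANY, ANY, True),
]

# "After": tiered design. User and VPN networks reach only the published front end,
# admin paths originate only from the PAW network, legacy hosts are isolated.
TIERED_RULES = [
    Rule(ip_network("10.0.0.0/24"),  ip_network("10.1.0.0/24"),  True),
    Rule(ip_network("10.0.0.0/24"),  ip_network("10.10.0.0/16"), True),
    Rule(ip_network("10.0.0.0/24"),  ip_network("10.11.0.0/24"), True),
    Rule(ip_network("10.12.0.0/24"), ip_network("10.10.0.0/16"), True),  # front end -> back end only
    Rule(ip_network("10.20.0.0/16"), ip_network("10.12.0.0/24"), True),
    Rule(ip_network("10.30.0.0/16"), ip_network("10.12.0.0/24"), True),
]  # anything not listed is denied

if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("tiered", TIERED_RULES)):
        print(label, sorted(lateral_reach(ZONES, rules, "region_vpn")), tier_violations(ZONES, rules))
```

Under the flat policy a foothold in the VPN pool reaches every other zone, management included (via the PAW network); under the tiered policy it reaches only the published front end and, through it, the back-end servers, while the legacy hosts reach nothing at all.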
with regard to the obsolescence of the base software installed on some processing systems:
- from the documentation on file it emerged that the server with hostname “RLWSIRIFT01” was “one of the main hubs used by the attacker in the final phase of the cyber attack” underlying the personal data breach in question. The Company itself highlighted that on the “server with hostname ‘RLWSIRIFT01’ [...] base software was installed for which updates or security patches from the manufacturer were no longer available. This circumstance was due to the need to guarantee the functioning of a legacy web application that required a particular version of the operating system and application server. By exploiting known vulnerabilities in the base software present on the aforementioned server, the malicious actors managed to come into possession of authentication credentials with administrative privileges [...] used in the subsequent phases of the cyber attack”. In particular, it emerged that the processing system in question had an obsolete operating system installed (Windows Server 2008 R2 Standard) for which the manufacturer (Microsoft) had stopped distributing security updates. This made patching this system particularly difficult, requiring the adoption of ad hoc measures, realistically not timely, to deal with new vulnerabilities;
- only following the personal data breach did the Company “identify the (few) servers which, to guarantee the functioning of some legacy services, still use obsolete operating systems, and take steps to adopt appropriate segregation measures at network level, as well as monitoring of security events”;
- what the Company stated in the defense briefs does not overcome the Office's findings regarding the use of obsolete base software for which security updates are no longer available, also considering the fact that the server systems on which such software was installed were not adequately isolated from the other server systems through which data processing was carried out, including data relating to the health of patients of the Regional Health Service;
with regard to the failure to adopt adequate measures to ensure the availability and resilience of processing systems and services:
- the Company, at the time of the security incident, was using a backup management system, and “specific backup management procedures had not been defined, but it was expected that each project contact would communicate, upon release into operation, through a specific template, among other things, information on the type and retention of the backups to be carried out. The periodicity of the backups was daily”;
- backup management was carried out using a “table containing the list of projects for which the backup was carried out, with the indication of the contact persons, the name of the schema, the hosts and the related retention policies” (see minutes of XX, p. 3);
- only following the personal data breach did the Company adopt a new backup management system, which allows simpler management and monitoring of data and system backups on the basis of what is indicated by each project contact person at the time of release into operation;
- what the Company stated in the defense briefs does not overcome the Office's findings regarding the methods adopted to ensure the availability and resilience of the processing systems and services, including backup management, as these were not in line with best practices in the sector and were not suitable for the context of the processing carried out on behalf of the Lazio Region and numerous regional health service bodies;
- the breach resulted in the unavailability of a large part of the information systems responsible for the processing of personal data for the Lazio healthcare structures, i.e. the impossibility of using many information systems that process health data and through which those structures provide health services to their patients. In particular, the following information systems, and the health data processed in them, were unavailable: creation of patient records; new RECUP: management of reservations, acceptances, cancellations; collection of reports via ESCAPE; payments for services relating to specialist outpatient activities, including online payments via PAGO PA; regional system for sending flows for the information debt relating to specialist services managed by the NHS, intramoenia services, home services and services carried out at consultants, hospital admissions, emergency room accesses; regional vaccination registration system; dematerialised prescription registration system for drug prescriptions and outpatient services; issue of the STP-ENI code for foreigners temporarily present in the territory, or for Europeans not registered with the Health Service, to guarantee access to health services; screening activities: system for managing and taking charge of users belonging to certain age groups in the mammographic, cytological and colorectal screening processes; viewing and printing of a summary sheet of all vaccinations carried out by the user; TS system: health card management, sending of Sogei flows, issuing of Covid-19 certificates, insertion of rapid and molecular tests, activation of the user's health card; regional Covid-19 surveillance platform; patient treatment plan management system with drug distribution; regional system for online transmission of laboratory analysis reports; TELEMED: remote emergency reporting; ADVICE: teleconsultation system for consultancy towards second-level DEAs (impossibility of forwarding or receiving consultancy requests); EMONET: management system of the Transfusion Centres and Immunotransfusion Medicine Departments of the Lazio Region (impossibility of using the Emonet system); S.I.A.T.: territorial home care management system; request for Covid-19 beds; AVR system – Regional Vaccination Registry (impossibility of registering and booking vaccinations); dematerialised prescription integration system (impossibility of taking charge of and issuing dematerialised prescriptions), with impact on all outpatient admissions, including drive-in and sampling centres; real-time data collection from the Emergency Department (lack of real-time alignment of the data with the Region); real-time data collection from ADT systems (lack of real-time alignment of admissions, discharges and transfers with the Region); RIS-REFERTI (system for transmitting radiological reports to the regional portal); S.I.R.D. (regional dependency management system) (see the personal data breach notifications of the S. Andrea hospital, of the Campus Biomedico University, of ASL Roma 2, of the Rieti ASL, of the Fondazione Policlinico Tor Vergata, of the S. Andrea University Hospital, of ASL Roma 6);
- the aforementioned information systems, through which data on the health of the patients of the regional health service are processed, were unavailable to the regional health structures for a period of time ranging from a few hours (48) to a few months; LAZIOcrea in fact took steps to restore them, in a cloud environment, gradually, giving priority to the most critical ones (e.g. Covid-19 vaccination), and completed the full restoration at the end of October 2021 (see the notifications of LAZIOcrea of XX and XX, and the minutes of the inspection of XX);
- the unavailability of access to the data stored on the aforementioned systems was caused:
i) directly by the cyber attack which, by compromising the application layer of the virtualisation system, made approximately 180 virtual server systems unavailable and the data processed in them inaccessible;
ii) indirectly by LAZIOcrea's choice to shut down all server systems since, at the time of the cyber attack, it was able neither to determine which ones were compromised nor to avoid further propagation of the malware, given the absence of segregation of the networks on which they were located;
- therefore, if LAZIOcrea had taken steps to adequately segregate the networks on which the server systems and the workstations of its employees and of the Lazio Region were located, the Company itself would not have had to proceed with the shutdown of the aforementioned server systems, and the healthcare structures would therefore not have suffered the unavailability of access to numerous information systems and the related data;
- network segregation is also one of the most common measures adopted in data centers that host IT systems responsible for the processing of different categories of personal data, including data relating to health, which LAZIOcrea - as a company operating in the ICT sector according to the in-house providing model - would certainly have had to ensure, taking into account the context and characteristics of the processing in relation to which it was designated processor by the Region and the health structures;
with reference to the violation of the principle referred to in the art. 25, par. 1, of the Regulation:
art. 25 of the Regulation does not require the implementation of specific technical and organisational measures, but rather that the measures and safeguards identified and adopted by the controller be specifically connected to the implementation of the data protection principles in the context of the processing actually carried out; the measures and safeguards must be designed to be robust and the controller must be able to implement additional ones in order to address any increase in risks. Whether or not the measures are effective depends on the context of the processing and on the other elements that the controller must take into consideration when determining the means of processing;
in light of what the Company represented in the defense briefs, the findings regarding the violation of the principle of data protection by design are overcome, in view of the assessments carried out by the Company regarding the adequacy and effectiveness of the measures adopted in relation to the context and scope of the processing carried out as controller;
although the provisions of art. 25 of the Regulation are not directly addressed to it, the processor also represents an essential figure for the purposes of data protection by design and by default and should be aware of the fact that the controller is required to process personal data only using systems and technologies that integrate the data protection principles. The processor, in fact, when processing data on behalf of controllers, should use its skills to establish a climate of trust and orient the latter towards design solutions that integrate data protection into the processing (see the aforementioned “Guidelines 4/2019 on Article 25 - Data protection by design and by default”, points 94 and 95).
3. Conclusions.
In light of the assessments mentioned above, taking into account the declarations made by LAZIOcrea during the investigation, and considering that, unless the fact constitutes a more serious offence, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the performance of the tasks or exercise of the powers of the Guarantor"), the elements provided in the defense briefs do not allow all the findings notified by the Office with the act initiating the procedure to be overcome, as none of the cases provided for in art. 11 of the Guarantor Regulation no. 1/2019 applies.
For these reasons, the unlawfulness of the processing of personal data carried out by the company LAZIOcrea is established, in the terms set out in the reasoning, in violation of:
a) the obligations referred to in art. 33, par. 1 and 5, of the Regulation, in relation to the processing carried out as controller;
b) the principle of "integrity and confidentiality" referred to in art. 5, par. 1, letter f), of the Regulation, and the obligations regarding the security of processing, in violation of art. 32 of the Regulation, in relation to the processing carried out as controller;
c) the obligations referred to in art. 33, par. 2, of the Regulation, in relation to the processing carried out as processor on behalf of the controllers;
d) the principle of "integrity and confidentiality" referred to in art. 5, par. 1, letter f), of the Regulation, and the obligations regarding the security of processing, in violation of art. 32 of the Regulation, in relation to the processing carried out as processor on behalf of the controllers.
In this framework, considering that measures have been adopted aimed at overcoming the critical issues described above, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation are not met.
4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
Considering that the Guarantor, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).
In this case, the Company engaged in four distinct conducts, which must therefore be considered separately for the purposes of quantifying the administrative sanctions to be applied.
The aforementioned pecuniary administrative sanctions imposed, depending on the circumstances of each individual case, must be determined in amount taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.
4.1. In this regard, taking into account art. 83, par. 3, of the Regulation, the violation of the provisions cited in par. 3, letter a), of this provision (art. 33, par. 1 and 5, of the Regulation) is subject to the pecuniary administrative sanction provided for by art. 83, par. 4, of the Regulation.
With specific regard to the nature and severity of the violations, as well as the degree of responsibility of the controller (art. 83, par. 2, letters a) and g), of the Regulation), it must be considered that the personal data subject to the breach did not belong to the special categories and referred to a limited group of data subjects (i.e. Company employees).
In light of these circumstances, it is considered that, in the present case, the level of severity of the violations committed by the controller is low (Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted by the Board on 23 May 2023, point 60).
Added to this, pursuant to art. 83, par. 2, letter e), of the Regulation, the Company has not previously been the recipient of corrective and sanctioning measures.
Furthermore, pursuant to art. 83, par. 2, letter h), of the Regulation, the Authority initially became aware of the event from press reports and from the notifications sent by the other controllers involved, and only subsequently from the notification sent by the Company.
In favour of the controller it is, however, necessary to consider, pursuant to art. 83, par. 2, letter f), of the Regulation, that the Company cooperated with the Authority.
On the basis of the aforementioned elements, evaluated as a whole, and of the Company's ordinary financial statements, it is deemed necessary to set the amount of the pecuniary sanction provided for by art. 83, par. 3 and 4, of the Regulation at 16,000.00 (sixteen thousand) euros for the violation of art. 33, par. 1 and 5, of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.
4.2. In this regard, taking into account art. 83, par. 3, of the Regulation, the violation of the provisions cited in par. 3, letter b), of this provision (articles 5, par. 1, letter f), and 32 of the Regulation) is subject to the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.
With specific regard to the nature and seriousness of the violations, as well as the degree of responsibility of the controller (art. 83, par. 2, letters a), d) and g), of the Regulation), it must be considered that, although the personal data subject to the breach did not belong to the special categories and referred to a limited group of data subjects (i.e. Company employees), the measures in place at the time of the events in question were not adequate to guarantee the security of the processing. In this regard, it should also be considered that the Company's main activities include the design, development and management of IT systems.
In light of these circumstances, it is considered that, in the present case, the level of severity of the violations committed by the controller is low (Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted by the Board on 23 May 2023, point 60).
Added to this, pursuant to art. 83, par. 2, letters e) and f), of the Regulation, the Company has not previously been the recipient of corrective and sanctioning measures and cooperated with the Authority.
Furthermore, pursuant to art. 83, par. 2, letter c), of the Regulation, the Company, at the time the personal data breach occurred, had already planned the implementation of a number of interventions to raise the level of security of the processing carried out.
On the basis of the aforementioned elements, evaluated as a whole, and of the Company's ordinary financial statements, it is deemed necessary to set the amount of the pecuniary sanction provided for by art. 83, par. 3 and 5, of the Regulation at 25,000.00 (twenty-five thousand) euros for the violation of articles 5, par. 1, letter f), and 32 of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.
4.3. In this regard, taking into account art. 83, par. 3, of the Regulation, the violation of the provisions cited in par. 3, letter c), of this provision (art. 33, par. 2, of the Regulation) is subject to the pecuniary administrative sanction provided for by art. 83, par. 4, of the Regulation.
With specific regard to the nature and severity of the violations, as well as the degree of responsibility of the processor (art. 83, par. 2, letters a), d) and g), of the Regulation), it must be considered that the personal data subject to the breach included data belonging to the special categories, referring to persons assisted by the regional health service. It should also be highlighted that the Company, in addition to informing the controllers two weeks late, sent partial communications that did not indicate the specific processing systems and services involved, information that each controller needs in order to delimit the scope of the breach and assess the risks.
In light of these circumstances, it is considered that, in the present case, the level of severity of the violations committed by the processor is high (Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted by the Board on 23 May 2023, point 60).
Added to this, pursuant to art. 83, par. 2, letter e), of the Regulation, the Company has not previously been the recipient of corrective and sanctioning measures.
On the basis of the aforementioned elements, evaluated as a whole, and of the Company's ordinary financial statements, it is deemed necessary to set the amount of the pecuniary sanction provided for by art. 83, par. 3 and 4, of the Regulation at 90,000.00 (ninety thousand) euros for the violation of art. 33, par. 2, of the Regulation by the Company as processor, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.
4.4. In this regard, taking into account art. 83, par. 3, of the Regulation, the violation of the provisions cited in par. 3, letter d), of this provision (articles 5, par. 1, letter f), and 32 of the Regulation) is subject to the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.
With specific regard to the nature and severity of the violations, as well as the degree of responsibility of the processor (art. 83, par. 2, letters a), d) and g), of the Regulation), it must be considered that the personal data subject to the breach included data belonging to the special categories, referring to persons assisted by the regional health service. In this regard, it is also noted that the Company, acting as processor for numerous regional health service bodies, has a fundamental and strategic role in identifying and adopting security measures suitable for mitigating the risks presented by the processing of the personal data of millions of data subjects.
In light of these circumstances, it is considered that, in the present case, the level of severity of the violations committed by the processor is high (Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted by the Board on 23 May 2023, point 60).
It is also noted that, pursuant to art. 83, par. 2, letters c), f) and k), of the Regulation, the Company cooperated with the Authority by introducing, in the context of the Covid-19 emergency, suitable measures to overcome the critical issues highlighted above.
Added to this, pursuant to art. 83, par. 2, letter e), of the Regulation, the Company has not previously been the recipient of corrective and sanctioning measures.
On the basis of the aforementioned elements, evaluated as a whole, and of the Company's ordinary financial statements, it is deemed necessary to set the amount of the pecuniary sanction provided for by art. 83, par. 3 and 5, of the Regulation at 140,000.00 (one hundred and forty thousand) euros for the violation of articles 5, par. 1, letter f), and 32 of the Regulation by the Company as processor, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.
4.5. Based on what was assessed in paragraphs 4.1, 4.2, 4.3 and 4.4 of this provision, it is deemed necessary to set the total amount of the pecuniary sanction imposed on the Company at 271,000.00 (two hundred and seventy-one thousand) euros in relation to the set of violations described above.
Taking into account that the violations committed are of significant severity, also in view of the number of data subjects involved (including health service patients), the type of personal data subject to the breach and the extent and impact on the availability of the services affected, it is also considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied.
Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.
ALL THE ABOVE BEING CONSIDERED, THE GUARANTOR
declares the unlawfulness of the processing of personal data carried out by the company LAZIOcrea S.p.a. for the violation of articles 5, par. 1, letter f), 32 and 33, pars. 1, 2 and 5, of the Regulation, within the terms set out in the reasoning.
ORDERS
pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, the company LAZIOcrea S.p.a., tax code 13662331001, in the person of its legal representative pro tempore, to pay the sum of 271,000.00 (two hundred and seventy-one thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.
ENJOINS
the aforementioned Company, in the event that the dispute is not settled pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €271,000.00 (two hundred and seventy-one thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement acts will be adopted in accordance with art. 27 of Law no. 689/1981.
DIRECTS
pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website, and the annotation of this provision in the Authority's internal register of violations and of measures adopted in compliance with art. 58, par. 2, of the Regulation, provided for by art. 57, par. 1, letter u), of the Regulation.
Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 21 March 2024
PRESIDENT
Stanzione
THE RAPPORTEUR
Stanzione
THE GENERAL SECRETARY
Mattei