HDPA (Greece) - 10/2024

From GDPRhub
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: 2,995,140 EUR
Parties: Hellenic Post
National Case Number/Name: 10/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Iliana Papantoni

The DPA imposed a fine of €2,995,140 on the Hellenic Post for failing to implement appropriate security measures, which resulted in a data breach affecting over 4 million data subjects.

English Summary

Facts

On 23 March 2022, the Hellenic Taxydromia Anonymous Ltd, the Hellenic post office (controller), notified the Hellenic DPA (HDPA) of a personal data breach resulting from a cyberattack. The breach involved unauthorised remote access to employees' workstations and files, the discovery of the passwords of network domain administration accounts and unauthorised access to miscellaneous folders; the affected data was subsequently published on the dark web. In addition, the attackers installed malicious processes on the controller's system. Between 4,000,000 and 5,000,000,000 data subjects, including controller employees, executives, board members, lessors, customers, external partners, distributors, contractors, pensioners, borrowers and guarantors, were estimated to have been affected.

On 19 May 2022, the HDPA requested a description of the actions taken by the controller to address the data breach, as well as of the actions taken to notify the data subjects concerned or any third party. The controller responded by providing a cybersecurity incident report. It stated that it had informed the public about the personal data breach and the actions taken in response. The controller had also announced the incident internally, informed bodies affected by the incident (the International Post Corporation, PostEurop and the Universal Postal Union), and informed the relevant national authorities. The controller also shared its policies on systems and data security and on privacy by design and by default.

On 27 July 2022, the controller notified the HDPA of a subsequent incident, in which personal data leaked during the breach was published on the dark web. In response to a request for additional information from the HDPA, the controller provided further information on the publication of the data on the dark web and a detailed analysis of the files posted on the website, including file and subfolder names and categories, the categories of data subjects, the types of personal data and a description.

The HDPA invited the controller to a hearing held on 6 June 2023. The controller explained that the cyberattack took place at 1:30 A.M. and was detected at 6:30 A.M. It had received no alerts concerning Windows Management Instrumentation Command (WMIC) tool process activity, due to a network connection failure. Following confirmation of the threat, the system was taken offline and a process of investigation, logging, categorisation, classification and notification of the parties involved was initiated. The controller immediately informed corporate customers of the incident. Although some systems were encrypted and could not be recovered, the vast majority of systems were recovered. The controller argued that, at the time of the cyberattack, it was facing financial difficulties, and submitted balance sheets to the HDPA showing financial losses in 2020, 2021 and 2022. Following the breach, the controller made significant resources available to strengthen the security of its systems. The controller also stated that, in order to better manage breach incidents, it had launched staff training programmes.

Holding

The HDPA found that the controller had not implemented appropriate technical and organisational measures, lacked appropriate data protection policies and failed to ensure confidentiality, availability and resilience of processing systems. As a result, it concluded that the controller breached Articles 5(1)(f) and 32 GDPR and imposed a €2,995,140 fine.

The controller's technical report revealed a failure to maintain adequate technical and security measures. The controller did not limit access to the data to authorised persons, undermining the confidentiality of its systems. In addition, the controller failed to regularly assess the effectiveness of its security measures and lacked adequate data protection policies. The insufficient security measures also failed to detect and prevent the attacker's tracking and identification activities and the disabling of security mechanisms through malware processes. As a result of these shortcomings, the HDPA determined that the controller violated Articles 5(1)(f) and 32 GDPR.

In calculating the fine, the HDPA took into consideration the large number of data subjects affected; the high level of damage resulting from extensive data leakage; the installation of malicious software and the disclosure of data on the dark web; the failure to implement the security policy; the inadequate security measures; the types of data affected; and the fact that no measures were taken to limit the uploading of data to the dark web. It also took into account mitigating factors, including the strengthening of the system's security, the fact that no special categories of data were implicated, the restoration of service availability and of a significant part of the data volume, and the controller's cooperation with the HDPA. The HDPA also considered the controller's difficult financial situation at the time the attack occurred.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 28-02-2024
Original No: 667

Decision 10/2024

The Personal Data Protection Authority met at the invitation of its Chairperson in an in-person meeting on 26.09.2023 at 10:00, in order to examine the case mentioned in the background of this document. Present were Konstantinos Menoudakos, President of the Authority, Christos Kalloniatis as rapporteur, Spyridon Vlahopoulos, Konstantinos Lambrinoudakis, Ekaterini Iliadou and Gregorios Tsolias as full members, and Nikolaos Livos, alternate member for Charalambos Anthopoulos, who, although legally invited in writing, did not attend because he was unable to. Panagiotis Tsoepelas and Leonidas Roussos, expert auditors, attended as assistant rapporteurs, and Irini Papageorgopoulou, an official of the Authority's Administrative Affairs Department, attended the meeting by order of the President without the right to vote.
The Authority has taken note of the following:
The company "HELLENIC TAXYDROMIA ANONYMOUS LTD" (hereinafter referred to as ELTA) submitted to the Authority, on the basis of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as GDPR), notifications of breach incidents under No. C/EIS/9170/27-07-2022, concerning the encryption of software on the company's system as a result of a malicious attack by third parties, and the leakage of personal data which, at a later stage, were published on the Dark Web. Further analysis of the cyber-attack shows that, as part of the breach of the controller's system, there was unauthorised remote access to workstations and files, discovery by the attacker of the passwords of network domain management accounts, unauthorised access to files and folders, and installation of malicious processes.
The Authority, after examining the initial notification, sent document ref. No. C/EXE/1208/19-05-2022 to ELTA, requesting a description of the actions taken in the context of the investigation of and response to the incident in question, any relevant information and reports (e.g. reports to/from other competent authorities or third-party companies), and the actions the Post Office had taken to inform the affected data subjects and any third parties.
The Post Office replied by e-mails C/EIS/7610/01-06-2022 and C/EIS/7660/02-06-2022, which included a technical report of a cybersecurity incident, the main points of which are described in detail in Annex A of the Decision and which stated the following:
1. Communications were made by the controller to the public to inform them about the breach (21.03.2022 and 23.03.2022), as well as about the actions to be taken after the breach (24.03.2022 and 07.04.2022).
2. There was an internal communication from the controller specifying the actions to be taken to restore the system.
3. The International Post Corporation, PostEurop and the Universal Postal Union, affected by the incident, have been informed (22.03.2022 and 23.03.2022).
4. The Communications Privacy Authority (24.03.2022), the National Telecommunications and Postal Commission (22.03.2022) and the National Cybersecurity Authority (30.3.2022) have been informed.
5. A briefing was given to the Capital Water and Sewerage Network Company. This company has also submitted an initial notification report on the incident under No. G/EIS/5224/25-03-2022 and a final one under No. G/EIS/8266/24-06-2022.
6. A supplementary breach notification was submitted, with the new information obtained during the investigation of the incident.

Subsequently, the Authority, having examined the above reply, requested by document C/EXE/1499/21-06-2022 the IT and information security policies and procedures of the entity and how these policies and procedures were implemented in the context of the response to the breach in question. The Post Office replied by document C/EIS/8566/06-07-2022, submitting the following:

I. The systems and data security policy, as approved at meeting 1753/01.06.2018 of the company's board of directors, the main points of which are described in detail in Annex A of the decision.
II. The privacy by default and by design policy, as approved at meeting 1868/29.12.2021 (item 2) of the Board of Directors, which, inter alia, states the following:
a. The company applies data protection by design by implementing appropriate technical measures on a case-by-case basis and for the intended purpose, in relation to the potential risk.
b. The company ensures by default that access to personal data is restricted to authorised persons only.
c. The company, in the context of privacy protection by default, ensures that personal data is automatically protected.

Subsequently, ELTA submitted the notification of an infringement incident (C/EIS/9170/27-07-2022), which was supplemented by notification C/EIS/12894/29-12-2022. It is stated that, as a follow-up to the above incident, the perpetrators published on the Dark Web personal data intercepted during the breach of the controller's system. The Authority, after examining the relevant notification, sent document No. C/EXE/231/26-01-2023 to the Postal Service, requesting the onion hyperlinks of the Vice Society group where the personal data related to the case in question were posted, as well as any additional report available in this regard. ELTA replied by letter C/EIS/1308/21-02-2023, in which the following was submitted:
1. The group's hyperlink on the dark web through which the data is accessed¹.
2. An investigation report by Netbull, which states that the ransomware group "Vice Society", which is associated with the attack of 20 March 2022, posted data related to the attack on 4 May 2022 on the website it maintains on the Dark Web (hacker forum). The report includes the contents of the subdirectory tree and the files posted on the website.
3. A detailed analysis of the files uploaded to the website, including subfolder name, file name, file category, category of data subjects, types of personal data and description.

ELTA was invited to a hearing on 29.11.2022 by the Authority's document C/EXE/2888/15-11-2022. The Post Office submitted a request for adjournment of the hearing on the ground that a thorough examination of the records leaked on the dark web was in progress, which was granted. The Authority re-issued a summons for a hearing on 09.05.2023 by document No. C/EXE/1091/02-05-2023, in response to which the Post Office submitted, by document No. C/EIS/3260/04-05-2023, a request for adjournment on the ground of a change of legal adviser to the management. The request was granted and the hearing was adjourned to 06.06.2023.
The meeting of 06.06.2023 was attended on behalf of the controller by Ioannis Giannakakis with MDSA ..., A from the General Directorate ..., B, Head ..., Hara Zerva with MDSA ... and Stergios Konstantinou with MDSA ..., who submitted the following in their defence:
1. At the time of the cyber attack, the organisation was facing serious financial difficulties. The security measures were not working because of this financial constraint.
2. The cyber attack started at 1:30 am and was detected at 6:30 am. Following confirmation of the existence of the threat, the system was taken offline and a process of investigation, logging, categorisation, classification and notification of the parties involved was initiated.
3. In order to better manage breach incidents, staff training programmes have been launched.
4. Following the incident, significant resources were made available to shield the security of the system. The actions taken after the incident relate to remedying the technical and organisational vulnerabilities of the system and not to changing the regulatory framework in which the company operates.
5. There were no alerts about Windows Management Instrumentation Command (WMIC) tool process activity, due to a network connection failure.

¹ http://vsociet***.onion/
Finally, ELTA submitted memo No. C/EIS/4815/28-06-2023, in which the following are mentioned:
1. Additional technical clarifications regarding cyber-attack, the main points of which are described in Annex A of the Decision.
2. The vast majority of systems were recovered from backups (magnetic tapes) that were not encrypted and from backups that were located outside the attacked infrastructure. Some systems that were encrypted could not be recovered, but hosted historical data of legacy applications.
3. As soon as the cyber-attack incident became known, ELTA proceeded to immediately inform all corporate customers, who in the context of their cooperation with ELTA may (depending on the type of services provided to them) act either as controllers or as processors. In particular, with regard to the cooperation of the Post Office with the Water Supply and Waste Water Treatment Company of Porteyousis, Inc. (hereinafter referred to as EYDAP), the company proceeded to thoroughly inform the counterparty of both the availability restriction incident and the confidentiality restriction incident. In particular, ELTA informed EYDAP in this respect that it acts as processor on its behalf only in respect of the services referred to in Article 1, subpara. (e) of the relevant contract between them, 'EIFADAP Information Procedure S.A.', while for the other processing operations carried out by ELTA, namely the fulfilment of the universal postal service, ELTA acts as an independent controller.
4. As can be seen from the balance sheets for 2020, 2021 and 2022, ELTA has made losses in the last 3 years. Specifically: turnover in 2019 amounted to 355,647,000. In 2020, turnover amounted to 318,467,000, a decrease of 10.5%. In 2021, turnover amounted to 299,514,000, a decrease of 6%, and in the first half of 2022, turnover amounted to 140,051,000, a decrease of 5.4% compared to 2021.

CONSIDERED IN ACCORDANCE WITH THE LAW

1. According to Article 5(1)(f) of the GDPR, personal data "shall be processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or deterioration, using appropriate technical or organisational measures ('integrity and confidentiality')."
2. In accordance with Article 32 of the GDPR:
"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure an appropriate level of security against the risks, including, inter alia, where appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the confidentiality, integrity, availability and resilience of the processing systems and services on a continuous basis;
(c) the possibility of restoring availability and access to personal data in due time in the event of a physical or technical incident;
(d) a procedure for the regular testing, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.
2. When assessing the appropriate level of security, particular account shall be taken of the risks arising from the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed.
(...)
4. The controller and the processor shall take measures to ensure that any natural person acting under the supervision of the controller or the processor who has access to personal data processes them only on the instructions of the controller, unless required to do so by Union or Member State law."


3. In the present case, the examination of the technical report of the cybersecurity incident shows that the Post Office did not maintain adequate technical security measures on the system, as described in detail in Annexes D and E to the Decision, in breach of Article 32 of the GDPR.
4. In addition, the examination of the security policy reveals the incorrect application of policies as described in detail in Annex F to the Decision, in breach of Article 32 of the GDPR.
5. Furthermore, from the notification of an infringement incident No. C/EIS/9170/27-07-2022, it is clear that the restriction of access to authorised persons only, as described in detail in Annexes D and E of the decision, was not ensured, in violation of Article 5 par. 1(f).
6. Moreover, the examination of the technical report of the cybersecurity incident shows that the perpetrator's tracking and identification activities and the disabling of security mechanisms as a consequence of the execution of malware processes, as described in detail in Annexes D and E of the Decision, were not detected and prevented, in violation of Article 32 of the GDPR.
7. In particular, in relation to the infringements referred to in paragraphs 3-6 above, from all the evidence in the file and the hearing, it appears that the ELTA:
a. It has not ensured, by implementing the required technical and organisational measures, the protection of personal data against unauthorised or unlawful processing, resulting in the loss of the right to the protection of personal data pursuant to Article 5(1)(f) of the GDPR.
b. It has not implemented appropriate data protection policies to ensure that it is able to demonstrate that it has carried out processing in accordance with the provisions of Article 32 of the GDPR.
c. It did not ensure the confidentiality, availability and resilience of the processing systems and services on an ongoing basis, nor the integrity of the procedures for the regular testing, assessment and evaluation of the effectiveness of technical and organisational measures for the security of processing, so as to ensure an appropriate level of security against risks to the rights of data subjects, as referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR.
8. On the basis of the above, the Authority considers that there have been infringements of the obligations under Articles 5(1)(f) and 32 of the GDPR. For the breaches of those articles, which constitute separate infringements, there is a case for the exercise of the Authority's corrective powers by imposing, pursuant to Article 58(2)(i) of the GDPR and on the basis of the circumstances found, an effective, proportionate and dissuasive administrative fine pursuant to Article 83 of the GDPR.
9. For the calculation of the fine, the following criteria are taken into account in accordance with Guidelines 4/2022 of the EDPB on the calculation of administrative fines:²
I. Turnover data, in particular:
a. Latest available turnover: 140.051.000 €³ (01/01/2022-30/06/2022).
b. Latest available annual turnover 2021: 299.514.000 €⁴ (01/01/2021-31/12/2021).
c. Turnover decrease of 5.4% between the six months 01/01/2021-30/06/2021 and 01/01/2022-30/06/2022.⁵
II. That the gravity of the infringements found is in all cases considered to be high, taking into account:
a. the wide range of persons affected, i.e. 4.000.000 - 5.000.000.000, including ELTA employees, executives, board members, lessors, customers, external partners, distributors, contractors, pensioners, postal agents, borrowers and guarantors;
b. the high level of damage, i.e. extensive data leakage involving personal data, financial data, etc., and loss of service availability;
c. that a breach of the controller's system, unauthorised access to resources, installation of malicious software and disclosure of data on the dark web have taken place, as described in detail in Annexes C, D, E and F;
d. that there were failures to implement the security policy, failure to secure access to data against unauthorised users, insufficient technical documentation on the issue of the collection of domain passwords, and failure to make use of the unusual-activity warning messages of the protection mechanisms, as detailed in Annexes D and E;
e. that categories of personal data of particular importance were affected, such as financial data of the controller and of affected companies/providers, employee data, correspondence, competitions, board minutes, personal and customer file photos, witness summons data, witness testimony reports, universal inspection reports, database records, the list of OGA pensioners, customer/supplier data, and affidavits/authorisations;
f. the fact that no historical application data was recovered, and that no measures were taken to limit the posting of data on the dark web.

² https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042022-calculation-administrative-fines-under_en - version 2.0, after consultation.
³ Γ/ΕΙΣ/4815/28-06-2023
⁴ Γ/ΕΙΣ/4815/28-06-2023, https://publicity.businessportal.gr/company/1092101000
⁵ Γ/ΕΙΣ/4815/28-06-2023

III. The Authority takes into account the following as mitigating circumstances:
a. Following the incident, the security of the system was reinforced by taking both technical and organisational measures.
b. There was no leakage of sensitive personal data.
c. The controller contracted a third-party company to carry out a standard incident management and response procedure and implemented all steps of the procedure.
d. A significant amount of data was restored from backups, and service availability was restored.
e. The controller submitted an additional breach notification which includes details of the data leakage to the dark web.
f. At the time the attack occurred, the controller was in a difficult financial situation. The company was experiencing a loss in turnover until 30/6/2022.
10. After taking into account the above aggravating and mitigating circumstances (paragraph 9(II) and (III) above), as well as the controller's turnover data (paragraph 9(I) above), the Authority considers that a fine should be imposed on the company "HELLENIC TAXYDROMIA ANONYMOUS LTD" close to the lower end of the range set by Guidelines 4/2022 of the EDPB for infringements of high gravity, equal to 1% of the controller's last available annual turnover.

FOR THESE REASONS
The Authority

Exercising the corrective powers under Article 58(2)(i) of the GDPR, imposes a fine of two million nine hundred and ninety-five thousand one hundred and forty euros (2.995.140 €) on the company "HELLENIC TAXYDROMIA ANONYMOUS LTD", for the reasons set out in detail in the grounds.