HDPA (Greece) - 10/2024: Difference between revisions

From GDPRhub
Revision as of 09:30, 24 April 2024

HDPA - 10/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: 2,955,140 EUR
Parties: Hellenic Post
National Case Number/Name: 10/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Iliana Papantoni

The HDPA imposed a fine of €2,995,140 on the Hellenic Post for violation of Articles 5(1)(f) and 32 GDPR, following its personal data breach notifications.

English Summary

Facts

On 23 March 2022, the Hellenic Taxydromia Anonymous Ltd (controller) notified a personal data breach to the Hellenic DPA (HDPA) as a result of a cyberattack. The breached data included access to employees' workstations and files, passwords of network domain management accounts and miscellaneous folders, and was subsequently published on the Dark Web. In addition, the attackers installed malicious processes on the controller's system. Between 4,000,000 and 5,000,000,000 data subjects, including the controller's employees, executives, board members, lessors, customers, external partners, distributors, contractors, pensioners, borrowers and guarantors, were estimated to have been affected.

On 19 May 2022, the HDPA requested a description of the actions taken by the controller to address the data breach, as well as the actions taken to notify the data subjects concerned or any third party. The controller responded by providing a cybersecurity incident report. It stated that it had informed the public about the personal data breach and the actions taken in response. The controller also announced the incident internally, informed bodies affected by the incident (the International Post Corporation, PostEurop and the Universal Postal Union), and informed the relevant national authorities. The controller also shared its policies concerning its systems, data security, and privacy by design and by default.

On 27 July 2022, the controller notified the HDPA of a subsequent infringement incident, in which the leaked personal data was published on the dark web as a consequence of the data breach. In response to a request for additional information from the HDPA, the controller shared further information concerning the publication of the data on the dark web and a detailed analysis of the files posted on the website, including file and subfolder names and categories, categories of data subjects, types of personal data and descriptions.

The HDPA invited the controller to a hearing held on 6 June 2023. The controller explained that the cyberattack took place at 1:30 A.M. and was detected at 6:30 A.M. It received no alerts from the Windows Management Instrumentation Command tool due to a network connection failure. Following confirmation of the threat, the system was taken offline and a process of investigation, logging, categorisation, classification and notification of the parties involved was initiated. The controller immediately informed corporate customers of the incident. Although some systems were encrypted and could not be recovered, the vast majority of systems were recovered. The controller argued that, at the time of the cyberattack, it was facing financial difficulties. It submitted balance sheets to the HDPA, which indicated financial losses in 2020, 2021 and 2022. Following the breach, the controller made significant resources available to strengthen the security of its systems. The controller also stated that, in order to better manage breach incidents, it had launched staff training programmes.

Holding

The HDPA found that the controller had not implemented appropriate technical and organisational measures, lacked appropriate data protection policies and failed to ensure confidentiality, availability and resilience of processing systems. As a result, it concluded that the controller breached Articles 5(1)(f) and 32 GDPR and imposed a €2,995,140 fine.

The controller's technical report revealed a failure to maintain adequate technical and security measures. The controller did not restrict access to the data to authorised persons, creating weaknesses in the system's ability to maintain confidentiality. In addition, the controller failed to regularly assess the effectiveness of its security measures and lacked adequate data protection policies. The insufficient security measures also failed to detect and prevent the attacker's reconnaissance activity and the disabling of security measures by means of malware processes. As a result of these shortcomings, the HDPA determined that the controller violated Articles 5(1)(f) and 32 GDPR.

In calculating the fine, the HDPA took into consideration the large number of data subjects affected; the high level of damage resulting from the extensive data leakage; the installation of malicious software and the disclosure of data on the dark web; the failure to implement the security policy; the inadequate security measures; the types of data affected; and the fact that no measures were taken to limit the uploading of data to the dark web. It also took into account mitigating factors, including the strengthening of system security, the fact that no special categories of data were implicated, the restoration of service availability and of a significant part of the data volume, and the controller's cooperation with the HDPA. The HDPA also considered the controller's difficult financial situation at the time the attack occurred.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.