The Polish Personal Data Protection Office (UODO) has imposed a fine of more than 350,000 PLN on a company that sells, among other products, anti-burglary doors. The fine was imposed for a series of personal data protection failures that came to light after a hacker attack. The partners of the civil-law partnership to which the data controller (the "data administrator" in Polish terminology) had entrusted data processing were additionally fined 9,800 PLN.
Ransomware Attack and the Controller's Mistakes
The company reported that, as a result of a ransomware attack, it lost access to customer and employee data. The database contained detailed personal data, including PESEL numbers, ID card data, home addresses, bank account numbers and contact details. According to the company's explanation, the attack was possible because an employee had switched off the antivirus software. The controller assessed that the attacker's aim was extortion rather than taking the data, and on that basis assumed there was no high risk to the rights and freedoms of the affected individuals. Under the GDPR, however, a personal data breach covers loss of availability of the data as well as its disclosure, so the attacker's motive does not by itself lower the risk.
Although the company did notify the individuals whose data were affected, the UODO found the manner of notification deficient. The controller also failed to respond to the office's comments, which was a further ground for imposing the penalty.
Inadequate Security Measures and Risk Analysis
Having analysed the collected evidence, the President of UODO determined that the company had not implemented appropriate technical and organisational measures that could have prevented the attack. The key failure was the absence of a risk analysis meeting GDPR requirements: the company neither identified the threat posed by malicious software nor ensured that the software in its IT infrastructure was kept up to date.
Even the measures implemented after the incident were found insufficient. Because no risk analysis had been carried out, the controller could not demonstrate that those measures were adequate to the risk actually identified.
Lack of Training and the Responsibility of the "Human Factor"
The controller blamed the attack on the "human factor". The President of UODO pointed out, however, that the organisation had held only two data protection training sessions, just one of them before the incident. That is far too little for a company that itself regarded the "human factor" as a potential threat.
Responsibility of the Processor
A financial penalty was also imposed on the partners of the civil-law partnership to which the controller had entrusted data processing, i.e. the processor. The UODO found that the processor did not give the controller sufficient assistance in ensuring data security: it failed to report server vulnerabilities, missing software updates and the need to adopt newer solutions, which ultimately enabled the ransomware attack.
Source: https://managerplus.pl/uodo-naklada-wysoka-kare-za-naruszenie-zasad-ochrony-danych-osobowych-po-ataku-ransomware-35821