Background information
- Date of decision: 16 May 2023
- Cross-border case or national case: National case
- Legal references: Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
- Decision: Administrative fine, Compliance order
- Key words: Responsibility of the controller, Data security, Electronic communications, Hacker attack, Personal data breach, Principles relating to processing of personal data, Security of processing
Summary of the Decision
Origin of the case
The supervisory authority received a data breach notification following a ransomware attack that resulted from the exploitation of a vulnerability in an IT system.
In this case, the controller conducted a risk analysis in an unreliable manner (especially with regard to backups), and implemented incomplete technical and organisational measures to guarantee security in the processing of personal data.
As a result, the security of the IT system used by the controller was breached and the data processed in the system was then encrypted using malware.
The controller, prior to the occurrence of the personal data breach, identified the risk associated with the use of outdated software, but did not update it, and therefore did not itself comply with the procedures of which it was the author.
Key Findings
During the proceeding, and after analysing the evidence, the DPA found that the actual cause of the ransomware attack was an outdated virus database. Moreover, it was established that the operating system installed by the controller on the server at the time of the data breach was no longer supported by its developer.
The proceeding indicated that personal data processed by the controller had been encrypted, resulting in a loss of accessibility to the controller's databases.
The technical measures adopted by the controller to protect personal data were in no way tested, measured or evaluated by the controller to verify their effectiveness. During the course of the proceeding, the controller was unable to demonstrate that the solutions applied were sufficient to ensure the security of the data processed. Furthermore, the controller did not provide evidence that it has performed regular testing following the personal data breach.
The President of the Personal Data Protection Office imposed an administrative fine of about 6 700 EUR (30 000 PLN) on the controller for selecting ineffective security safeguards for the IT system used and for failing to test them.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.