News

26/03/2025

Source : PS-00453-2023

The Facts

  • October 2022: A cyberattack compromised the personal data of 1.6 million people.
  • Method: A brute-force attack on an internal customer management application, using compromised broker credentials.
  • Exposed data:
      • Names and addresses
      • Phone numbers
      • Bank details from insurance contracts

Security Flaws Identified

  • No multi-factor authentication (MFA)
  • Customer data retained beyond the legal timeframe

Violations Identified by the AEPD

  • Failure to ensure data security (Art. 5(1)(f) and Art. 32 of GDPR)
    The data controller must implement technical and organizational measures to ensure the confidentiality and security of personal data.

  • Failure in privacy by design (Art. 25 of GDPR)
    Data protection must be integrated from the design phase of systems.

  • Lack of a Data Protection Impact Assessment (DPIA) (Art. 35 of GDPR)
    A DPIA is required when processing activities may pose risks to individuals' rights and freedoms.

Sanctions

  • Administrative fine: €5M, reduced to €4M after adjustments.
  • Ordered to conduct a DPIA within 3 months.

Conclusion

This case highlights the importance of securing access, complying with data retention rules, and anticipating risks through impact assessments.
