Checking potential system vulnerabilities cannot be delayed
The inability to quickly identify a threat and remove it led ID Finance Poland to a loss of data. The President of the Personal Data Protection Office (UODO) therefore found that the company had not implemented appropriate technical and organizational measures, which resulted in a breach of the confidentiality principle for personal data, and imposed an administrative fine on the company in the amount of over PLN 1 million (EUR 250,000).
The fined company (owner of the lending platform MoneyMan.pl) did not respond adequately to the signal about gaps in its security. It did not promptly verify the information that its clients’ data was accessible on one of its servers. The notification was not treated seriously, so a few days after the company received the signal, an unauthorized person copied the data and then deleted it from the server. That person demanded a ransom for returning the stolen information. Only then did the company begin analysing the security of its servers and, at the same time, notify the supervisory authority of the data breach.
In the proceedings, the UODO established that the breach took place because the appropriate security configuration was not restored after one of the servers operated by the processor (the hosting company) was restarted. The controller was notified of this by a cybersecurity specialist, who detected the vulnerability and pointed to sample data that was publicly accessible. Instead of diligently checking the notification it received and monitoring whether the processor duly dealt with the matter by checking the security, the controller suspected that this might be an attempt to extort further data from it, which it stated in its correspondence to the processor. As a result, the identified vulnerabilities in the system were not checked immediately, and a few days later the data was stolen from this server.
This breach would not have occurred if the controller had immediately reacted appropriately to the information that the data on his server was unsecured. In the opinion of the Personal Data Protection Office, the controller should maintain the ability to quickly and effectively identify any breaches in order to be able to take appropriate action. Moreover, the controller should be able to quickly investigate the incident in terms of whether there has been a data breach and take appropriate remedial action.
The supervisory authority also found that the processor's failure to respond quickly enough to the notification of a system vulnerability does not exclude the controller's responsibility for the data breach. The controller must be able to detect, address, and notify a data breach; this is a critical element of technical and organizational measures.
In the opinion of the UODO, the company, despite promptly providing the processor with information about a potential vulnerability in the server's security, did not take sufficient action. The proceedings showed that the controller briefly analysed the signal received, did not take it seriously and did not oblige the processor to deal with the case properly.
When imposing a fine for the loss of confidentiality of personal data caused by a series of negligent acts by the controller, the UODO took into account the scale of the breach and the scope of the stolen data. In addition, because unencrypted passwords also leaked, this data could be used to log in to customers' accounts on other websites if they used the same login (e.g. e-mail address) and password there. In establishing the amount of the fine, the authority also took into account the controller's delay in taking preventive measures.
The amount of the fine should fulfil both a repressive and a preventive function. In the opinion of the authority, it should prevent similar breaches in the future, both in the penalized company and among other controllers.
For details on the case please see the contents of the decision available (in Polish) at: https://uodo.gov.pl/decyzje/DKN.5130.1354.2020.