He turned off the antivirus program just for a moment. He didn’t see this coming
The Personal Data Protection Office (UODO) imposed a fine of PLN 350,000 on a company that sells, among other products, anti-burglary doors.
All because the company did not properly protect the personal data of its customers. Earlier, the company had suffered a hacker attack, as a result of which it lost access to customer and employee data. The database contained data such as PESEL numbers, ID cards, parents’ names and surnames, e-mail addresses and telephone numbers.
Was the human factor to blame?
The company blames one of its employees for this turn of events. The employee disabled the antivirus program, which allowed the criminals to attack. According to the administrator (the data controller), the incident lasted only a short time and the company eventually managed to regain access to the data. It was also established that the aim of the attack was not to obtain data, but to blackmail. Hence, the “risk of violating the rights and freedoms of natural persons” was assessed as low.
The company informed all data subjects about the entire event, but according to the Personal Data Protection Office, it did so incorrectly and did not respond to the comments it received.
So what went wrong?
The data controller did not apply appropriate technical and organizational measures that would minimize the risk to the data. (…) contrary to the GDPR, did not conduct an appropriate risk analysis. In this situation, this risk had to be combined with the possibility of using malware.
Over the years, the processor has failed to inform the administrator about vulnerabilities in the server software, as well as about the need to update the operating system to the latest possible version.
– the office said in a statement.
What could have been done better?
It was pointed out that “one of the key methods of preventing such attacks is to use up-to-date software for all elements of the IT infrastructure.” However, the company did not do this. The administrator pointed to the human factor as the cause, but itself admitted that it had conducted only two training courses in the field of data protection. This is not enough if the administrator believes that a person poses a threat to data in its organization. In the opinion of the Personal Data Protection Office, there were also a number of shortcomings in the reporting of the data breach. Many years of neglect had accumulated, hence the specific amount of the fine.
