Facts
• Security Incident: On May 11, 2023, the company sent an encrypted USB key by postal mail containing the personal data of 143 individuals, including payment information.
• Major Error: The decryption key was included in the same envelope, compromising the data's security. The mail was returned empty, without the code or USB key—likely indicating loss or theft.
Identified Failures
• Violation of Article 32 of the GDPR: Failure to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
o Code sent in the same package as the encrypted USB key.
o Lack of effective procedures to prevent this type of incident.
Measures Taken by the Insurance Company
• Internal procedures in place (prohibiting sending USB keys with the code).
• Regular employee training on security.
• Awareness-raising with the responsible employee.
• Dark web monitoring to detect possible fraudulent use of the data.
• Notification to the affected individuals.
• Follow-up by the DPO and cybersecurity team.
• Change of transport provider (SEUR replaced by Correos).
Sanction
• Initial Fine: €100,000
• Reduced Fine for Voluntary Payment: €80,000
• No admission of responsibility
• Fine was paid on June 17, 2024, closing the procedure.
Corrective Measures Imposed
• The insurance company and SEUR must notify, within two months, the concrete steps taken to ensure data confidentiality, restore data access, and verify the effectiveness of technical measures.