News
🇪🇸 Insurance company fined for a security failure ⚖️💰
Source: AEPD sanction procedure PS-00453-2023
🔴 The Facts
📅 October 2022: A cyberattack 💻 compromised the personal data of 1.6 million people.
🔓 Method: Compromised broker credentials 🎯 were used to log in to an internal customer management application, which was then queried by brute force to pull customer records in bulk.
📂 Exposed Data:
- 🏷️ Names and addresses
- 📞 Phone numbers
- 💳 Bank details from insurance contracts
⚠️ Security Flaws Identified
🔹 No Multi-Factor Authentication (MFA) ❌🔑
🔹 Customer data retained beyond the legal timeframe ⏳📂
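The two behaviours described above, a password brute force that eventually succeeds and a single broker account then pulling far more customer records than any broker normally would, are both visible in ordinary application logs. The following is an added example, not code from the insurer or from the AEPD decision: a sliding-window detector over constructed log lines. The log format, the thresholds, the account names and the IP addresses are all assumptions made for the example.

```python
"""Sliding-window detection of (a) failed-login bursts per source and
(b) bulk customer-record retrieval per authenticated account.
Added example with a constructed log format; not the insurer's code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def make_sample_logs():
    """Constructed sample, not real logs: a brute-force burst that succeeds,
    then bulk record reads with the now-compromised broker account."""
    t0 = datetime(2022, 10, 3, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 6 failed logins in 6 seconds from one source, then a success
    for i in range(6):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} "
                     "login FAIL src=203.0.113.7 user=broker-1042")
    lines.append(f"{(t0 + timedelta(seconds=6)).isoformat()} "
                 "login OK src=203.0.113.7 user=broker-1042")
    # a legitimate broker: 3 record reads spread over an hour
    for i in range(3):
        lines.append(f"{(t0 + timedelta(minutes=20 * i)).isoformat()} "
                     f"record READ src=198.51.100.5 user=broker-0007 id=C{i:06d}")
    # the compromised account enumerating records: 80 reads in 4 minutes
    for i in range(80):
        lines.append(f"{(t0 + timedelta(minutes=1, seconds=3 * i)).isoformat()} "
                     f"record READ src=203.0.113.7 user=broker-1042 id=C{100000 + i:06d}")
    return "\n".join(lines)


def parse_line(line):
    """'<iso-ts> <event> <result> k=v k=v ...' -> (ts, event, result, fields)."""
    ts, event, result, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), event, result, fields


def burst_keys(events, match, key, threshold, window):
    """Return the keys that accumulate `threshold` matching events inside
    any time span of length `window` (per-key sliding window of timestamps)."""
    hits, recent = set(), defaultdict(deque)
    for ts, event, result, fields in sorted(events, key=lambda e: e[0]):
        if not match(event, result):
            continue
        k = key(fields)
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            hits.add(k)
    return hits


def failed_login_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold failed logins within one window: brute force."""
    return burst_keys(events, lambda e, r: e == "login" and r == "FAIL",
                      lambda f: f["src"], threshold, window)


def bulk_reader_accounts(events, threshold=50, window=timedelta(minutes=5)):
    """Accounts reading >= threshold customer records within one window:
    credential misuse / bulk extraction, even though every request is
    authenticated."""
    return burst_keys(events, lambda e, r: e == "record" and r == "READ",
                      lambda f: f["user"], threshold, window)


def analyse(log_text):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"brute_force_sources": failed_login_sources(events),
            "bulk_reader_accounts": bulk_reader_accounts(events)}


if __name__ == "__main__":
    print(analyse(make_sample_logs()))
```

The second detector is the one that matters once credentials are already compromised: a valid session with no MFA looks like a normal broker until its access volume is compared with a baseline, so the per-account read rate (or a hard server-side limit on records returned per account per window) is the control to add alongside MFA.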
📜 Violations Identified by the AEPD
📌 Failure to ensure data security 🛡️ (Art. 5(1)(f) and Art. 32 GDPR)
💡 The data controller must implement technical and organizational measures to ensure the confidentiality and security of personal data.
📌 Failure in Privacy by Design ⚙️ (Art. 25 of GDPR)
🔧 Data protection must be integrated from the design phase of systems.
📌 Lack of a Data Protection Impact Assessment (DPIA) 📊 (Art. 35 of GDPR)
📉 A DPIA is required when processing activities may pose risks to individuals' rights and freedoms.
🚨 Sanctions
💶 Administrative fine: €5M, reduced to €4M after adjustments.
⏳ Ordered to conduct a DPIA within 3 months.
🔍 Conclusion
👉 This case highlights the importance of securing access, complying with data retention rules, and anticipating risks through impact assessments.