News
Spain: insurance company fined for security failures
Source: AEPD decision PS-00453-2023
The Facts
October 2022: a cyberattack compromised the personal data of 1.6 million people.
Method: a brute-force attack against an internal customer management application, carried out with compromised broker credentials.
Exposed data:
- Names and postal addresses
- Phone numbers
- Bank details taken from insurance contracts
Security Flaws Identified
- No multi-factor authentication (MFA) on the application, so a guessed or stolen password alone was enough to log in
- Customer data retained beyond the legally permitted retention period, which enlarged the population affected by the breach
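The attack described above (password guessing against an internal application with no second factor) is the kind of pattern an authentication log should expose long before 1.6 million records leave the building. The following is an added example, not code from the decision or from the insurer; it runs a simple sliding-window brute-force detector over a constructed log excerpt. The log format, the account names (broker042, broker007), the source address 203.0.113.7 and the threshold of 5 failures in 5 minutes are all assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the AEPD decision): one broker account
# receives a burst of failed logins from a single address, then succeeds.
SAMPLE_LOG = """\
2022-10-03T08:00:01Z login user=broker042 src=203.0.113.7 result=FAIL
2022-10-03T08:00:02Z login user=broker042 src=203.0.113.7 result=FAIL
2022-10-03T08:00:04Z login user=broker007 src=198.51.100.20 result=FAIL
2022-10-03T08:00:05Z login user=broker042 src=203.0.113.7 result=FAIL
2022-10-03T08:00:07Z login user=broker042 src=203.0.113.7 result=FAIL
2022-10-03T08:00:09Z login user=broker042 src=203.0.113.7 result=FAIL
2022-10-03T08:00:11Z login user=broker042 src=203.0.113.7 result=FAIL
2022-10-03T08:00:40Z login user=broker042 src=203.0.113.7 result=OK
"""

THRESHOLD = 5                  # assumed: failures per account within WINDOW
WINDOW = timedelta(minutes=5)  # assumed: sliding window length


def parse_line(line):
    """Parse one constructed log line into a dict (assumed format)."""
    ts_str, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"],
        "src": fields["src"],
        "result": fields["result"],
    }


def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for accounts that exceed `threshold` failed logins inside
    `window`, and a second alert if such an account then logs in successfully
    (the signature of a guessed password on an MFA-less application)."""
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        if ev["result"] == "FAIL":
            q = failures[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append({
                    "kind": "brute_force",
                    "user": user,
                    "src": ev["src"],
                    "count": len(q),
                    "first": q[0],
                    "last": ev["ts"],
                })
        elif user in flagged:
            # A success on an account already under attack deserves its own alert.
            alerts.append({
                "kind": "success_after_brute_force",
                "user": user,
                "src": ev["src"],
                "at": ev["ts"],
            })
    return alerts


def lock_candidates(alerts):
    """Accounts that should be locked or forced through step-up authentication."""
    return sorted({a["user"] for a in alerts if a["kind"] == "brute_force"})


if __name__ == "__main__":
    found = detect_brute_force(SAMPLE_LOG)
    for a in found:
        print(a)
    print("lock:", lock_candidates(found))
```

Two points worth noting. First, the detector keys on the account rather than the source address, because a distributed attacker rotates addresses far more easily than usernames. Second, lockout and rate limiting only slow guessing; if the broker password is already in the attacker's hands (as the decision describes), only a second factor stops the login, which is why the missing MFA is the headline finding.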
Violations Identified by the AEPD
- Failure to ensure data security (Art. 5(1)(f) and Art. 32 GDPR): the controller must implement appropriate technical and organizational measures to ensure the confidentiality and security of personal data.
- Failure of data protection by design (Art. 25 GDPR): data protection must be built in from the design phase of systems, not bolted on afterwards.
- No Data Protection Impact Assessment (DPIA) (Art. 35 GDPR): a DPIA is required when a processing activity is likely to result in a high risk to individuals' rights and freedoms.
Sanctions
- Administrative fine: €5M, reduced to €4M after the applicable reductions.
- Order to conduct a DPIA within 3 months.
Conclusion
This case highlights the importance of securing access (MFA on anything reachable with a password), enforcing data retention limits so a breach exposes no more than it must, and anticipating risks through impact assessments.