Bank Millennium fined €80,000 by Polish DPA for failure to report a breach

Bank Millennium fined €80,000 by the Polish DPA for failing to report a breach to the authority and to inform the affected data subjects sufficiently.

 

Recently, the Polish DPA fined Bank Millennium over a data breach which the bank had failed to report, and about which it had failed to inform the affected customers sufficiently. According to this report from the EDPB, the supervisory authority learned of the breach only when customers complained about correspondence, containing their personal data, that a courier service had lost. The lost documents contained the customers' names, personal identification numbers, registered addresses, bank account numbers and the identification numbers the bank assigns to its customers. The customers who went on to complain had been told about the breach, but the information given to them did not meet the requirements of the GDPR.

 

Bank Millennium considered the breach to be of medium severity and therefore did not think it necessary to inform anyone beyond what it had already done.

 

The GDPR imposes two distinct obligations whose scope depends on the risk a breach poses. Under Article 33, a controller must notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. Under Article 34, where the breach is likely to result in a high risk, the controller must also communicate it to the affected data subjects in clear and plain language, including the nature of the breach, its likely consequences and the measures taken. Bank Millennium, assessing the risk as medium, concluded that the Polish DPA did not need to be notified and gave customers only limited information on how their data may have been compromised. According to the DPA, that information was insufficient and did not meet the GDPR's standard. The Polish DPA added that, had it been notified, it could have guided the controller on how much information needed to be conveyed to the affected data subjects.

 

Bank Millennium was fined €80,000 as a result of their failure to report a data breach.

 

The Polish DPA fined Bank Millennium a total of €80,000 for this violation of data protection law and ordered the bank to communicate the breach to the affected persons in the manner set out in the GDPR. In setting the amount, the DPA took into account that the bank still had not fulfilled its obligations during the proceedings, as well as the gravity of the breach. In addition, the supervisory authority found the bank's level of cooperation during the proceedings unsatisfactory. The fine is intended to be repressive and to deter other banks and organisations that may not be as vigilant in fulfilling their data protection obligations.


Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

WhatsApp privacy policy updated after record fine of €225 million

WhatsApp's privacy policy has been updated after the company was hit with a GDPR fine; however, the update changes nothing about the service itself.

 

WhatsApp has amended its privacy policy after being hit with a record fine for an EU GDPR violation. While the company is still appealing the €225 million fine, its privacy policy is being updated as ordered by the Irish Data Protection Commission (DPC). The company insists that nothing about its actual service is changing: the amendments are meant to provide additional detail on its existing practices, and WhatsApp users in Europe are not expected to take any action. According to this report from the BBC, the changes apply only to the privacy policy for WhatsApp in Europe, which already differs from the one used in the rest of the world.

 

Numerous users had previously complained about an update to the company's terms, raising concerns about the safety of their information.

 

Several users in Europe complained about an update to the terms of service which they believed would result in their accounts being blocked if they did not accept it. Many of those users were under the impression that the new terms would result in their information being shared with WhatsApp's parent company Facebook, which has since become Meta. WhatsApp addressed this point specifically when commenting on the amendments ordered by the Irish DPC. In its statement, WhatsApp said: "This update does not change how we process, use or share user data with anyone, including Meta, nor does it change how we operate our service." The company noted that users were not required or expected to agree to anything or take any action, and that messages on its platform continue to be end-to-end encrypted, meaning that only the sender and the recipient can read them.

 

WhatsApp was recently hit with the second-highest fine in GDPR history, following an investigation into its transparency towards users.

 

In September, WhatsApp was hit with a record fine after an investigation into the company's transparency about how it handles user information. The Irish DPC had originally proposed a fine of €30 million to €50 million, but after other EU regulators were consulted on a reassessment of the amount, the fine rose to €225 million. WhatsApp insists that it has always provided the required information to its users and is appealing the fine. The company has, however, given users substantially more information about how it uses their data and how it works with its parent company, Meta.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Poor personal data security by Dutch airline leads to a fine

Poor personal data security leads to a fine from the Dutch DPA after security flaws allowed a major hack.

 

The airline Transavia has recently been hit with a €400,000 fine from the Dutch DPA following a major hack attributable to poor data security. Two accounts in the company's IT department were compromised, giving the attacker potential access to the personal data of over 25 million passengers. A subsequent assessment revealed that the personal data of 83,000 passengers was actually downloaded.

 

Three security flaws made the company easy to break into.

 

The attacker was able to download the personal information of 83,000 passengers from the airline's database. Three security flaws made this easy. First, the two accounts used very simple passwords that were evidently easy to guess. Second, there was no multi-factor authentication, so a single password was all that was needed to log in. Third, the access rights of the two accounts were not limited to what was necessary, so once the attacker had logged in, several of the company's systems were reachable.

 

The case has been taken very seriously and highlights the importance of maintaining robust security measures. Here the attacker reached the personal data of millions simply by logging in with a very simple password; one of the passwords used has for years sat at the top of the lists of most-used passwords, alongside entries such as "123456", "Welcome" and "password".
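The three weaknesses the Dutch DPA named (guessable passwords, no MFA, and access beyond what the account's role needs) are exactly what an internal account audit should surface before an attacker does. The following is an added example, not Transavia's code or anything from the DPA's decision: it runs over a constructed set of account records, guesses each stored password hash against a small common-password list with the usual "Welcome1"-style suffixes, flags accounts without MFA, and compares each account's system access against an assumed per-role least-privilege baseline. The deny-list, the role baseline, the account records and the toy salted SHA-256 hash are all assumptions for the example; a real audit would use a breached-password corpus and the directory's actual password hashing (bcrypt, scrypt or Argon2).

```python
"""Added audit example (not Transavia's code): find guessable passwords, missing MFA
and access beyond the role baseline in a constructed set of account records."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed deny-list; a real audit would use a full breached-password corpus.
COMMON_PASSWORDS = ["123456", "password", "welcome", "qwerty", "letmein"]
# Suffixes users bolt on to sneak a common word past naive complexity rules.
SUFFIXES = ["", "1", "!", "123", "2019", "2020"]

# Assumed least-privilege baseline: the systems each role legitimately needs.
ROLE_BASELINE = {
    "it-support": {"helpdesk", "directory"},
    "analyst": {"reporting"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Toy salted hash so the example is self-contained; use bcrypt/Argon2 in real systems."""
    return hashlib.sha256(salt + password.encode()).digest()


@dataclass
class Account:
    user: str
    role: str
    salt: bytes
    pw_hash: bytes
    mfa_enrolled: bool
    systems: frozenset


def guessable_password(acct: Account) -> str | None:
    """Return the recovered password if it is a common word plus a trivial suffix."""
    for word in COMMON_PASSWORDS:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                candidate = base + suffix
                if hmac.compare_digest(hash_password(candidate, acct.salt), acct.pw_hash):
                    return candidate
    return None


def audit_account(acct: Account, baseline=ROLE_BASELINE) -> list[str]:
    """One finding per weakness; an empty list means the account passed."""
    findings = []
    guess = guessable_password(acct)
    if guess is not None:
        findings.append(f"password guessable ({guess!r})")
    if not acct.mfa_enrolled:
        findings.append("no MFA: a guessed password alone grants access")
    excess = acct.systems - baseline.get(acct.role, frozenset())
    if excess:
        findings.append(f"access beyond role baseline: {sorted(excess)}")
    return findings


def make_account(user, role, password, mfa, systems) -> Account:
    salt = hashlib.sha256(user.encode()).digest()[:8]  # deterministic salt for the example
    return Account(user, role, salt, hash_password(password, salt), mfa, frozenset(systems))


# Constructed sample accounts: two weak IT accounts and one that passes.
SAMPLE_ACCOUNTS = [
    make_account("it-admin-1", "it-support", "Welcome1", False,
                 {"helpdesk", "directory", "booking-db", "crew-planning"}),
    make_account("it-admin-2", "it-support", "123456", False,
                 {"helpdesk", "directory", "booking-db"}),
    make_account("analyst-1", "analyst", "correct horse battery staple", True,
                 {"reporting"}),
]


def audit_all(accounts=SAMPLE_ACCOUNTS) -> dict[str, list[str]]:
    """Map each failing account to its findings; passing accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_all().items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Each of the three findings on its own is survivable; the audit matters because the DPA's point is their combination: a password guessed from a deny-list is only an incident when nothing else stands between it and the booking database.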

 

The personal data of 83,000 people was downloaded, including health data of 367 people.

 

Once the attacker had taken over the two accounts in Transavia's IT department, the personal data of 25 million people was within reach, including names, dates of birth, gender, email addresses, telephone numbers, flight information and booking numbers. The data actually downloaded related to 83,000 people and included a 2015 passenger list containing names, dates of birth and flight information. It also included the health information of 367 people who had requested special assistance, such as a wheelchair, for medical reasons.

 

The Dutch DPA has reported an upward trend in data theft in recent times.

The breach behind this investigation was only one of numerous attacks recorded in recent years. The attacker had access to Transavia's accounts, and was stealing personal information, from September to November 2019. In 2020 the Dutch DPA recorded a 30% increase in the number of hacks reported, the majority of them aimed at stealing data. The authority has advised that much of this data theft can be avoided by improving security measures.


Record EU GDPR fine appealed by Amazon

Amazon is appealing the record EU GDPR fine on the basis that there was no data breach.

 

In July, we reported that Amazon was facing a possible fine of €350 million for alleged GDPR violations. According to this Bloomberg report, Amazon is now appealing the fine, which stands at €746 million. The CNPD, Luxembourg's privacy watchdog, hit Amazon with this record-breaking fine on the basis that its processing of user data violated the EU GDPR. The fine stems from a 2018 complaint by the French privacy rights group La Quadrature du Net.

 

Amazon is appealing the record EU GDPR fine, maintaining that there has been no data breach.

 

Amazon disagrees with the CNPD's findings, saying that there has been neither a data breach nor any exposure of customer data to a third party. The world's largest online retailer has also stated that it has guidelines on what employees may do with customer data, which it collects in order to improve the customer experience. Some lawmakers and regulators have voiced concerns that the data collected gives the company an unfair advantage in the marketplace, and EU authorities are separately scrutinising Amazon's use of data from sellers on its platform over whether it unfairly favours its own products.

 

The initially proposed fine of €350 million more than doubled to €746 million after consultation with other EU regulators.

 

Under the EU GDPR, regulators can fine companies up to 4% of their annual global turnover. The fine proposed at first was €350 million; after other regulators in the bloc approved a reassessment, it now stands at €746 million. The fine relates to alleged compliance failures in the company's collection, storage and use of user data.

While Amazon states that there has been no data breach, whistleblowers claim that the way it stores user data violates the GDPR.

 

While Amazon claims that there has been no data breach, whistleblowers who previously worked for the company as information security officers say that the way data is stored in Amazon's databases makes it impossible for the company to comply with Article 17 of the GDPR. Article 17 gives data subjects the right to have their personal data erased by the controller without undue delay, subject to the exceptions the Article lists. Allegedly, there is so little clarity about what data Amazon stores, where it is stored and who can access it that an erasure request cannot be fulfilled as Article 17 requires.
