18,000 euro fine after ransomware attack affecting employees and former employees
What happened in the security breach?
The Spanish Data Protection Agency (AEPD) has fined a company in the telecommunications sector 18,000 euros following a serious security breach that compromised personal data of employees and former employees of several companies linked to its activity. The incident, which occurred in September 2023, was a ransomware attack that encrypted corporate systems and allowed the exfiltration of sensitive information.
Liability of the company and relationship with other companies
Initially, the company described itself to the AEPD as a business group made up of several companies. It subsequently corrected this description, specifying that what actually existed was a contract for the provision of services between itself and the other affected entities. This distinction played an important role in the assessment of liability, because it meant the sanctioned company acted as a data controller in relation to its own employees and as a data processor in relation to the employees of the other companies.
Compromised data and serious security breaches
The compromised data included first name, last name, address, telephone number, email address, ID card number and, in some cases, financial information contained in payrolls. The investigation revealed serious weaknesses in system security: a generic VPN user with outdated credentials was still active, there was no limit on authentication attempts, the domain controller was running on obsolete equipment, and remote access had no strong authentication mechanism. These shortcomings facilitated the intrusion and showed a lack of adequate technical and organizational measures to protect personal data from unauthorized access.
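Two of the weaknesses listed above, an active generic account with stale credentials and no limit on authentication attempts, are the kind of thing a routine audit and a simple log-based detection would catch. The following is an added example written for this page, not code from the AEPD resolution or from the sanctioned company: it assumes a hypothetical account inventory and a hypothetical VPN authentication log format (both constructed inline), flags enabled accounts that look generic, have a password older than 90 days or lack MFA, and raises an alert when a user/source pair exceeds a failure threshold inside a sliding window, noting whether a successful login followed the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed account inventory (hypothetical; not from the AEPD resolution).
ACCOUNTS = [
    {"name": "vpn-generic", "enabled": True,  "password_changed": "2021-02-10", "mfa": False},
    {"name": "j.perez",     "enabled": True,  "password_changed": "2023-08-01", "mfa": True},
    {"name": "old-admin",   "enabled": False, "password_changed": "2019-05-05", "mfa": False},
]

# Constructed VPN authentication log (hypothetical format: ISO timestamp, result, user, source IP).
LOG_LINES = """\
2023-09-12T02:00:01 FAIL user=vpn-generic src=203.0.113.7
2023-09-12T02:00:03 FAIL user=vpn-generic src=203.0.113.7
2023-09-12T02:00:05 FAIL user=vpn-generic src=203.0.113.7
2023-09-12T02:00:08 FAIL user=vpn-generic src=203.0.113.7
2023-09-12T02:00:11 FAIL user=vpn-generic src=203.0.113.7
2023-09-12T02:00:14 FAIL user=vpn-generic src=203.0.113.7
2023-09-12T02:00:20 OK   user=vpn-generic src=203.0.113.7
2023-09-12T09:15:00 FAIL user=j.perez src=198.51.100.4
2023-09-12T10:40:00 OK   user=j.perez src=198.51.100.4
"""

AUDIT_DATE = datetime(2023, 9, 12)          # date the audit is run (assumed)
MAX_PASSWORD_AGE = timedelta(days=90)       # policy value (assumed)
GENERIC_MARKERS = ("generic", "shared", "vpn", "test", "admin")


def audit_accounts(accounts, today):
    """Return [(account_name, [reasons])] for enabled accounts that violate policy."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used for remote access
        age = today - datetime.fromisoformat(acct["password_changed"])
        reasons = []
        if any(marker in acct["name"].lower() for marker in GENERIC_MARKERS):
            reasons.append("generic/shared account name")
        if age > MAX_PASSWORD_AGE:
            reasons.append(f"password age {age.days} days exceeds policy")
        if not acct["mfa"]:
            reasons.append("no MFA enrolled")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings


def parse_line(line):
    """Split one log line into (timestamp, result, user, source_ip)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert on (user, src) pairs with >= threshold failures inside a sliding window.
    The alert records the peak failure count and whether a login succeeded afterwards."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = {}
    for line in lines.splitlines():
        ts, result, user, src = parse_line(line)
        key = (user, src)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(key, {"failures": 0, "success_after": False})
                entry["failures"] = len(q)
        elif result == "OK" and key in alerts:
            entry = alerts[key]
            entry["success_after"] = True  # burst of failures then success: likely compromise
    return alerts


if __name__ == "__main__":
    for name, reasons in audit_accounts(ACCOUNTS, AUDIT_DATE):
        print(f"account {name}: " + "; ".join(reasons))
    for (user, src), info in detect_bruteforce(LOG_LINES).items():
        print(f"brute force: user={user} src={src} failures={info['failures']} "
              f"success_after={info['success_after']}")
```

The account audit is a detective control; the preventive counterparts are disabling or renaming the generic account, enforcing password rotation and MFA on the VPN profile, and configuring a lockout or rate limit on the VPN or directory so that the failure burst above is impossible in the first place.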
Infringement of the GDPR and applied penalty
The Agency concluded that the principle of integrity and confidentiality set out in Article 5(1)(f) of the GDPR had been infringed, both in the processing carried out as data controller and in the processing in which the company acted as processor. The initial penalty was 30,000 euros, reduced to 18,000 euros (a 40% reduction) after the company acknowledged liability and made voluntary early payment.
Lessons to ensure the protection of personal data
The resolution shows that it is not enough to have processing contracts or security clauses on paper; the measures committed to must actually be implemented and kept effective. Protecting personal data requires investment in up-to-date systems, robust access controls (including strong authentication for remote access) and incident response plans, as well as an organizational culture in which the security of personal data is part of the corporate strategy.
