INTRODUCTION
The Spanish Data Protection Authority, Agencia Española de Protección de Datos (AEPD), levied a €6.5 million ($7.1 million) fine against The Phone House Spain SL (TPHS), an electronics retailer, for breaching the General Data Protection Regulation (GDPR). The enforcement action, disclosed in a decision published in November, follows a significant data breach on 14 April 2021. TPHS reported a cyberattack that compromised the personal information of over 13 million individuals. The attackers accessed and downloaded a database containing the personal data of clients, former clients, suppliers and employees of the controller and published the information on a publicly accessible website. The personal data comprised names, ID numbers, postal addresses, email addresses, mobile numbers, nationality, sex, dates of birth and bank account numbers, as well as employment details of employees.
INVESTIGATION AND CONTROLLER’S CONTENTIONS
The controller contended that adequate measures were in place and that there was no way the attack could have been detected or prevented. The controller held that the technical expertise of the attackers was beyond anything it could have been expected to withstand. It submitted that there was no relationship between the alleged inadequacy and the data breach, since more robust measures could not have prevented the attack; hence no causal link could be established between the controller's conduct and the breach. The controller firmly positioned itself as a victim of the attack and argued that Article 5(1)(f) of the GDPR cannot be interpreted as an obligation to achieve a specific result.
The AEPD’s investigation highlighted serious deficiencies in TPHS’s cybersecurity measures. Specifically, the company lacked adequate procedures to regulate access to its network and failed to monitor internal network activity effectively. Moreover, the investigation revealed that TPHS did not implement sufficient technical and organizational safeguards to secure its systems, which are critical to mitigating the risks that come with maintaining large networks. These failures were determined to violate Article 32 of the GDPR, which requires entities to adopt security measures proportionate to the risks associated with the data processing.
Additionally, the AEPD determined that TPHS had also breached the principle of integrity and confidentiality under Article 5(1)(f) of the GDPR.
OFFICIAL HOLDING OF AEPD
The AEPD emphasized that a violation of Article 5(1)(f) occurs whenever a personal data breach takes place, regardless of whether it resulted from inadequate or absent security measures. The AEPD noted that, as a controller managing vast amounts of personal data concerning millions of individuals, The Phone House Spain SL was obliged to anticipate the risks and implement adequate safeguards to prevent such cyberattacks. The AEPD held that a Data Protection Impact Assessment conducted in 2018 had identified vulnerabilities in the controller’s security systems, and that these were the vulnerabilities exploited during the breach. Despite that awareness, the AEPD found, the controller failed to address them over a period of two years, indicating negligence on its part.
The AEPD ultimately imposed a fine of €4,000,000 for breaching Article 5(1)(f) of the GDPR, which concerns the principle of integrity and confidentiality. An additional €2,500,000 fine was imposed on the controller for failing to comply with Article 32 GDPR, which mandates appropriate security measures.
REGULATORY COMPLIANCES
Article 32 of the GDPR stands out among the Regulation's provisions as the one dealing explicitly with the “security of processing” of personal data. It requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The measures it lists include:
- The pseudonymization and encryption of personal data.
- Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Restoring the availability of and access to personal data promptly in the event of a physical or technical incident.
- Implementing a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures.
Article 5(1)(f) of the GDPR, by contrast, establishes the principle of integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures throughout processing.
India's Digital Personal Data Protection Act, 2023 (DPDPA) mirrors Article 32 within its own legislative text. Section 8(4) of the DPDPA provides that a Data Fiduciary shall implement appropriate technical and organizational measures to ensure effective observance of the provisions of the DPDPA and the rules made thereunder.
IMPORTANCE OF SECURITY MEASURES
Fines like the one imposed on TPHS highlight the critical necessity of adopting comprehensive cybersecurity measures and ensuring compliance with the GDPR. Such penalties serve as a stark reminder to organizations across the globe of the serious consequences of neglecting data protection responsibilities. The GDPR places significant emphasis on safeguarding personal data through technical and organizational measures proportionate to the risks. Failure to implement such measures, as demonstrated in the present case, not only results in financial penalties but also damages an organization's reputation and customer trust. In an era of increasing cyber threats, businesses must adopt proactive strategies such as conducting regular security audits, remediating identified vulnerabilities within a reasonable time, and deploying robust access controls and network monitoring. By enforcing stringent penalties, regulators aim to foster a culture of accountability and to prioritize the protection of individuals’ rights. This serves as a call to action for organizations to invest in their cybersecurity infrastructure and comply fully with GDPR standards to mitigate risks and secure sensitive information.
CONCLUSION
Such fines underscore the importance of robust cybersecurity practices and compliance with GDPR standards to protect personal data and prevent breaches. The decision also serves as a cautionary tale for organizations across the European Union, emphasizing the high stakes of failing to prioritize data protection in today’s threat landscape.
News of the week
1. US Authorities Investigate TP-Link Routers Amid Cybersecurity Concerns
US officials are evaluating a potential ban on TP-Link routers due to suspicions that they could be used in Chinese cyberattacks. The company, which dominates roughly 65% of the US market for home and small business routers, is under scrutiny by the Departments of Commerce, Defense, and Justice. The investigations began after US lawmakers urged the Biden administration to address concerns about the potential exploitation of TP-Link routers in cyber threats.
2. Russia-Linked APT29 Exploits Legitimate RDP Methodology in Cyber Attacks
The Russia-affiliated threat group APT29 has been detected using a legitimate red teaming tactic to execute cyber attacks through malicious Remote Desktop Protocol (RDP) configuration files. According to a report by Trend Micro, the group has targeted governments, military organizations, think tanks, academic researchers, and Ukrainian entities, employing a “rogue RDP” technique first documented by Black Hills Information Security in 2022.
https://thehackernews.com/2024/12/apt29-hackers-target-high-value-victims.html
3. Hacker IntelBroker Leaks Data from Cisco DevHub
Hacker IntelBroker claimed to have breached Cisco and accessed sensitive data, but Cisco confirmed that no system was compromised. Instead, the data was retrieved from its public-facing DevHub, where some files were unintentionally exposed due to a configuration error. Recently, 2.9 GB of allegedly stolen data, including source code and certificates for Cisco products such as Catalyst and WebEx, was leaked online. While IntelBroker claims to have downloaded up to 4.5 TB of data, these figures are likely exaggerated.
https://www.securityweek.com/hacker-leaks-cisco-data
4. Rhode Island’s RIBridges System Breached in Ransomware Attack
Rhode Island has reported a data breach in its RIBridges system, managed by Deloitte, after the Brain Cipher ransomware gang compromised its systems. RIBridges, an integrated eligibility system for public assistance programs, was hacked, potentially exposing residents’ personal information. The breach was discovered on December 5, 2024, and Deloitte’s evaluation suggests hackers likely accessed files containing sensitive data. On December 13, authorities were notified of the significant security threat to the system.
5. Netflix Fined $5 Million by Dutch DPA for Data Privacy Violations
Netflix has been fined $5 million by the Dutch Data Protection Authority (DPA) for non-compliance with European data protection regulations. The penalty stems from the company’s mishandling of customer data and violations of privacy laws. Reports suggest Netflix has repeatedly disregarded user rights, highlighting broader issues in its data management practices. This fine underscores the importance of adhering to strict data protection standards in the European Union.
6. EDPB Report Considers Use of Personal Data in AI Training
The European Data Protection Board (EDPB) released a report addressing the complexities of AI model development, suggesting potential allowances for using personal data without consent for training, provided the final AI application does not expose private information. This acknowledges that training data doesn’t directly translate to user-facing outputs. The report, requested by the Irish Data Protection Authority (DPA), aims to promote regulatory harmonization across Europe.
7. Meta Fined €251 Million by Irish DPC for Facebook Data Breach
The Irish Data Protection Commission (DPC) has fined Meta €251 million for violating the EU’s GDPR after a Facebook security breach exposed personal data of nearly three million users in the European Economic Area. The breach, caused by a design flaw allowing unauthorized access to profiles, occurred in 2017 but was only fixed in 2018. Meta, criticized for insufficient breach notification, plans to appeal. This marks the DPC’s third major fine under GDPR in 2024.
8. GIFT City Achieves ISO 27001 Certification for Information Security
Gujarat International Finance Tec-City (GIFT City), India’s first operational smart city and International Financial Services Centre (IFSC), has earned the esteemed ISO 27001 certification. This recognition underscores GIFT City’s dedication to safeguarding data through robust information security management systems (ISMS). The certification reflects its commitment to maintaining world-class standards in ensuring the confidentiality, integrity, and availability of critical information.
9. Infosys Becomes First India-Based Company to Secure BCR Approval
Infosys Ltd, a global leader in digital services and consulting, announced on December 19, 2024, that it has obtained regulatory approval for its Binding Corporate Rules (BCR) from Germany’s Hesse Data Protection Authority, endorsed by the European Data Protection Board. This certification enables compliant international data transfers across its group companies, making Infosys the first India-headquartered company to achieve this significant milestone.
10. Stairwell Introduces Core Platform for Enhanced Malware Detection
Stairwell, a cybersecurity platform focused on data search, has launched Stairwell Core, a tool enabling organizations to privately collect, store, and continually analyze executable files. This platform helps identify potential malware threats with high-confidence results, reducing noise and enabling faster decision-making and response times. Core serves as an accessible gateway into the Stairwell ecosystem, empowering organizations to enhance their malware detection and response capabilities effectively.