After the Supreme Administrative Court (NSA) overturned, on February 9, 2023, the decision of the President of the Personal Data Protection Office (UODO) imposing a penalty on Morele.net, the supervisory authority re-conducted the administrative proceedings in this case. They showed that the personal data breach occurred because the company had failed to apply appropriate security measures, which led to the leak of the personal data of 2.2 million people.
As the spokesman for the Personal Data Protection Office stated, the Supreme Administrative Court did not question all of the findings of the President of the Personal Data Protection Office relating to this breach. However, it questioned the authority's competence to assess the technical and organizational measures used by the controller to secure personal data. According to the court, the authority should prove that it has the knowledge needed to conduct such a security analysis. The justification indicated that the President of the Personal Data Protection Office should have appointed an expert or drawn up an internal document setting out the conclusions of an analysis of the standard of the security measures used by the company, to which the controller could refer in the course of the proceedings.
“In connection with this, the Personal Data Protection Office again conducted administrative proceedings, which also showed that Morele.net applied technical safeguards insufficient for the existing risk of a data protection breach. There was also no implementation of appropriate procedures that would allow reacting to unusual behavior, such as increased network traffic,” we read in the statement.
It was added that the deficiencies in security were confirmed by the “Analysis of the measures used by Morele.net sp. z o.o. (…)”, prepared by the supervisory authority in connection with the need to comply with the Supreme Administrative Court's judgment.
It was explained that during the proceedings the President of the Personal Data Protection Office did not appoint an expert, and the party to the proceedings challenged the presented analysis, alleging, among other things, bias on the part of its authors and demanding their exclusion. The supervisory authority did not uphold this allegation during the proceedings, as doing so would de facto mean that no UODO employee could deal with this case because of the allegation of bias.
The controller did not encrypt some of the data
Meanwhile, the prepared analysis showed that the controller did not encrypt some of the data (which it admitted), did not have two-factor authentication, and did not conduct a risk analysis that would cover, among other things, the threats related to the possibility of logging into the system from a public network. As a result, unauthorized access from outside occurred twice, and an unauthorized person came into possession of Morele.net's customer data, the announcement emphasized.
According to the Personal Data Protection Office, there were also no technical and administrative solutions for monitoring network traffic and reacting when irregular activity was detected. This is confirmed by the finding that the company was not sure whether, and which, data had been stolen from its resources. The controller implemented a number of solutions in this area only after the data leak. In the assessment of the President of the Personal Data Protection Office, had it had them earlier, it would have been able to detect unauthorized access attempts and take action to prevent the data theft.
During the proceedings, the controller itself admitted that the failure to implement appropriate solutions was an error on its part.
The President of the Personal Data Protection Office decided that in this case the imposition of an administrative fine is necessary and justified by the gravity, nature and scope of the violations alleged against the controller, the announcement explained. (PAP)