The President of the Personal Data Protection Office (UODO) in Poland has re-assessed a significant data breach incident at Morele.net, resulting in a substantial fine of over €870,000. This decision comes after the Supreme Administrative Court (NSA) on February 9, 2023, overturned the initial penalty, prompting a fresh administrative investigation.
The investigation revealed that Morele.net failed to implement adequate technical protections, leading to the personal data leak of 2.2 million individuals. Although the NSA did not dispute the UODO President’s findings regarding the breach, it did challenge the authority’s competence to assess the technical and organizational measures taken by the data controller to protect personal data. The court suggested that UODO should have either appointed an expert or created an internal document detailing the analysis of the security standards applied by the company, to which the data controller could respond during the proceedings.
The UODO conducted a new administrative procedure, which again confirmed that Morele.net had insufficient technical safeguards in place relative to the existing risk of data protection infringement. The company also lacked appropriate procedures to respond to unusual behaviors, such as increased network traffic. These security lapses were highlighted in the “Analysis of security measures applied by Morele.net sp. z o.o.,” prepared by the supervisory authority to comply with the NSA’s verdict.
During the proceedings, UODO did not appoint an expert, and the company questioned the presented analysis, accusing its authors of bias and requesting their exclusion. However, the supervisory authority dismissed this claim, as it would effectively prevent any of its employees from dealing with the case due to the alleged partiality. The analysis showed that the administrator did not encrypt part of the data, lacked two-factor authentication, and did not conduct a risk analysis that would consider threats such as the possibility of logging into the system from a public network. Consequently, there were two instances of unauthorized external access, resulting in the unauthorized acquisition of customer data from Morele.net.
There was also a lack of technical and administrative solutions to monitor network traffic and respond to irregular activities. These findings suggest that the company was uncertain about the nature and extent of the data stolen from its resources. The administrator only implemented several of these solutions after the data leak. According to the UODO President, had these measures been in place earlier, the company could have detected unauthorized access attempts and taken actions to prevent data theft. The administrator admitted that the lack of appropriate implemented solutions was an oversight. The UODO President deemed the imposition of a financial penalty necessary and justified by the severity, nature, and scope of the violations attributed to the administrator. This decision marks the first instance where the guidelines of the European Data Protection Board on calculating administrative fines, adopted on May 24, 2023, were applied to determine the fine amount.
Source: Aktualności – UODO