Case Study: Disabled antivirus and a 350,000 PLN fine for a GDPR violation
The disregard for antivirus software by a single employee highlighted critical IT infrastructure negligence across the entire company, contributing to a financial penalty of 350,000 PLN imposed on the enterprise.
Why did the President of the UODO punish the data controller?
At the end of last year, a company specializing in the sale of anti-burglary doors was fined over 350,000 PLN by the President of the Personal Data Protection Office (UODO).
The partner company was also penalized, though far less severely: the PUODO set its fine at nearly 10,000 PLN.
Violated regulations – the grounds for the GDPR penalty:
Art. 24(1), Art. 25(1), and Art. 32(1) and (2) of Regulation 2016/679
Art. 5(1)(f) of Regulation 2016/679
Art. 5(2) of Regulation 2016/679
Art. 28(1) of Regulation 2016/679
Art. 34(2) in conjunction with Art. 33(3)(c) and (d) of Regulation 2016/679
How did the data breach occur?
During the supervisory authority’s analysis of the case, it was revealed that the Controller had committed numerous failures: it did not keep the implemented security measures updated, did not conduct a risk analysis for its assets, did not control which employees were permitted to interfere with key safeguards, and, most importantly, did not notify the individuals affected by the data breach, because the potential consequences of the breach were downplayed.
One of the primary causes of the personal data breach was the disabling of the Controller’s licensed antivirus program by an employee. As a result of this incident – which should never have happened – processes initiating an encryption sequence were launched on the company server.
Cyber-negligence of the partner company
This breach might have been avoided if the Controller had approached cybersecurity matters appropriately, ensured that operating systems were updated beforehand, and revoked in a timely manner the user permissions that allowed interference with the system combining firewall and antivirus functions.
Today, antivirus software is an absolute foundation in building cybersecurity within organizations and one of the key elements for ensuring personal data protection.
Consequences of the ransomware attack
As a result of the ransomware attack, the company briefly lost access to the data of its clients and employees, both current and historical.
Sensitive data, such as PESEL numbers, residential addresses, and bank account numbers, were compromised.
The company downplayed the matter, arguing that “unknown perpetrators” carried out the attack solely for blackmail purposes, not for data theft. However, this argument did not convince the UODO, given that the owners failed to provide evidence proving that the data had not been “stolen.”
Furthermore, the enterprise did not properly manage the flow of information with the data processor, who failed to report vulnerabilities in the server security and ignored software updates. This also influenced the final amount of the GDPR fine.
Recommendations
Regular risk analysis
Risk analysis is the “analytical” foundation of security. To ensure safety, every company should conduct a regular and reliable risk analysis. The risk analysis team should consist of specialists from the relevant areas. Based on such an analysis, security measures (technical, physical, and organizational) adequate to the identified threats can be implemented.
Restricting employee permissions
The ability of employees to interfere with security measures should be restricted according to their scope of duties. Even the best safeguards are useless if an unaware employee disables them.
Monitoring partner entities – the controller is responsible for security
If we outsource the management of a specific area to an external company, we must place great importance on verifying its level of security. We must monitor whether the partner fulfills its duties and takes care of updates and data protection. This is yet another ruling in which, despite the evident fault of the processor, the controller is burdened with a significantly higher fine. You can read about another situation with a similar conclusion here:
In this case as well, the GDPR penalty was much more painful for the personal data controller.