The National Center for Personal Data Protection (NCPDP), for information and guidance purposes, reports on the administrative fine of EUR 250,000 imposed by the Polish Data Protection Authority on ID Finance Poland for a breach of the confidentiality principle applicable to personal data.
In the proceedings, the President of the Personal Data Protection Office (UODO) established that the breach occurred after one of the servers operated by the processor was restarted and the appropriate security configuration was not restored. The controller was notified of this by a cybersecurity specialist who detected the vulnerability and pointed to sample data that was publicly accessible. ID Finance Poland did not immediately check the identified vulnerabilities in the system and, as a result, a few days later the data was stolen from this server.
When imposing the fine, the UODO took into account the scale of the breach and the scope of the stolen data. In addition, because unencrypted passwords had also leaked, the data could be used to log in to customers’ accounts on other websites, if they had used the same login (e.g. e-mail address) and password there. In setting the amount of the fine, the Polish Data Protection Authority also took into account the controller’s delay in taking preventive measures. The amount of the fine should fulfil both a repressive and a preventive function: in the opinion of the authority, it should deter similar breaches in the future, both at the penalized company and at other controllers.
The NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework on personal data protection and to ensure that their personal data processing operations are in accordance with the legislation in force.