


Polish Personal Data Protection Office slaps the third and the biggest fine so far – what does it mean?


The website uodo.gov.pl has recently published a decision of the President of the Polish Personal Data Protection Office imposing a fine on Morele.net sp. z o.o. for insufficient organisational and technical security measures. The President imposed a fine of more than 2,830,410 zloty (about EUR 660,000), which has resonated across the media.


In the case in question, about a year ago an unknown group obtained, by a method that has not been established, unauthorised access to the data of 2.2 million customers of Morele.net: first name, last name, phone number, e-mail address and shipping address. Of that large number, about 35 thousand customers also had the following stolen: Polish personal identification numbers (PESEL), personal ID card numbers, information about education, permanent address, correspondence address, income source, net income, household upkeep costs, marital status, and loan or alimony liabilities. The unauthorised access occurred at least twice, provoking a strong reaction from the data protection authority.


The inspectors found that Morele.net processed loan applications without a legal basis, while the company's representatives claimed that they did not know that such applications were processed in their systems. The company also kept unnecessary copies of documents delivered by customers who applied for payment in instalments. About 600 company employees had access to the data of more than two million customers. This demonstrates the scale of the problem and the issue of "accountability". The data protection authority also found that the company had not conducted a data protection risk analysis, but only a partial and informal assessment of its processes. In the decision, the data protection watchdog referred to recognised information security standards, such as ISO 27001:2017.


The European Network and Information Security Agency (ENISA) publishes guidelines on the security of personal data processing, in which it recommends two-factor authentication for access control and authentication in personal data systems. The President of the Personal Data Protection Office emphasised that the guidelines had been issued back in mid-2016, and that the failure to follow them may have resulted from the missing risk analysis of the personal data processing systems.


ENISA is not the only organisation which deals with good practices or security standards on the market. In his decision the President wrote “The OWASP Foundation, an international non-profit organisation which develops and promotes good practices for software developers, presented in its “OWASP Top 10 – 2017” report a list of the biggest threats to online applications along with the prevention methods. One of them is the breach of an authentication measure (usually single-factor). Multi-factor authentication is the recommended method to significantly reduce the risk of security breach”. The OWASP Foundation provides documents and tools that help develop and test software in a secure way (importantly, everything is made available for free).


Their website includes documents such as the OWASP Application Security Verification Standard (ASVS) Project (for software developers, leaders and project managers) and the "OWASP Testing Guide v4" (for Quality Assurance teams, manual testers and security testers), along with a lot of other helpful material. Writing and maintaining secure software fits the SSDLC (Secure Software Development Lifecycle), which OWASP has been promoting since its inception in December 2001. Almost 20 years have passed and good practices are still ignored. No wonder the President of the Polish Personal Data Protection Office emphasised that it was high time to make use of that knowledge.


Another charge raised by the authority was the lack of effective monitoring and incident response measures. The volume of data stolen by the attackers was so large that it took 8 days to transmit it. So the company could see that somebody was siphoning a lot of data out of its network, but it did not know how to respond to such unusual network behaviour. Moreover, Morele.net was accused of ignoring customers' reports of data leaks, which later contributed to attempts at defrauding the customers harmed by the breach: the criminals set up a fake electronic payment gateway to extort money.
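An eight-day transfer is exactly the kind of event that routine egress monitoring exists to catch: the point is not a clever signature but a baseline per host and an alert when outbound volume stays far above it for more than a day. The block below is an added example, not code from the case or from Morele.net; it runs over constructed daily flow summaries (the hosts, addresses and byte counts are invented for the illustration) and flags a host whose daily egress exceeds ten times its median baseline on two consecutive days, naming the destination that received most of it. A single-day spike, which could be a legitimate backup, is deliberately not enough to alert.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries for the example (not real traffic): one line per
# outbound connection per day with the bytes sent from the internal host.
SAMPLE_FLOWS = """\
2018-11-01 src=10.0.5.21 dst=203.0.113.7 bytes_out=120000
2018-11-01 src=10.0.5.21 dst=198.51.100.9 bytes_out=95000
2018-11-02 src=10.0.5.21 dst=203.0.113.7 bytes_out=110000
2018-11-03 src=10.0.5.21 dst=198.51.100.9 bytes_out=130000
2018-11-04 src=10.0.5.21 dst=203.0.113.7 bytes_out=100000
2018-11-05 src=10.0.5.21 dst=192.0.2.44 bytes_out=4800000000
2018-11-06 src=10.0.5.21 dst=192.0.2.44 bytes_out=5100000000
2018-11-07 src=10.0.5.21 dst=192.0.2.44 bytes_out=4900000000
2018-11-01 src=10.0.5.30 dst=203.0.113.7 bytes_out=2000000
2018-11-02 src=10.0.5.30 dst=203.0.113.7 bytes_out=2100000
2018-11-03 src=10.0.5.30 dst=203.0.113.7 bytes_out=1950000
2018-11-04 src=10.0.5.30 dst=203.0.113.7 bytes_out=1900000
2018-11-05 src=10.0.5.30 dst=203.0.113.7 bytes_out=2050000
2018-11-06 src=10.0.5.30 dst=203.0.113.7 bytes_out=30000000
2018-11-07 src=10.0.5.30 dst=203.0.113.7 bytes_out=2100000
"""


def parse_flows(text):
    """Parse 'date src=.. dst=.. bytes_out=..' lines into (date, src, dst, bytes)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rows.append((date, rec["src"], rec["dst"], int(rec["bytes_out"])))
    return rows


def aggregate(rows):
    """Return src -> date -> total bytes and src -> date -> dst -> bytes."""
    per_day = defaultdict(lambda: defaultdict(int))
    per_dst = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for date, src, dst, nbytes in rows:
        per_day[src][date] += nbytes
        per_dst[src][date][dst] += nbytes
    return per_day, per_dst


def find_sustained_egress(rows, baseline_days=4, factor=10, min_consecutive=2):
    """Alert on hosts whose daily egress exceeds factor x their median baseline
    for min_consecutive days in a row.  The median (not the mean) is used so a
    single unusual day inside the baseline does not inflate the threshold."""
    per_day, per_dst = aggregate(rows)
    alerts = []
    for src, by_day in per_day.items():
        days = sorted(by_day)
        if len(days) <= baseline_days:
            continue  # not enough history to judge
        baseline = statistics.median(by_day[d] for d in days[:baseline_days])
        threshold = baseline * factor
        run = []
        for day in days[baseline_days:]:
            run = run + [day] if by_day[day] > threshold else []
            if len(run) == min_consecutive:  # fires once per sustained run
                dst_totals = defaultdict(int)
                for d in run:
                    for dst, b in per_dst[src][d].items():
                        dst_totals[dst] += b
                alerts.append({
                    "src": src,
                    "since": run[0],
                    "baseline_bytes": baseline,
                    "threshold_bytes": threshold,
                    "top_dst": max(dst_totals, key=dst_totals.get),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_sustained_egress(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The thresholds are illustrative; what matters operationally is that the alert names a host, a start date and a destination, so the on-call engineer has something to act on (block the destination, isolate the host, open an incident) rather than an unexplained bandwidth graph.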


All this painted a grim picture of Morele.net's approach to data security. It suggests that the company may not have been ready for the challenges of online commerce. Our daily audit work often shows that businesses are unaware of physical security threats, let alone cybersecurity threats.


Importantly, Morele.net was not punished for what happened after the data leak, but for gross negligence in data protection leading to the cyberattack, and for its lack of awareness of which data were processed in the company and for how long. As the company cooperated with the President of the Polish Personal Data Protection Office, the fine was reduced to just over 1 zloty for each stolen record. Given the General Data Protection Regulation's (GDPR) provisions that make the penalty amount dependent on the company's annual turnover, that fine is rather nominal.


More than a year has passed since the GDPR came into force, but there is still a lot left to be desired.

Contact: Adam Wódz, Rödl & Partner Poland
