Christmas hacking attack on Virgin Mobile Polska as an example of a personal data breach incident

The incident occurred on 18-22 December 2019.  According to the company's official statement, there was a hacking attack on one of Virgin Mobile Polska's applications, which enabled illegal access to users’ registration data, such as the first and last name, the PESEL number or the ID document number. The incident affected only those who used prepaid cards, who account for 12.5% of the mobile network’s users.

The company reacted immediately. On 25 December, they sent out text messages about the incident to those whose personal data had been hacked, advising them to be on the alert. Virgin Mobile Polska also informed the President of the PDPO and was going to report the crime to the prosecution service.

Such actions are in accordance with the procedures of the GDPR, Polish laws and Commission Regulation (EU) No 611/2013.

In this case, it is important to point out that telecommunications operators must report a breach to the President of the PDPO no later than 24 hours after its detection (if it is feasible). This time limit – shorter than the 72 hours stipulated in the GDPR – is set in Article 2(2) of Commission Regulation (EU) No 611/2013. In addition, the Regulation reads that in situations where a personal data breach is likely to have an unfavorable effect on the personal data or privacy of the mobile customer or an individual, it is necessary to notify the mobile customer (end user) immediately. 

Virgin Mobile Polska appears to have fulfilled its obligations under the above mentioned provisions.  However, this will ultimately be assessed by the President of the PDPO after the inspection.