


The Italian Data Protection Authority sanctioned a bank for a personal data breach that occurred in 2018


published on 22 March 2024 | reading time approx. 5 minutes


By order dated Feb. 8, 2024, the Italian Data Protection Authority issued a sanction order of 2.8 million Euro against a banking company ("Company" or "Bank").

The sanction followed an investigation the Authority opened after a personal data breach the Company suffered in October 2018. Specifically, between October 11 and 21, 2018, the Bank had been subjected to repeated attempts to access the online banking system used by the mobile web channel, culminating in a large-scale cyber-attack that led to the illicit acquisition of a large volume of customer data. As a result of the attack, the Bank decided to notify the breach pursuant to Article 33 of the Regulation, stating that:
  • the attack had been carried out by mass-submitting sequential codes and verifying which of them matched identification codes existing in the bank's system;
  • the breach involved more than seven hundred thousand login identification codes, 6,859 of which were blocked by the bank itself after the attackers had identified the corresponding passwords;
  • the data breached were first name, last name, social security number and bank ID, while no banking data were involved.

The Bank did not initially consider the breach to pose a high risk to the rights and freedoms of data subjects and communicated it only to the 6,859 customers whose passwords had been identified by the attackers; no direct communication was addressed to the other individuals involved, as the Company merely posted a notice on its website.

However, the Authority did not share this view and, by provision dated December 13, 2018, ordered the Bank to notify all those affected of the violation.

Further investigations carried out by the Bank also revealed that in the period between October 1 and 22, 2018 - the time frame in which the violation occurred - a Penetration Test of the Mobile Site system was underway. Its execution had been entrusted to an external company, acting as external data processor, which had in turn relied on a sub-processor without the Bank's prior authorization.
Moreover, on October 19, 2018, the supplier had detected some vulnerabilities, which were reported to the Bank only on October 22, 2018, after the breach had already occurred.

In view of these findings, the Authority initiated an investigation against the external company entrusted with the penetration test, during which it found that the security measures implemented by the Bank pursuant to Article 32 GDPR presented some critical issues, specifically that "the mobile banking portal, due to an 'application condition', made available within the HTML code, even in the event of unsuccessful authentication attempts, some personal data (first name, last name, tax code, NDG) of customers and former customers of Bank which, therefore, were susceptible to be freely consulted and acquired by anyone; no mechanism had been provided, as part of the computer authentication procedure of the users of the aforementioned portal, capable of effectively countering brute force attacks conducted through the use of the so-called bots (computer programs that access websites through the same channel used by human users, simulating their operation)."

As a result of the investigation, on February 5, 2020, the Authority notified the Bank of the start of the sanction proceedings, at the conclusion of which, four years later, the Authority charged the Company with violating Articles 5(1)(f) (principle of integrity and confidentiality) and 32 of the GDPR (failure to adopt adequate security measures), based on the following findings:
  • with regard to the fact that the mobile banking system made certain customers' personal data available even in the event of unsuccessful access attempts, the Bank had failed to adopt adequate technical measures to ensure that only authorized individuals - or the data subjects themselves - could access those data;
  • the Bank had adopted a computer authentication procedure - based on authentication credentials consisting only of a User ID and a PIN, both composed of 8 decimal digits - intended to thwart brute force attacks, which was in fact inadequate, especially considering that, at the time of the breach, the Bank had not adopted any technical measure to prevent data subjects from choosing simple PINs.
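The two deficiencies the Authority describes above (personal data embedded in the HTML of a failed login, and an 8-digit User ID / PIN scheme with no protection against bot-driven brute force or trivial PINs) can be illustrated with a minimal login handler. This is an added example, not the Bank's code or anything from the order: the customer records, PIN, attempt threshold and in-memory counter are all constructed and hypothetical.

```python
import hashlib
import hmac

# Constructed sample data (fake name, tax code and NDG); the real records are not on the page.
CUSTOMERS = {
    "12345678": {"name": "Mario Rossi", "tax_code": "RSSMRA80A01H501U", "ndg": "0001",
                 "pin_hash": hashlib.sha256(b"48213975").hexdigest()},
}
MAX_FAILED_ATTEMPTS = 5          # hypothetical lockout threshold
_failed = {}                     # hypothetical per-user-id failed attempt store

def _pin_ok(record, pin):
    return hmac.compare_digest(record["pin_hash"], hashlib.sha256(pin.encode()).hexdigest())

def vulnerable_login(user_id, pin):
    """Mirrors the finding: the HTML returned after a FAILED attempt still carries the
    customer's personal data, and an unknown id is answered differently from a wrong PIN,
    so sequential ids can be checked one by one without any limit."""
    record = CUSTOMERS.get(user_id)
    if record is None:
        return "<p>Unknown user</p>"
    if _pin_ok(record, pin):
        return f"<p>Welcome {record['name']}</p>"
    # the "application condition": data embedded regardless of the authentication outcome
    return (f"<div data-name='{record['name']}' data-cf='{record['tax_code']}' "
            f"data-ndg='{record['ndg']}'>Wrong PIN</div>")

def hardened_login(user_id, pin):
    """Same response for unknown id and wrong PIN, no personal data before a successful
    authentication, and a per-id failed-attempt lockout against bot brute force."""
    if _failed.get(user_id, 0) >= MAX_FAILED_ATTEMPTS:
        return "<p>Login failed</p>"
    record = CUSTOMERS.get(user_id)
    if record is not None and _pin_ok(record, pin):
        _failed.pop(user_id, None)
        return f"<p>Welcome {record['name']}</p>"
    _failed[user_id] = _failed.get(user_id, 0) + 1
    return "<p>Login failed</p>"

def is_weak_pin(pin):
    """Reject the trivial 8-digit PINs the order says the Bank did not block:
    wrong length or non-digits, a single repeated digit, or a straight ascending/descending run."""
    if len(pin) != 8 or not pin.isdigit():
        return True
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})
```

A per-id lockout on its own lets an attacker lock legitimate users out, so in practice it is paired with per-source rate limiting and a challenge step rather than used alone.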

Aside from the violations alleged and the reconstruction of the Bank's liability, the Provision under examination is undoubtedly of interest because of the timing of the sanction.

While it is true that the investigations carried out were technical and of considerable complexity, as the Authority itself specifies in the text of the order, it is equally true that about six years elapsed between the violation and the sanction, and as many as four years between the notification of the start of the sanction proceedings and the outcome of the case.

This aspect, although justified by the Authority, makes us wonder whether such a long time for issuing sanctions is compatible with the most basic principles of fair trial and whether, at this point, the rules of administrative procedure laid down by the Italian Data Protection Authority itself can still be considered valid.

DATA PROTECTION BITES

Authors: Flavia Salvatore (Avvocato, Associate); Chiara Benvenuto (Avvocato, Senior Associate)
