Incidental safeguards review is not regular testing of technical measures
The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 1.9 million on Virgin Mobile Polska for the lack of implemented appropriate technical and organisational measures to ensure the security of the processed data.
UODO stated that the company infringed the principles of data confidentiality and accountability specified in the GDPR. Virgin Mobile did not carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were only undertaken when there were suspicions of vulnerability or in connection with organisational changes. Moreover, no tests were carried out to verify safeguards related to the transfer of data between applications related to the servicing of buyers of prepaid services. In addition, the vulnerability associated with data exchange in these systems was used by an unauthorised person to obtain data from some of the company’s clients.
In connection with a data breach, as a result of which an unauthorised person obtained customers data from one of the databases, the Supervisory Authority carried out the inspection at the company. As a result of the irregularities found, the authority instituted administrative proceedings finalised with the imposition of a fine.
In the course of the proceedings, the UODO disagreed with the controller which claimed to have tested and monitored the technical and organisational measures taken to ensure the security of personal data. The Supervisory Authority considered that these activities were neither regular nor comprehensive, as they were carried out incidentally and did not cover all the systems in which the data was processed.
In the course of the proceeding, it turned out that data exchange between applications in the IT system was to take place after verification of certain parameters from registration applications of prepaid services’ customers. The aim was for the programme to check whether the request for the transfer of the data had been received from the authorised entity. In practice, this verification did not work, and before its implementation the mechanism was not tested. However, vulnerability in this process (consisting in failure to verify the relevant parameters) was used by an unauthorised person to obtain the data. It was only after this incident that appropriate activities were undertaken regarding the repair of this functionality in the company’s IT system.
The Supervisory Authority considered that the implementation of a data processing system for use without proper validation of assumed parameters was a flagrant breach by the controller.
In imposing a fine, the UODO took into account that the breach committed by the operator was serious as it posed a high risk of adverse effects of legal remedies for a large number of persons (e.g. the risk of identity theft). It should be remembered that although unauthorised persons had short-term access to the systems, but sufficient to collect large amounts of data. Moreover, the breach itself was long-term, with the vulnerability of data leakage existining for a long time.
The Office also took into account mitigating circumstances, such as the good cooperation of the controller, the quick removal of the breach after its detection, but also the implementation of additional solutions to further improve the security of the data processed.
However, given the scale and gravity of the breaches, the UODO considered that it would be disproportionate to apply remedies other than an administrative fine. The fine is intended to prevent the company from committing similar negligence in the future.
The full text of the decision is available (in Polish) at: https://www.uodo.gov.pl/decyzje/DKN.5112.1.2020