23.06.2025

A solid risk analysis and control procedures would have prevented an incident. Administrative fine for Social

The temporary loss of data at the Social Welfare Centre would not have occurred if the risk analysis for natural persons' data had been carried out correctly.

The Social Welfare Centre in Aleksandrów was attacked by hackers in 2022. As a result, it lost access to the very detailed personal data of 1500 customers. Both the Mayor of Aleksandrów and the Social Welfare Centre notified the President of the Personal Data Protection Office of the incident. Notification is required by the legislation, but in this case the controller was reprimanded for the delay in notification: it did not fully comply with this obligation.

The President of the Personal Data Protection Office examined why the incident had occurred. The proceedings revealed that neither institution had sufficient safeguards for the data, whether technical or organisational. To make them aware of the seriousness of the infringement and the risk it poses, the President of the Personal Data Protection Office imposed a fine of PLN 5000 on the Social Welfare Centre in Aleksandrów and PLN 10 000 on the Mayor of Aleksandrów.

The problem was that although the Social Welfare Centre (data controller) and the Mayor (authority/processor acting on behalf of the controller) analysed the risk to the data of the data subjects, they did so insufficiently. They were aware that a ransomware attack was possible, and included it in the risk analysis, yet they ignored that risk and did not apply sufficient technical protective measures. The server ran an operating system that had lost the manufacturer's support two years before the incident. A back-up was meant to protect against a ransomware attack. However, the back-up was made on a network drive, so it was also encrypted as a result of the attack. Consequently, the lost data had to be recreated with the help of an external party.

At the same time, the Social Welfare Centre, which was the controller of the data, did not regularly check whether the Mayor was processing the data safely, which would have made it possible to detect these problems in the meantime.

Decision in Polish: DKN.5131.30.2022