An online retailer in Poland has received a hefty fine under the General Data Protection Regulation (GDPR) after failing to protect the data collected from 2.2 million customers through the company’s nine websites.
The European Union last year passed the General Data Protection Regulation, a law that makes organizations more responsible in collecting and processing their customers’ personal data. While not enforcing a particular set of technological tools and processes, the GDPR imposes a minimum threshold that organizations must consider to ensure compliance. For Polish retailer Morele.net, this was sadly not the case.
Morele.net reportedly became aware of a breach on its systems in November 2018, when customers reported receiving SMS messages demanding additional payments to complete an order. The SMS scam contained a link to a fake electronic payment gateway controlled by the hackers.
While Morele.net took steps to remedy the situation following the breach, Poland’s Personal Data Protection Office (UODO) this week decided to fine the company PLN 2.8 million, or €645,000 for “insufficient organizational and technical safeguards”.
The President of UODO stated that Morele.net, “by not using sufficient technical means of data protection, violated, among others specified in art. 5 paragraph 1 letter f GDPR, the principle of confidentiality.”
According to itgovernance.eu, for most of the affected customers, the leaked data included names, telephone numbers, email addresses and delivery addresses. Of the 2.2 million customers affected, 35,000 had additional information leaked, including their payment instalment information (including Personal ID number), education, source of income and net income, household maintenance costs and marital status, according to the report.
Starting with mid-2019, data protection authorities across the EU have switched from an educative stance to a more corrective attitude, dealing the first fines under the newly adopted regulation. Among the highest-reported penalties this year are those incurred by British Airways (205$ million euros), hotel chain Marriott (111 million euros) and Google (50 million euros).