Poland’s Personal Data Protection Office (UODO) this week imposed a PLN 2.8 million (€645,000) fine on online retailer Morele.net for “insufficient organisational and technical safeguards”.
The data breach affected approximately 2.2 million customers who purchased products through one of the group’s nine websites.
The extent of the data breach
The leaked data included names, telephone numbers, email addresses and delivery addresses. For around 35,000 customers, additional information was also leaked: instalment-payment application data (including their Personal ID number), education, source of income and net income, household maintenance costs and marital status.
Scam SMS messages sent to customers
Morele.net became aware of the breach in November 2018, when customers reported receiving SMS messages telling them that an extra payment of PLN 1 was required to complete their order. The messages contained a link to a fake Dotpay electronic payment gateway, so the attackers were using the stolen order and contact data to make the fraud look legitimate.
Morele.net informed the police and UODO of the incident and attempted to resolve the issue by implementing additional security measures and contacting affected customers.
The penalty imposed by UODO
The President of UODO stated that Morele.net, “by not using sufficient technical means of data protection, violated, among others specified in art. 5 paragraph 1 letter f GDPR, the principle of confidentiality. As a result, unauthorised access to customer data occurred.” The authority found that an ineffective means of authenticating access to the data had been used.
Penetration testing is key
The authority’s finding centred on ineffective authentication of access to customer data, which is exactly the kind of weakness that regular penetration testing of its systems is intended to surface. Had such testing been in place and its findings acted on, Morele.net could have reduced the impact of this breach or avoided it altogether.
Penetration testing identifies weaknesses in an organisation’s systems and then exploits them, in a controlled way, to demonstrate how a criminal could infiltrate its systems, networks and applications. This shows the organisation exactly how effective its security controls are and which areas need improvement. A test is only a snapshot, however: it has to be repeated as systems change, and the weaknesses it finds have to be fixed and re-tested for it to provide any real protection.