Polish data protection authority issues €645,000 fine to online retailer

Poland’s Personal Data Protection Office (UODO) this week imposed a PLN 2.8 million (€645,000) fine on online retailer Morele.net for “insufficient organisational and technical safeguards”.

The data breach affected approximately 2.2 million customers who purchased products through one of the group’s nine websites.

 

The extent of the data breach

The leaked data included names, telephone numbers, email addresses and delivery addresses. 35,000 customers had additional information leaked, including their payment instalment information (including Personal ID number), education, source of income and net income, household maintenance costs and marital status. 

 

Scam SMS messages sent to customers

Morele.net was made aware of the scam in November 2018 when customers reported receiving SMS messages informing them that they needed to make an extra payment of PLN 1 to complete the order. The message contained a link to a fake Dotpay electronic payment gateway. 

Morele.net informed the police and UODO of the incident and attempted to resolve the issue by implementing additional security measures and contacting affected customers. 

 

The penalty imposed by UODO

The President of UODO stated that Morele.net, by not using sufficient technical means of data protection, violated, among others, the principle of confidentiality specified in art. 5 paragraph 1 letter f GDPR. As a result, unauthorized access to customer data occurred. The authority considered that an ineffective means of authenticating access to data had been used.

 

Penetration testing is key

Morele.net could have mitigated this data breach or avoided it altogether by conducting regular penetration tests of its systems. 

Penetration testing is designed to identify weaknesses in an organisation’s systems and exploit them. This demonstrates to an organisation exactly how a cyber criminal could infiltrate its systems, networks and applications, allowing the organisation to pinpoint how effective its security controls are and the areas that need improvement.

 
