During the server restart, the settings of the software responsible for the server's security were reset, as a result of which the personal data on the server was publicly available.

The company does not apply the approved codes of conduct pursuant to Art. 40 of the Regulation 2016/679 or approved certification mechanisms pursuant to Art. 42 of the Regulation 2016/679

Good cooperation on the part of the Company, which sent explanations and provided comprehensive answers within the prescribed period

It should be emphasized that in relation to the above-mentioned of persons, there is still a high risk of unlawful use of their personal data, as the purpose for which the person or unauthorized persons took action resulting in the infringement of personal data protection is unknown. Data subjects may therefore suffer material damage, and the very breach of data confidentiality is also non-pecuniary damage (harm). The data subject may at least feel the fear of losing control of their personal data, of identity theft or identity fraud, or of financial loss.

a breach of personal data protection in the form of stealing customer information from its database

name and surname, level of education, e - mail address, employment data, e-mail address of the person whose loan the client wants to recommend, personal data regarding earnings, data on marital status, telephone number (landline, mobile, previously used telephone number), PESEL number, nationality, NIP number, password (mistakenly, as indicated by the Company, stored in open text), place of birth, correspondence address, registered address , telephone number to the place of work and bank account number

personal data of 218,657 people were processed

The unauthorized data collection was confirmed, the scale of the breach was determined and remedial actions were taken, i.e. the correct configuration of the server was restored (port closure) and the passwords of the moneyman.pl users were reset.

in order to remedy the breach and minimize the negative impact on data subjects, customers and potential customers had been informed that their login passwords had been reset. In order to minimize the risk of recurrence of the breach, e.g. firewall operation has been restored.

the personal data on the server was publicly available

ID Finance Poland Sp. z o.o. in liquidation with its seat in Warsaw at ul. Hrubieszowska 6A

the diligence with which the controller acts after a cyber-attack of these characteristics matters

not to impose a penalty in the form of an administrative fine and to replace it with the penalty of a warning under Article 76. 3 of the LOPDGDD in relation to Article 58.2 b) of the RGPD.

in view of the diligence carried out by VOX with regard to the prompt communication of the security violation to this Spanish Data Protection Agency, as well as the initiation of actions aimed at minimizing the negative consequences of the aforementioned security violation, and as indicated in proven facts six and seven of this resolution, which show that following the security incident and the reports commissioned by the security experts, the entity has remedied the vulnerabilities identified and the level of security has been improved

Contrary to what VOX indicates in its allegations to the agreement of initiation, this Agency is not considering the personal data subject to the security breach as ideological data that deserve to be subsumed under the umbrella of Art. 9 of the RGPD which, under the heading "Special categories of data", includes as such personal data that reveal (...), political opinions (...), but the type of data that has been exposed and the specific type of exposure, i.e., on the Internet, reveals a certain risk that must be taken into account, as indicated below. The data in question is related to the subscription to a newsletter on the activity of the political party, and that, although it does not necessarily imply data of an ideological nature, the public exposure of this information through the Internet may give rise to certain combinations with other information - also published on the Internet or by other sources, such as comments on social networks, participation in forums, monitoring of certain user profiles on social networks, etc., - and place its headlines in a certain position in that sense. On the possibility of combining information on a holder of personal data, we can mention Opinion 4/2007 of the Article 29 Working Party, "On the concept of personal data" which, although it analyses the possibilities of identifying someone through combinations with other information, is very clear when we refer to the risk of attributing a certain political ideology, starting only from the data of a subscriber to the information of that party, and combining it with another. In particular, it indicates the following: (...)when we speak of "indirectly" identified or identifiable, we are generally referring to the phenomenon of "unique combinations", be they small or large. In cases where, at first sight, the available identifiers do not make it possible to single out a particular person, that person may still be 'identifiable', because that information combined with other data (whether or not the data controller is aware of them) will make it possible to distinguish that person from others. This is where the Directive refers to "one or more specific elements characteristic of their physical, physiological, mental, economic, cultural or social identity". Some of these characteristics are so unique that they make it possible to identify a person effortlessly (the "current Prime Minister of Spain"), but a combination of details belonging to different categories (age, regional origin, etc.) can also be conclusive enough in some circumstances, especially if one has access to additional information of a certain kind. This phenomenon has been extensively studied by statisticians, always ready to avoid any breach of confidentiality (...) Thus, the different pieces that make up the personality of the individual are brought together in order to attribute to him/her certain decisions (...) As indicated above, in this case, a search on the Internet, for example, of the name, surname or e-mail address of one of the affected parties may offer results that, combined with the subscription to receive news about the activity of the political party, i.e. those who have been the object of the security breach, reveal to us a certain political ideology, the revelation of which does not have to have been consented to by the owner. This possibility entails a risk that must be assessed when processing certain data with this characteristic and which increases the demand for the degree of protection in relation to the security and safeguarding of the integrity and confidentiality of these data. This risk must be taken into account by the controller and, on the basis of this risk, measures must be established which would have prevented the controller from losing control of the data and, therefore, of the holders of the data who provided them to the controller.

From the actions carried out, it has been verified that the security measures that the investigated entity had in place in relation to the data it was processing, were not adequate at the time of the data breach, since, according to the report provided (...) several serious confirmed vulnerabilities were found that must be corrected and that in general have to do with the validation of the input parameters, and that must be corrected as soon as possible (...)

This possibility is a risk

may use that information to harass within the game and even in real life (even minors, who are many who play habitually)

specific points what makes them known, where they work, etc., for this reason providing data about a player gives information to know what natural person he is.

high risk of violating the rights or freedoms of natural persons to whom the data relates

numerous unlawful processing of data related to marketing activities

27 million and 800 thousand euros

passengers' names, contact details, address details, identity cards and passport numbers, booking and travel, destination, accommodation and contracting related data

Articles 5, 24, 25 and 32 Regulation (EU) 2016/679

it can be mentioned, as a mitigating factor, that FB employees have been educated about information security and that a written information security policy has been prepared with procedures for the handling of personal information.

As described above, this was information about the well-being, learning outcomes and social conditions of 18 undergraduate students. To a large extent, the information related to something that was lacking in them and in one case that the child welfare authorities had interfered with the person concerned. This included health information, but according to point 3 (b). Article 3 Act no. 90/2018, such information, both in terms of physical and mental health, is considered to be sensitive.

It is clear that FB reported the security breach immediately after it emerged. The school has also responded well to the Privacy Policy's requests for clarification and information within the time limits that have been granted.

Therefore, there should have been measures in place that would have prevented the security breach in question. However, from the evidence of the case it will be assumed that they were not present.

both by e-mail and by telephone

it is important that almost immediately after the security breach was sent the teacher in question send a message to all recipients, that they should delete the data they had received incorrectly

it is clear that this was not processing for unlawful purposes but human error

this is not a long-term violation but a unique case

It is clear that the security breach in question involved a significant reduction in the privacy rights of the students concerned in the light of the nature of the personal information in question.

This case concerns the processing of personal information by the educational institution.

attachment containing the sensitive personal information had been sent to 20 students and 37 guardians, in addition to which the sender had also sent a copy to himself

Risk assessments and safeguards will be reviewed regularly.

All staff of the school involved in the processing of personal information have been instructed on security breaches and presentation of the procedures.

educational lectures for most staff

FB has formulated an internal privacy policy which provides procedures for the processing of personal data for employees

that FB contacted the guardians of the students in question on August 16, 2019, both by e-mail and by telephone

the students' well-being, learning outcomes and social conditions were taken into account. To a large extent, the information related to something that was lacking in them and in one case to the fact that the child protection authorities had interfered with the person in question. Then, in one case, there was information about mental health and in another case physical health.

by mistake

emailed to unauthorized parties

sensitive information about interviews with students

also in consideration of the invasiveness of the contested treatment with respect to the fundamental rights of the interested parties

it is noted that, as is clear from the documentation acquired during the preliminary investigation, the University limited itself to accepting the design choices of the company that provided the whistleblowing application which did not provide for the encryption of personal data

Therefore, considering the permanent nature of the offense, which is, moreover, of an omissive nature, the applicable discipline must be identified with reference to that in force at the date of completion of the case, to be recognized precisely at the time of the cessation of the conduct, which occurred after the aforementioned date of 12 December. 2018, when both the aforementioned Regulation and the internal adjustment regulations (Legislative Decree 101 of 2018) already applied.

dispute relating to the "failure to comply with current and more specific rules to ensure the protection of rights and freedoms with regard to the processing of employees' personal data in the context of employment relationships

the University has notified the "dispersion of common personal data (name, e-mail address) relating to 2 whistleblowers via the whistleblowing platform (provided by Agic Technology srl) on search engines"

art. 5, par. 1, lett. a) of the Regulations

have involved the InfoSapienza Center for the suspension of the whistleblowing application and the cancellation from some search engines of the cached copies of the web pages containing these data

have communicated the violation of personal data to the two interested parties

the personal data […] affected by the data breach were the following: name; surname; structure / seat; phone; e-mail; reporting date

The GDPR does not prevent an organisation from implementing third party scripts. Rather, the GDPR requires that each organisation assess the risks arising in the circumstances of their own implementation and put controls in place to protect the personal data that it processes. Ticketmaster has shown very limited knowledge at the date of the Incident of the risk of implementing third party scripts into a payment page, despite it being widely known and documented at that time. A fortiori, Ticketmaster has not evidenced that it deployed appropriate and proportionate controls to manage this risk.

Despite the notifications by, amongst others, Monzo and Commonwealth Bank of Australia of possible fraud involving the Ticketmaster website, the integrity of the chat bot was not initially checked, assessed or otherwise tested to ensure that it has not been compromised. Indeed, it took Ticketmaster approximately nine weeks from the date of Monzo's notification of possible fraud involving the Ticketmaster website for Ticketmaster to run a payment through its payment page and monitor the network traffic thereon.

the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons

unauthorised or unlawful processing and against accidental loss, destruction or damage

failed to comply with its obligations under Article 5(1)(f) and Article 32 GDPR

By 28 June 2018, all potentially impacted data subjects were emailed to inform them of the Personal Data Breach.

Ticketmaster have been unable to provide the Commissioner with a breakdown of the individuals affected during the period from 25 May 2018 to 23 June 2018.

customer's personal data that was the subject of the breach included "name, address, email address, full credit card number, C VV, and Ticketmaster username and password"

Further, Ticketmaster stated: "As part of Ticketmaster's GDPR readiness programme, Ticketmaster invested £2.5 million on an internal privacy portal to deal with data subject rights issues, including complaints.e"

It was because of Ticketmaster's business decision to include the chat bot on its payment page that the chat bot was able to unlawfully process the personal data of customers. An attacker directed its attack at the Inbenta servers and inserted malicious code into the JavaScript for the chat bot.

Because Ticketmaster included the chat bot on its payment page, the personal data scraped by the malicious code included financial data such as names, payment card numbers, expiry dated and CVV numbers.

On 22 June 2018 at 8.53pm, Ticketmaster received a notification from Barclaycard regarding around 37,000 instances of known fraud. As set out below, this is the date from which Ticketmaster has stated that it had knowledge of the Personal Data Breach in its personal data breach reports submitted to the Commissioner.

Ticketmaster has received approximately 997 complaints alleging financial loss and/or emotional distress.

On or around 5 May 2018, Ticketmaster engaged four third party forensics firms (together "the Incident Response Team") to investigate the Australia Event and any data breach and subsequent fraud.

On 1 May 2018, the Commonwealth Bank of Australia provided Ticketmaster with data concerning 1,756 MasterCard users who had been victims of fraud and who had all transacted on Ticketmaster's Australian website.

criteria

the breach or potential breach

the infringements constitute a serious failure to comply with the GDPR and, accordingly, that the imposition of a penalty is appropriate

unauthorised or unlawful processing and against accidental loss, destruction or damage

Monzo Bank have advised that around 6,000 cards have had to be replaced in relation to Ticketmaster transaction fraud.

Barclays Bank have advised that around 60,000 individual card details had been compromised.

9.4 million EEA data subjects were notified as having been potentially affected

an incident from 25 May 2018 to 23 June 2018, affecting personal data processed by Ticketmaster during that period (the "Incident")

The university hospital has thus not taken appropriate organisational measures, in accordance with Article 32 of the General Data Protection Regulation, to limit users' access to personal data of patients in the medical record system.

it is a question of very large data collections with sensitive personal data and wide-ranging permissions.

in breach of Article 5(1)(f) and 5(2) and Article 32(1) and (2)

This in turn has meant that there has been a risk of unauthorised access and unwarranted dissemination of personal data in the context of the internal confidentiality, on the one hand, and in the context of the single file management, on the other.

At the time of the inspection, Karolinska University Hospital was unable to present any needs and risk analysis.

negative consequences for data subjects

The data also concern people who are in a situation of dependency when they are in need of care.

sensitive personal data

Both the data collections size as the number of people sharing information with each other has increased significantly.

This means that users at Karolinska University Hospital technically have access also to information on patients at SLSO within the internal confidentiality, and vice versa.

In the policy document "Decision on the allocation of competences"

Following the inspection, Karolinska University Hospital has begun work to ensure that needs and risk assessments are carried out throughout the organization. Among other things, a needs and risk analysis has been carried out for the Perioperative Medicine and Intensive Care function in accordance with Karolinska University Hospital Guidelines.

The template for needs and risk analyses available in Karolinska University Hospital's guidelines are not filled in regularly.

1 970 000 patient records are registered on, and de facto patients at, Karolinska University Hospital

hospital had started work on an action plan and a needs and risk analysis.

Previous review of Karolinska University Hospital's authorisation management The Swedish Data Protection Authority has previously conducted an inspection of Karolinska University Hospital's access control etc. By the Data Inspectorate Decision 920-2012, notified on 26 August 2013, states that Karolinska University Hospital was instructed, among other things, to carry out a needs and risk analysis as a basis for assigning authorisations in TakeCare.

The University Hospital has not taken measures to ensure and be able to demonstrate adequate security for personal data.

does not have limited user permissions for accessing the medical record system TakeCare to what is needed only for the user to be able to carry out their duties

These measures are regarding authentication not appropriate because they cannot provide an adequate level of protection for gaining access to the application.

In determining the risk to the data subject include the nature of the personal data and the nature of processing matters: these factors determine the potential harm to the individual data subject in the event of, for example, loss, modification or unlawful processing of the data.

the UWV in the employer portal processes personal data, including special personal data. This includes NAWdata, citizen service number, financial data and data on disability, dismissal and childbirth.

The UWV has in determining the confidence level the fact that the employer portal only contains health data processes related to reporting sick or the fact that someone is pregnant. The nature of the sick report is not processed.

In the employer portal, the UWV processes, among other things, personal data relating to the employee health.

Implementation Institute Employers' insurance (hereinafter: the UWV)

company CARREFOUR FRANCE

The rapporteur criticises the company for not having put in place the necessary measures to protect the personal data it processes after becoming aware of the existence of a vulnerability on its website.

no sensitive data were concerned by the processing operations.

With regard to the degree of cooperation with the supervisory authority, the restricted session noted the company's perfect cooperation, both in facilitating the CNIL's investigations and in taking into account the rapporteur's observations, even before the restricted session's decision. It also notes that the company complied with the rapporteur's legal analysis of all the shortcomings noted, even in cases where a difference of opinion remained.

With regard to the nature, seriousness and duration of the breach, it considers that this criterion is particularly characterized for several breaches, in particular those relating to the duration of the storage of personal data, the modalities of exercising rights and the deposit of cookies.

Accordingly, the restricted session considers that the failure to implement mandatory pre-authentication following the discovery of the vulnerability - when this measure had been identified and is the only measure to completely prevent the risk - constitutes a breach of section 32 of the Regulation.

To address this vulnerability, the company decided to develop two measures

the change in these practices since the notification of the sanction report

company for having kept for a period of one to six years the identity documents communicated to it by the persons concerned in the context of the exercise of a right. He considers that this period is excessive, as the data is kept beyond the time necessary to achieve the purpose for which it is processed.

the company acknowledges a delay in the implementation of its data erasure program but emphasizes the significant efforts made since the initiation of the procedure to bring itself into compliance

On the failure to comply with the obligation to keep personal data for no longer than is necessary for the purposes for which it is processed

unauthorized access by third parties

serious lack of diligence

absence of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of it

scope in a local environment

treatment

Article 32 of the RGPD has been violated, when a security incident occurs in your system allowing access to personal data of third parties, when accessing your account the claimant in perfumespremium.es, where the data of another customer with breach of security measures

shows personal data, addresses and billing of other users

materialize in the access to the personal data of a third person user client

Security of treatment

allowing access to the claimant to the personal data of a third person when accessing their account

showing the data of another client

when trying to access your user account in perfumespremium.es appears the personal data of another different user

anonymous user