The President of the Personal Data Protection Office (UODO) has once again imposed a fine on Morele.net following a significant data breach that compromised the personal data of over 2 million individuals. The fine, which amounts to more than PLN 3.8 million, stems from the company’s failure to implement adequate technical safeguards to protect the data.
The incident originally came to light after a ruling from the Supreme Administrative Court of Poland on February 9, 2023, which overturned a previous decision by the UODO to fine Morele.net. The court found that while the data breach was acknowledged, the UODO had not sufficiently demonstrated its competence in evaluating the technical and organizational measures taken by the company to secure personal data.
In response, the UODO conducted the administrative proceedings again. The results revealed that Morele.net had not applied appropriate safeguards, including essential security measures such as encryption and two-factor authentication. Additionally, the company lacked a risk analysis that could have accounted for risks such as logging into systems from public networks. These deficiencies led to unauthorized access to personal data.
The UODO’s investigation confirmed that the company did not have the necessary technical and administrative procedures in place to monitor network traffic and respond to suspicious activities. As a result, Morele.net was unable to determine the full extent of the data breach until after the incident had occurred. These deficiencies were only addressed post-breach.
While Morele.net admitted that these shortcomings were an oversight on its part, the President of the Personal Data Protection Office determined that the severity and scope of the violations warranted a substantial fine. This decision marks the first time the European Data Protection Board’s Guidelines on the calculation of administrative fines, adopted on May 24, 2023, were used in determining the penalty.
The UODO continues to emphasize the importance of robust data protection practices for companies handling personal data, especially in light of increasing cybersecurity risks.