
ES DPA fines Air Europa for breaching art. 32 and 33 GDPR on security measures

3 · 29 · 21

The ES DPA imposes a fine on Air Europa for violating arts. 32 and 33 #gdpr

1) Art. 32: fine of €500.000 for failing to implement appropriate TOMs to ensure a level of #security appropriate to the risk (art. 32 #GDPR)

– attackers had access to about 4,000 credit cards for the purpose of committing fraud, collected at least 488,847 unique credit cards, and viewed and filed at least 2,651 unique card numbers, CVVs, expiration dates and cardholder names; the approx. number of records affected was 1,500,000

– insufficient: a) segregation between the office and the production environment that manages payment with card data; and b) blocking and monitoring of outbound traffic to suspicious external IP addresses
– no 2FA
– several systems operated for longer than 1 year, and the operating systems were not patched for such a long period
– the DPIA did not determine what level of risk is or is not acceptable for the processing carried out and how it is calculated, and it did not break down the mitigating measures

2) Art. 33: fine of €100.000 for failing to notify the DPA in due time: 41 days after becoming aware of the unauthorised access

 

Link to the fine
