Italy: Garante fines Postel €900,000 for not having sufficient technical and organizational measures to address vulnerability
On October 22, 2024, the Italian data protection authority (Garante) published in its newsletter No. 528, its decision No. 572, as issued on July 4, 2024, in which it imposed a fine of €900,000 on Postel S.p.A. following violations of the General Data Protection Regulation (GDPR).
Background to the decision
The Garante noted that on August 17, 2023, Postel had notified the Garante of a personal data breach. According to Postel, it had suffered a ransomware-type cyber attack which resulted in the blocking of some servers and workstations. In particular, the attack involved the exfiltration of files containing personal data relating to workers, workers' relatives, corporate office holders, job candidates, and company representatives, and the subsequent publication of those files on the dark web. Postel stated that the breach affected approximately 25,000 data subjects and that the categories of personal data affected included contact data, access and identification data, payment data, data relating to criminal convictions and offenses, data relating to identification documents, data revealing trade union membership, and health data.
Findings of the Garante
The Garante found that the processing carried out by Postel had violated Articles 5(1)(f), 25, 32, and 33 of the GDPR by:
- not including all information necessary to identify the characteristics of the IT incident in the data breach notification;
- failing to adopt adequate technical and organizational measures to guarantee a level of security appropriate to the risks; and
- not addressing vulnerabilities that had been reported by the Microsoft Security Response Center in September 2022 and by the National Cybersecurity Agency (CSIRT) in November 2022.
Outcomes
As a result of the above, the Garante imposed a fine of €900,000 on Postel. Additionally, the Garante ordered Postel to carry out an analysis of the vulnerabilities of its systems, to prepare a plan to detect and manage such vulnerabilities, and to identify detection and response times adequate to the risks presented.
You can read the decision here and the newsletter here, both only available in Italian.