Greece: HDPA fines ELTA €2.9M for inadequate technical and organizational measures
On April 12, 2024, the Hellenic Data Protection Authority (HDPA) published its Decision No. 10/2024, issued on February 28, 2024, in which it imposed a fine of €2,995,140 on Hellenic Post S.A. (ELTA) for violations of the General Data Protection Regulation (GDPR), following ELTA's breach notification to the HDPA.
Background to the HDPA's decision
The HDPA recounted that ELTA had submitted a notification of a breach incident concerning software encryption on the company's system, as a result of a malicious attack by third parties, and the leakage of personal data that were subsequently published on the dark web. The HDPA further noted that the system breach involved unauthorized remote access to workstations and files within the company, which led to the attackers discovering the passwords of network domain management accounts, gaining unauthorized access to files and folders, and installing malicious processes.
Findings of the HDPA
After investigating the cybersecurity incident, the HDPA found that ELTA did not maintain adequate technical and security measures on the system and applied its security policies incorrectly, in violation of Article 32 of the GDPR. The HDPA also found that ELTA did not ensure that access to personal data was restricted to authorized persons, in violation of Article 5(1)(f) of the GDPR.
Outcomes
As a result, the HDPA fined ELTA €2,995,140 for the aforementioned violations.
You can read the press release here and the decision here, both only available in Greek.