
The Phone House and the Data Protection Agency face off in court over a €6.5 million fine
This past November, one of the largest fines ever imposed by the Spanish Data Protection Agency (AEPD) was argued before the National Court (Audiencia Nacional): a €6.5 million penalty against The Phone House, the mobile phone, tariff and technology retailer, for the cyberattack it suffered in April 2021.
The Phone House Data Hack
As noted above, in April 2021 The Phone House suffered the theft and ransom of roughly 100 GB of personal data belonging to up to three million (3,000,000) customers, former customers, employees and suppliers.
The stolen data included full names, national ID numbers, postal addresses, email addresses, phone numbers, nationalities, dates of birth and bank details, as well as device and product information such as insurance policies and the IMEI codes of mobile phones.
The Phone House was the victim of a ransomware attack by a well-known criminal group whose usual practice is to steal a company's information and demand a "ransom" in exchange for not publishing it.
In this case the attackers demanded an undisclosed sum in return for not releasing the confidential data on the deep web. When the company refused to give in to the extortion, the attackers published the stolen information, exposing millions of people to fraud and identity theft.
Infringement and Penalty from the Spanish Data Protection Agency (AEPD)
According to the National Court's resolution, dated September of this year, the AEPD issued its sanctioning resolution on December 27, 2023, imposing a €6.5 million fine for a series of infringements.
Specifically, the fine breaks down into two violations:
- An infringement of Article 5.1.f) of the GDPR, classified under Article 83.5 of the GDPR, punished with an administrative fine of €4,000,000.
- An infringement of Article 32 of the GDPR, classified under Article 83.5 of the GDPR, punished with an administrative fine of €2,500,000.
Article 5.1.f) of the GDPR states that “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).”
In this case, while it is true that security breaches cannot always be anticipated, the AEPD maintains that: “It does not have a policy of dismissal in cases of cyberattacks, of any kind, nor for those affected by ransomware. Therefore, regarding data protection, the technical and organizational security measures to be implemented by data controllers and other obligations to be fulfilled under the GDPR must be adequate to the specific risks posed by the particular processing carried out by each controller.”
The AEPD concluded that The Phone House did not have the appropriate technical or organizational measures in place.
Article 32 of the GDPR, for its part, governs the security of processing. It requires the controller, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. As data controller, The Phone House was bound by that obligation.
In this regard, the AEPD highlighted “the inadequacy of the encryption algorithm, which is a true deficiency, an insecure algorithm that had been pointed out years earlier by the CCN, although it was only recommended in the aforementioned report. What the report shows is that TPHS was using this algorithm, and it is known to be defective. It should not be forgotten that the attacker obtained the credentials of several TPHS users.”
For all these reasons, the AEPD found that The Phone House had not met the security requirements for processing.
The Phone House Spain, controlled by the Spanish listed group Global Dominion Access, filed a contentious-administrative appeal against the deemed rejection, by administrative silence, of its challenge to the sanction. In that appeal it asked for payment of the fine to be suspended as a precautionary measure until the judges decide whether the penalty is to be annulled or, as the case may be, confirmed, arguing that the "significant" amount claimed would force it to "cease meeting its financial and business obligations". The National Court's ruling will therefore determine how the matter is finally resolved.

María first came into contact with new-technologies law during her degree at the Universidad Complutense de Madrid. She is currently studying for the Máster Universitario en Derecho de las Telecomunicaciones, Protección de datos, Audiovisual y Sociedad de la Información (Master's in Telecommunications, Data Protection, Audiovisual and Information Society Law) at the Universidad Carlos III de Madrid, with the aim of becoming a certified DPO.