Morele.net Fined €645,000 for lack of GDPR Compliant Security Measures

Poland’s Personal Data Protection Office (UODO) this week decided to fine an online retailer PLN 2.8 million, or €645,000 for “insufficient organizational and technical safeguards”.

It has been reported the online retailer in question, Morele.net, became aware of a breach on its systems in November 2018 that impacted 2.2 million customers through the company’s nine websites. Customers reported receiving SMS messages demanding extra payments to complete an order that had been submitted. The SMS scam included a link to a fake electronic payment gateway controlled by the cybercriminals.

Poland’s Personal Data Protection Office (UODO) this week has taken the decision to apply a penalty of PLN 2.8 million or €645,000 for “insufficient organizational and technical safeguards”.

The data breach is reported to include names, telephone numbers, email addresses and delivery addresses. It was further reported that another 35,000 customers had additional information leaked, including their payment instalment information (including Personal ID number), education, source of income and net income, household maintenance costs and marital status.

In 2018, the European Union last year enacted the General Data Protection Regulation, a law that charges organizations in relation to the collection and use of their customers’ personal data. GDPR imposes a minimum threshold that organizations must consider to ensure compliance. If these conditions are not in place then a company or organization can be sanctioned with a fien as up to a maximum of €20m or 4% of annual global revenue for the previous financial year.

President of UODO Jan Nowak said, in relation to the penalty applied to Morele.net: “By not using sufficient technical means of data protection, violated, among others specified in art. 5 paragraph 1 letter f GDPR, the principle of confidentiality.”

The application of this fine follows the trend of EU based data protection agencies implementing a stringent policy when it comes to applying financial penalties against companies and groups of all shapes and sizes for GDPR breaches. Other recent fines include a penalty for the unlawful use of facial recognition technology against a Swedish school, Unicredit Bank was fined  US$146,000 for a GDPR breach in Romania and Google is facing a possible €5.45bn penalty in relation to using a GDPR ‘workaround’.

This highlights the importance for all companies operating in the European Union to ensure that they are doing everything possible to comply with the GDPR legislation. Breaches of any size are not being tolerated and 2019 has seen the trend towards the application and sanctioning of financial penalties across the entire EU. If you are a company doing business in this region and you are unsure if you are 100% compliant with the data privacy law then you must move swiftly to address this.

There is more guidance on this available in our articles on GDPR for US Companies, How to Prepare for GDPRWhat are the GDPR Penalties? and Essential Steps for GDPR Compliance.