Massimo Donna’s Post


Lawyer - Technology II FinTech II AI II Cybersecurity II Crypto II M&A - Partner at Paradigma - Law & Strategy

On the back of the #EU Court of Justice VB v. NAP ruling of 14 December 2023, which, among other things, ruled that the occurrence of a #databreach does not imply per se that the data #controller has not adopted adequate security measures, the Italian Data Protection Authority fined #Unicredit and #NTTData in connection with a massive #cyberattack that involved thousands of Unicredit customers back in 2018.

The sanctions date back to the 8th of February, but were only made public by the #garanteprivacy on the 7th of March.

The cyberattack was carried out by a sophisticated actor that, over several days, tried to gain access to Unicredit's #mobilebanking #platform by deploying reverse #bruteforce techniques (in a reverse brute force attack, a malicious actor tries out very easy passwords on a large number of accounts).

NTT Data had been contracted by Unicredit to perform a #vulnerabilityassessment and #penetrationtest and, while carrying out such operations, came across the attack.

It actually turned out that NTT Data instructed a #subcontractor to carry out the VA and PT exercises, allegedly without informing Unicredit, and apparently the news of the data breach had travelled too slowly from the subcontractor to Unicredit, via NTT Data.

For its part, Unicredit not only failed to prevent its mobile banking application from returning the customers' names and one of the PIN codes when access to their accounts was attempted with incorrect credentials, but also failed to adopt the appropriate security measures to prevent the brute force attack.

Unicredit was fined 2.8 million Euros. NTT Data was fined 800K Euros by the #DPA for breaching article 28, para 2, of the GDPR (which requires processors to inform controllers of the appointment of a sub-controller) and article 32, para 2, GDPR for not informing Unicredit of the breach without delay.

Data breaches may not imply, per se, that the data controller has not adopted adequate measures, but this fine issued by the #garanteprivacy shows that DPAs are not shy when it comes to determining whether security measures are up to the task or not, even if it takes over 5 years... and that #dataprocessors are not off the hook when it comes to major data breaches. This story is not over yet though, as NTT Data has announced that it will seek judicial review of the DPA decision.

Massimo Donna
6mo
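The two failings the post attributes to the bank (a failed login that still returned the customer's name and a PIN, and no control against reverse brute force across many accounts) in an added Python sketch that is not part of the post or of either company's systems. The account store, addresses and threshold are constructed, and the sha256 stand-in is not a recommendation for password storage.

```python
import hashlib
import hmac
from collections import defaultdict


def _h(pw: str) -> str:
    # Stand-in for a real password KDF (argon2/bcrypt); only here to keep the example self-contained.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample account store: username -> customer name, PIN, password hash (not real data).
ACCOUNTS = {
    "alice": {"name": "Alice Rossi", "pin": "1234", "pw": _h("s3cure-pass")},
    "bob":   {"name": "Bob Bianchi", "pin": "5678", "pw": _h("another-one")},
}


def leaky_login(user: str, password: str) -> dict:
    """Anti-pattern matching the post: a failed attempt still returns the customer's name and a PIN,
    and unknown users get a different error than wrong passwords (confirms which accounts exist)."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return {"ok": False, "error": "unknown user"}
    if not hmac.compare_digest(acct["pw"], _h(password)):
        return {"ok": False, "name": acct["name"], "pin": acct["pin"]}   # data leaks on failure
    return {"ok": True, "name": acct["name"]}


class HardenedGateway:
    """Uniform failure response, plus per-source tracking of distinct accounts with failed attempts:
    reverse brute force touches many accounts from one source, which per-account lockout never sees."""

    def __init__(self, max_accounts_per_source: int = 5):
        self.max = max_accounts_per_source
        self.failed_users = defaultdict(set)   # src_ip -> usernames that failed from that source
        self.blocked = set()                   # sources that exceeded the threshold

    def login(self, src_ip: str, user: str, password: str) -> dict:
        failure = {"ok": False, "error": "invalid credentials"}   # same body for every failure
        if src_ip in self.blocked:
            return failure
        acct = ACCOUNTS.get(user)
        stored = acct["pw"] if acct else _h("")   # keep the hash compare on the unknown-user path too
        match = hmac.compare_digest(stored, _h(password))
        if acct is not None and match:
            return {"ok": True, "name": acct["name"]}
        self.failed_users[src_ip].add(user)
        if len(self.failed_users[src_ip]) >= self.max:
            self.blocked.add(src_ip)               # escalate: alert or step-up auth in a real deployment
        return failure
```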
Bruno Schneider - Le Saout

Decentralized Innovation Strategist | Decentralized AI | SmartContracts | Intangible Asset Finance |Tokenization | IP Automation | Knowledge Discovery | AI Agent

6mo

Data breaches are no longer acceptable and/or accepted in most jurisdictions; still, poor enforcement and/or sanctions won't change the game. Customers vote 🗳️ by flying away from lazy cybersecurity companies. Is the solution name and shame? #dora #cybernews #cyberresilience #dataprotectionlaw #dataprotection #databreaches #cyberattacks #cyberwar #cybersecurityawareness #cybersecurity
