Greece: HDPA fines OTE Group €3.2M for insufficient security measures resulting in data breach
The Hellenic Data Protection Authority ('HDPA') published, on 31 January 2022, its decision No. 4/2022, in which it fined the Hellenic Telecommunications Organisation S.A., OTE Group, €3,250,000, for a violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a data breach concerning leakage of subscriber call data.
Background to the decision
In particular, the HDPA outlined that Cosmote Mobile Telecommunications S.A. reported a data breach to the HDPA and submitted various documents as requested, from which it arose that the OTE Group should have been involved in the investigation of the incident, specifically with regard to the security measures implemented. Moreover, the HDPA noted that the data breach concerned leakage of subscriber call data between 1 September 2020 and 5 September 2020 and that this data was stored on Cosmote's server and was moved from the server to an IP address which belonged to a hosting provider in Lithuania. Additionally, the HDPA detailed that Cosmote's investigation found that a website hosted in the OTE Group's infrastructure was hacked from the same IP address. Specifically, the HDPA highlighted that the hacker managed to gain administrative access using the password of an administrator of OTE Group, and then executed queries on Cosmote's Big Data system, from which the hacker exported the file with the subscriber call data.
Findings of the HDPA
The HDPA found that, since both Cosmote and the OTE Group are responsible for the determination of the technical and organisational security measures, the OTE Group violated Article 32(1) of the GDPR.
As a result of the above violation, the HDPA issued a fine of €3,250,000 to OTE.