Poland: UODO issues warning to spa company for outdated software resulting in data breach
The Polish data protection authority ('UODO') issued, on 17 February 2021, a warning to a spa company for using outdated software, which led to a ransomware-type encryption malware attack. In particular, the UODO highlighted that the data controller chose ineffective measures to protect its IT systems and failed to test their vulnerability to various types of threats. Specifically, the UODO noted that the company had only tested the performance of software components and the resistance of the systems to various types of failures, and had used inadequate technical and organisational measures. Furthermore, the UODO stated that even though the company lost access to the encrypted data, the principle of data confidentiality was not breached.
As a result, the UODO concluded that the violation did not result in a high risk for the affected individuals, as the entire incident happened in a period in which, due to the COVID-19 pandemic, the spa entity was not conducting its activities. Lastly, the UODO emphasised that controllers are required not only to regularly test, measure, and evaluate the effectiveness of technical measures to ensure the security of the processed data, but also to document these activities in order to comply with the principle of accountability under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').