The five highest fines in May 2024

In May 2024, another data protection fine worth millions was imposed. And this against a company that is supposed to protect its customers on the internet.

1. Avast Software and Avast Limited: 13.9 million euros (Czech Republic)

The Czech Data Protection Authority has imposed a fine of EUR 13.9 million (CZK 351 million) on Avast Software, based in Prague (Czech Republic), and Avast Limited. The final decision of the responsible supervisory authority was published on April 10, 2024 and on May 2, 2024.

An anonymous tip-off and media reports at the end of 2019 triggered the investigation.

The Czech supervisory authority found that the company had transferred personal data of users of its antivirus software and browser extensions to its sister company without a lawful basis. The transferred data concerned around 100 million users and included, in particular, pseudonymized internet browsing histories of the users, which were linked to a unique identifier. In addition, the supervisory authority found that the controller had misinformed its users (the data subjects) about these data transfers by claiming that the transferred data was anonymized and used solely for statistical trend analysis. The lead supervisory authority (LSA) concluded that internet browsing histories, even if they are not complete, constitute personal data, as it is possible to re-identify at least some of the individuals concerned. The misconduct is all the more serious because the company is one of the leading experts in cybersecurity and provides the public with tools to protect data and privacy.

Source: The President of the Office for Personal Data Protection

2. Verkkokauppa.com: 856,000 euros (Finland)

After a complaint, the Finnish supervisory authority investigated the activities of the online retailer Verkkokauppa.com. The company required its customers to register before online purchases could be made. Purchases in the online store were not possible without creating a customer account.

The review of the company revealed that the online store's customer account data was stored indefinitely. There was also no indication of the storage period for the data that was collected.

Furthermore, the practice of requiring the creation of a customer account for online purchases violates data protection law. The creation of a customer account or the storage of personal data resulting from this creation may not be a prerequisite for the conclusion of individual online purchases.

By decision dated March 6, 2024, the Finnish supervisory authority imposed a fine of 856,000 euros on Verkkokauppa.com because it had not set a retention period for customer account data. The company was also ordered to correct its practice of requiring registration for online purchases. The decision was published on May 8.

Source: Press release Data Protection Ombudsman

3. Greek Ministry of the Interior: 400,000 euros (Greece)

The Greek data protection authority has found in an investigation that MEP Anna-Michelle Asimakopoulou sent political emails to Greek voters abroad without permission. The email addresses came from a register kept by the Ministry of the Interior for the 2023 elections. There were 236 complaints that Asimakopoulou had sent unsolicited political messages. There were also 66 complaints against the Ministry of the Interior for passing on these addresses.

The investigation of the Supervisory authority revealed that Asimakopoulou used a list of 25,538 email addresses, 23,392 of which matched those of the Ministry of the Interior. The addresses were not properly secured and the processing was carried out without sufficient protective measures.

The Greek data protection authority therefore imposed a fine of 400,000 euros on the Ministry of the Interior on May 27, 2024 and recommended measures to improve data security. In addition, the supervisory authority ordered the Ministry of the Interior to ensure compliance with data protection regulations.

A fine of 40,000 euros was issued against the MEP Anna-Michelle Asimakopoulou.

Source: Notice of fine

4. 4Finance Spain Financial Services, S.A.U.: 360,000 euros (Spain)

The Spanish Data Protection Agency (AEPD) has initiated fine proceedings against 4Finance Spain Financial Services after a security breach was reported on February 17, 2023.

The investigation revealed that attackers had used stolen credentials to access customer accounts and submit fraudulent credit applications. Access to the data was gained through brute force attacks and credential stuffing. A total of 9,497 customers were affected, whose personal and financial data was compromised by the unauthorized access.

Furthermore, it turned out that the company had not reported the data breach to the AEPD or the data subjects without delay, although this was required under Articles 33 and 34 of the General Data Protection Regulation (GDPR). The company only informed the affected customers about the incident on April 11, 2023, following an order from the AEPD.

Following the incident, 4Finance Spain Financial Services introduced additional security measures, including the introduction of two-factor authentication (2FA) to prevent future attacks.

The original fine of EUR 600,000 was reduced to EUR 360,000 by decision dated April 8, 2024 due to the guilty plea. The decision was published on May 8, 2024.

Source: Notice of fine from the AEPD

5. Vodafone España: 200,000 euros (Spain)

Following a customer complaint, the Spanish Data Protection Authority (AEPD) initiated sanction proceedings against Vodafone España, S.A.U. The customer had received a text message on January 14, 2022 announcing a change of contract holder without his consent. Vodafone confirmed that the change had been made fraudulently in a store in Rubí (Barcelona).

The telephone company stated that the fraud was committed by a third party who had obtained the customer's personal data and used it to conclude several fraudulent contracts. Following an investigation, Vodafone found that the fraud was made possible by forged identity documents and inadequate identity checks in several stores in Barcelona and Valencia.

Vodafone took action to terminate the fraudulent contracts, reimbursed the customer for the costs incurred and added the customer to the internal list of fraud victims to prevent future incidents.

However, the AEPD found that Vodafone had not taken sufficient measures to prevent such fraud. In addition, the security measures were inadequate to properly verify the identity of customers when signing a contract.

The AEPD recommended a revision of Vodafone's security protocols and imposed a fine of EUR 200,000 for breach of Article 6(1) of the GDPR. According to the supervisory authority, Vodafone had failed to verify the lawfulness of the processing of personal data.

Source: Notice of fine from the AEPD
