The President of the Personal Data Protection Office (UODO) has imposed an administrative fine of more than PLN 1 MLN on ID Finance Poland Sp. z o.o. in liquidation, the owner of the MoneyMan.pl loan portal. As a result of an error made by the company's processor, i.e. the hosting company, the security of the customer database, including PESEL numbers and unencrypted passwords, was lost, which caused a leak of data. The company identified the breach and reported it, as a result of which the authority undertook an inspection.
Why was the company fined?
The President of the UODO accused ID Finance Poland Sp. z o.o. of failing to implement appropriate technical and organizational measures to ensure adequate security of its customers' personal data and its protection. The database was not adequately protected against disclosure, e.g. by encrypting passwords.
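The decision faults the company for storing customer passwords in a form that a leaked database row exposes directly. The standard defensive practice behind the "encrypting passwords" remark is salted one-way hashing with a deliberately slow key derivation function, so that a copied database yields no usable credentials. The following is an added illustration written for this summary, not code from ID Finance Poland or from the UODO decision; the record format, function names and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo: credential storage that never keeps the plaintext.
# Stored record format (an assumption for this example):
#   "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>"
DEFAULT_ITERATIONS = 600_000  # order of magnitude recommended for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a salted one-way hash of `password` and return a storable record."""
    # A fresh random salt per user means two identical passwords produce
    # different records, so a leaked table cannot be attacked with one lookup.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def leaked_record_exposes_password(record: str, password: str) -> bool:
    """Model the damage of a copied row: True only if the plaintext is visible in the record."""
    return password in record


if __name__ == "__main__":
    # Constructed sample credential; the password is a placeholder, not real data.
    record = hash_password("example-passphrase-42")
    print("stored record:", record)
    print("correct password verifies:", verify_password("example-passphrase-42", record))
    print("wrong password verifies:", verify_password("something-else", record))
    print("leaked row reveals password:", leaked_record_exposes_password(record, "example-passphrase-42"))
```

Because only the salted digest is stored, the same database leak that exposed MoneyMan.pl customers would, under this scheme, hand an attacker a list that still has to be cracked per user at the chosen work factor rather than a list of ready-to-use credentials.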
In addition, the authority found that the company had not implemented measures to ensure prompt and effective identification of a data breach. Although a data breach notification policy had been developed, it was very general and not subject to periodic verification of its effectiveness. As a result, in the opinion of the President of UODO, the company contributed to the failure to ensure continuous confidentiality, integrity, availability and security of the processing systems and services.
The President of the UODO emphasized that a data controller, upon becoming aware of a possible security incident, should conduct a brief verification of it and, if it determines that a breach has occurred, report it and take remedial action. A full analysis of the breach may be continued after it has been notified. According to the supervisory body, the company reacted inadequately to the first notification of a possible data leak by focusing on verifying its authenticity instead of taking measures to secure its customers' data. The effect of this was to escalate the breach.
Outsourcing personal data processing does not release the controller from responsibility
Even though the personal data leak occurred at the processor's, the responsibility for the breach lies with the data controller, who is responsible for ensuring appropriate data security measures. In the course of the proceedings, the company argued that its liability for the breach should be assessed only in terms of whether the processing had been entrusted correctly, i.e. to an entity providing sufficient guarantees for its services. However, the President of the UODO disagreed with this standpoint.
The company may appeal the decision to the provincial administrative court.