Hellenic Post Services S.A. Faces GDPR Fine for Data Breaches
Hellenic Post Services S.A. (ELTA S.A.), a prominent postal service provider in Greece, has been fined by the Hellenic Supervisory Authority (SA) for failing to implement adequate technical and organizational measures, leading to unauthorized access by third parties and subsequent data breaches. The final decision, issued on February 28, 2024, highlights critical lapses in compliance with GDPR principles regarding the integrity and confidentiality of personal data and the security of processing.
The case originated from two separate breach incidents that ELTA S.A. reported to the Hellenic SA, as the GDPR requires. In the first incident, a malicious attack left the company's data encrypted and the perpetrators demanded a ransom; in the second, personal data was leaked and subsequently published on the Dark Web.
Following an investigation, the Hellenic SA found that ELTA S.A. had failed to adhere to the necessary technical and organizational measures and had neglected to ensure the implementation of a robust processing security policy. This failure allowed a chain of attacker activity within the company's systems: vulnerability scanning, unauthorized access to system resources, execution of malicious processes, disabling of security software, and file encryption.
As a consequence of these breaches, the Hellenic SA imposed an administrative fine equivalent to 1% of ELTA S.A.'s last available annual turnover. The decision to impose the fine was based on several criteria outlined in the EDPB Guidelines, including the wide range of persons affected, the amount of damage incurred, the nature of the breaches, omissions in the security policy, and the categories of data affected.
Despite the imposition of the fine, mitigating factors were taken into account. These included ELTA S.A.'s efforts to strengthen its system's security measures after the incidents, its engagement of a specialized company to investigate and its compliance with that company's instructions, the successful recovery of the data, and the company's adverse financial situation.
This enforcement action underscores the importance of robust data protection measures and compliance with GDPR regulations, particularly in safeguarding the integrity and confidentiality of personal data. It serves as a reminder to organizations of the potential consequences of failing to implement adequate security measures to prevent unauthorized access and data breaches.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.