- Authority: Spanish Data Protection Agency
- Company: PROMOFARMA (online pharmacy).
- Outcome: Proceedings archived (case closed without sanction)
- Subject: Security breach
- Infraction: None. 1,300,000 people affected
- Link: https://www.aepd.es/es/documento/e-08205-2019.pdf
“It is recorded that a personal data security breach occurred, categorised as a confidentiality breach due to the possible access to personal data by third parties, as a consequence of improper access to the client and user database resulting from an external attack, the data subsequently being put on the Deep Web”.
“However, it is also recorded that PROMOFARMA had technical and organisational measures in place to deal with an incident such as the one now analysed, in particular the encryption and encoding of passwords, which enabled the detection, analysis and classification of the personal data security breach as well as a diligent reaction to it in order to notify, communicate and minimise the impact, and to implement appropriate reasonable measures to prevent it from being repeated in the future, through an action plan previously defined by the parties involved within the data controller”.
“It is shown that, as soon as PROMOFARMA became aware of the security breach, it immediately notified the AEPD and the Guard of Barcelona”. The attack affected 1.3 million people.
“Even without being able to confirm the effectiveness of the theft of personal data as regards passwords, the entity forced all users to change their passwords.”
The company’s data protection department brought the facts to the attention of the Board of Directors.
“As an additional measure, it was shown that PROMOFARMA strengthened the algorithm used to encrypt the information in the database, which further reduces the risk of the information being decrypted.”
PROMOFARMA has carried out an adaptation to the GDPR in which it implemented a management system for Governance, Risk and Compliance with the aforementioned regulation (the resolution lists all the technical and organisational measures that the company has proven to have implemented when processing the personal data of its customers).