The Hellenic SA imposed a fine on a company, HELLENIC POST SERVICES S.A., for failing to implement the necessary technical and organizational measures required by the GDPR, a failure that resulted in unauthorized access by third parties.

Company fined for failure to implement security measures leading to unauthorized access

The company reported two breach incidents to the Hellenic Supervisory Authority, involving the encryption of data for ransom and the leakage of personal data onto the Dark Web. The investigation revealed the controller's non-compliance with security measures, which led to vulnerabilities, unauthorized system access, malicious processes, and file encryption. The fine of 1% of the annual turnover was based on various criteria, including the scale of persons affected, the amount of damage, the nature of the breach, and security policy omissions. Mitigating factors included security improvements post-incident, a specialized investigation, data recovery, and financial difficulties.
https://www.edpb.europa.eu/news/national-news/2024/hellenic-sa-fine-company-failure-implement-technical-and-organisational_en