Greek DPA Imposes Fines on Telcos for GDPR ViolationsTwo Telcos Fined $10 Million for Failure to Disclose Info, Inadequate Security
The Greek data protection authority, Hellenic DPA, has imposed fines totaling more than $10 million on two telecommunication companies - OTE, or the Hellenic Telecommunications Organization, and its fully owned mobile operator Cosmote - for multiple data breaches, illegal processing of data related to its subscribers, and inadequate security measures, under the country’s Electronics Communications Law and GDPR articles.
Cosmote has been reprimanded for flouting eight GDPR articles, including "unclear and insufficient information" disclosure to its subscribers, and three other Electronics Communications Law violations. Cosmote's parent company, OTE, "was found to have infringed Article 32 of the GDPR due to inadequate security measures taken in relation to the infrastructure used in the context of the breach." The collective fine for the two companies that the OTE Group needs to pay is 9,250,000 euros ($10,500,000).
The Hellenic DPA said in a press statement issued this week that the fine is due to breaches of personal data protection and illegal data processing of the customers/subscribers data by the two telecommunication companies.
"Taking into account the criteria set forth in Article 83(2) of the GDPR, the Authority, on the one hand, fined Cosmote a total of 6 million euros ($6.8 million) and imposed the sanction of stopping the processing and destroying the data, and OTE was fined a total of 3.25 million euros ($3.7 million)," the Hellenic DPA says.
The incident for which the fine is being imposed occurred in 2020. Cosmote Mobile telecommunication first detected the cyberattack on Sept. 8, 2020, when its internal team observed an unauthorized file export from one of its computer systems. The exported file contained data from Sept. 1 to Sept. 5. The intrusion was detected just before the company's systems check on Sept. 8, and the company blamed the unauthorized access on a cyberattack that Cosmote eventually informed the customers about on Oct. 14, 2020, through a formal announcement.
The company reportedly blocked the unauthorized access and took evasive measures after first spotting of the attack. That it made the public announcement more than a month later was problematic. The Greek DPA has penalized the two companies for not maintaining transparency and letting affected subscribers know of the data breach in a timely way. "The investigation of the case revealed that Cosmote had infringed the principles of legality - Articles 5 and 6 of Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector) and transparency due to the provision of unclear and insufficient information to subscribers - Article 5(1)(a) and Articles 13-14 of the General Data Protection Regulation - GDPR," the Hellenic DPA says.
Cosmote said at the time of the incident that it did not inform its customers/subscribers because it wanted to maintain the integrity of the ongoing investigation. "The immediate disclosure of the attack would jeopardize the incident's thorough investigation and handling." The company did immediately block the unauthorized access, and it "took all precautionary measures and informed the competent authorities from the very first moment, as provided by law," Cosmote said in its public announcement.
Cosmote said that the exfiltrated file mainly contained call registry records of mobile subscribers during the five-day period, which included the following details:
- Phone number;
- Date of the calls;
- Time and duration logs of the calls;
- Device type;
- Age and gender of the subscriber;
- Average revenue per user record;
- Base station coordinates;
- Cosmote subscriber mobile tariff plan.
At the time, Cosmote did not mention the number of subscribers affected by the cyber incident, but the Hellenic DPA states the number of affected subscribers in its verdict, along with further details:
- Base station coordinates data of 4,792,869 unique Cosmote subscribers;
- Age, gender, plan and ARPU of 4,239,213 unique Cosmote subscribers;
- MSISDN/CLI of 6,939,656 users of other domestic and fixed providers who communicated with Cosmote customers;
- MSISDN, IMEI, IMSI, and base station coordinates of 281,403 roaming Cosmote subscribers.
The analysis of the logs made by Cosmote show that the attacker used a brute force attack to gain administrative access into an OTE administrator account. This password was leaked during a previous incident in which the LinkedIn social networking application password was leaked, the Hellenic DPA says.
The attacker then executed queries on Cosmote's Big Data system, from which he extracted the file. But the DPA says that this was not the only data breach that occurred. The same attacker, who was operating through an external IP address that belongs to a hosting provider in Lithuania, also exfiltrated four other files - with file sizes of 37GB, 2.4GB, 8.5GB, and 6.1GB - in separate instances.
Basis for Penalties
Transparency was one of the factors for the penalty in this case, but the Hellenic DPA also says that the two companies maintained poor data protection impact assessment, poor anonymization, inadequate security measures and illegal data processing practices, including storage of call details on its servers for 90 days in the name of service quality assurance, and maintaining an anonymized version of the data for another 12 months, for drawing statistical conclusions that help in targeted service improvement.
The DPA's verdict says that although the company provided full support during the investigation, before deciding the penalty it considered the very long duration of the infringement; the number of affected subscribers, users or individuals, which totaled over 10 million; and the fact that, for a long period, there was no implementation of a pseudonymization after the calls were made.
Cosmote Didn't 'Get the Basics Right'
"The very large fines imposed by the Greek regulator reflect the litany of breaches committed by Cosmote," says Nigel Jones, co-founder of The Privacy Compliance Hub. He tells ISMG the decision appears to show that Cosmote failed to get the basics of security right. "The processing they carried out wasn't lawful. They didn't get their privacy notices right, didn't complete an adequate data protection impact assessment [DPIA], failed in their anonymization attempts, didn't keep the personal information secure and shared the personal information unlawfully," he says.
"Many companies continue to get this wrong because they don't care - they think they can tick a few boxes and then ignore the issue. Other companies think it is too hard and don't know where to start. Both viewpoints are wrong and risk the sort of fines and loss of reputation being experienced in this case," Jones says.
Peter Galdies, senior consultant of DQM GRC, tells ISMG: "While the headline discusses transparency, the adjudication also draws strongly on an insufficient DPIA process and poor anonymization techniques. The key here is the DPIA, which is a legal requirement for data processing such as this. Had the DPIA been correctly managed, it should have revealed the other two problems - transparency and poor anonymization, enabling the organization to remedy these failures."
Galdies says that DPIAs are often the most important tool for an organization to manage the risks around personal data processing, but they are often overlooked or poorly addressed as organizations typically do not understand their real value and view them simply as a legal "tick box" exercise.