Data breach under the GDPR: clarifications from the Italian Data Protection Authority

With a recent decision, the Italian Data Protection Authority (“Garante”) provided some useful guidelines regarding the data breach procedure in case of a personal data violation.

Article 33 of EU Regulation 679/2016 (“GDPR”) establishes that the data controller shall notify each breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data (a “data breach”) to the relevant supervisory authority, ideally not later than 72 hours after having become aware of it.

The controller shall also notify the data subjects of the personal data breach, under Article 34 GDPR, without undue delay, having considered the likelihood of the personal data breach resulting in high risk and unless any of the conditions of Article 34(3) GDPR are met.

In compliance with the GDPR, in February 2019 Italiaonline Spa notified the Garante of the breach of 1.5 million authentication credentials of users who had logged into their email accounts via webmail. In particular, from the technical analysis carried out by the company it was found that the breach had occurred through a Wi-Fi hotspot. Italiaonline Spa activated containment and mitigation measures, such as changing password systems and notifying users of the data breach on the landing page. In addition, the company specified it had not noted unusual access (in terms of volumes and connections) to the email accounts and it had sent by email a data breach notification to all users.

Upon receiving the data breach notice, the Garante started an inquiry that revealed a weakness in the data breach procedure adopted by the company. The Authority, as a result, issued an order under Article 58(2) (E) GDPR.  

First of all, the Garante recalled that, in assessing risks to the rights and freedoms of natural persons in connection with data breaches, the likelihood and severity of the risk should be determined by reference to the nature of the violation, the nature and volume of the breached personal data, the degree of difficulty in identifying the natural person, the severity of the consequences and the number of users involved.

In the case at issue, the Garante noted that the data breach had occurred following a cyber-attack at the email accounts’ front-end systems and had permitted the acquisition by third parties of a large amount of authentication credentials, related to a large number of identifiable data subjects, thus involving high risk. In fact, the Authority noted, “the acquisition of authentication credentials by third parties, regardless of whether this leads to an effective log in to the email account, must be considered as a source of potential prejudice to data subjects due to the fact that the same authentication credentials may be used to log in also to other online services”.

Having found that the data breach at hand could involve a high risk to the rights and freedoms of natural persons, a condition for which the notification of the data breach to the data subjects is necessary, the Garante went on to specify the contents of such notice.

In this regard, Italiaonline Spa had prepared two different notices, depending on whether or not the data subjects had changed their passwords within the 48 hours following the data breach notification. In these notices, the data breach was described as “anomalous activity on the systems” and it was suggested, as a corrective measure to the data subjects who had not already done so, changing their password. The notification was sent to the same email addresses whose authentication credentials had been breached.

The Garante deemed the information provided to be insufficient, in respect to the high risks for the data subjects, and the delivery methods to be incorrect; the communication sent to the breached email accounts, in fact, could have ended up not reaching the real users.

The Authority clarified that the data breach notice provided to the data subjects should be simple and clear in order to provide specific advice regarding measures to adopt for preventing illicit uses of personal data, such as identity theft.  Regarding the delivery methods of the notice, the Garante stated that the data controller should choose a delivery method appropriate for reaching all the concerned data subjects.

Based on the above, the Garante ordered Italiaonline Spa to send a new data breach notice to the data subjects, indicating the nature of the data breach and its possible consequences and providing the users with specific advice regarding measures to adopt for preventing further risk. In the case at hand, the advice was to stop using the breached authentication credentials and change the password used to access other online services if identical or similar to the one breached.