[PIO] Communication from the Data Protection Commissioner: Second Decision on the cyber-attacks on the network of the Land Registry Department

On 13 March 2023, a Data Breach Notification was submitted to my Office on behalf of the Department of Cadastre and Land Surveying (hereinafter the "Department") stating that on 8 March 2023 the Department suffered a cyber attack which affected the Department's web portal (DLS Portal).

After a full investigation of the incident, it was determined that the attack did not result in the attacker gaining access to personal data; however, the availability of the data was affected due to systems being taken offline to investigate the incident and gradually restored. Despite the fact that no personal data was accessed by the attacker, I note the following:

a) The controller should ensure, inter alia, the availability and reliability of processing systems and services on an ongoing basis. Even the temporary unavailability of data may have had an impact on the data subjects by not being able to serve them.

b) If the attacker had gained access to the Department's servers, there was a possibility that the attacker could have gained access to other systems/subnets, which include personal data.

After reviewing the technical and organizational measures taken prior to the incident, the results of the investigation, the actions taken after the incident, and the actions planned to be taken to further shield the systems, a violation of the Regulation was found by not implementing appropriate security measures.

On 21 December 2023, I issued a Decision in which I issued a Reprimand to the Department. I also instructed the Department to inform me within two months of:

a) The progress in implementing the additional measures it will take and in securing the additional equipment.

b) The results of the new penetration test and the status of the resolution of the findings.

c) The timetables in which the actions to enhance the security of its systems will be implemented.

In issuing the Decision, all the facts relevant to this case were taken into account and in particular that:

a) No personal data was accessed by the attacker.

b) The period during which the availability of data was affected was limited (full restoration of all systems occurred after one month, but several services were provided to citizens in physical presence after approximately one week).

c) No substantial harm appears to have been caused to the subjects.


Contents of this article including associated images are owned by PIO
Views & opinions expressed are those of the author and/or PIO
