Postel S.p.A. – €900,000 Fine (Italy, 2024)
Postel S.p.A. was fined €900,000 after a cyberattack leaked sensitive employee data. The Italian data protection authority found that the company did not provide enough detail about the breach when notifying it. The case underlines the importance of complete and thorough communication with the authority when reporting a data breach.
What happened
An unauthorized person accessed Postel's servers and leaked sensitive employee data online.
Who was affected
Around 25,000 employees and job applicants had their sensitive data compromised in the breach.
What the authority found
The authority ruled that Postel's notification of the data breach lacked necessary details required by GDPR.
Why this matters
This ruling highlights the need for companies to provide complete information when reporting data breaches. Businesses should ensure they understand their reporting obligations under data protection laws.
The controller is a subsidiary of Poste Italiane, Italy's main postal services company. In August 2023, an unauthorised person gained access, through a ransomware cyberattack, to the controller's servers, which contained data on the controller's employees and job applicants (around 25,000 data subjects). These files, which were afterwards published on the dark web, contained not only names, surnames and dates of birth, but also data on the trade union membership and health of the data subjects, thus falling within the scope of Article 9 GDPR, as well as data relating to criminal convictions and offences (Article 10 GDPR).

On 17 August 2023, the controller notified the data breach to the DPA. On 13 October 2023, the DPA requested further details about the data breach, arguing that the first notification lacked some of the elements provided for by Article 33(3) GDPR. The controller pointed out that the data breach had occurred due to two vulnerabilities in its IT system.

First, the DPA held that the notification lacked some of the elements provided for by Article 33(3) GDPR. The DPA pointed out that, in line with Recital 87 GDPR, a notification made to the DPA must contain adequate and exhaustive information about the data breach. According to the DPA, the purpose of the notification is to allow the DPA to exercise its powers and restore a high level of protection of personal data. In the case at hand, for example, the notification contained no information about which servers were impacted or which vulnerabilities were used to access the system. Moreover, the controller did not refer to any measure taken to mitigate the adverse effects of the data breach, even though this is required by Article 33(3)(d) GDPR. The DPA therefore found a violation of Article 33 GDPR.

Second, the DPA noted that the data breach could occur because of two vulnerabilities present in the Microsoft Exchange platform, allowing the unauthorised third par
Related Enforcement Actions (0)
No other enforcement actions found for Postel S.p.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 July 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€900,000
GDPRhub ID
gdprhub-8508
Cite as: Cookie Fines. Postel S.p.A. - Italy (2024). Retrieved from cookiefines.eu