Data breach fairy tale
In 2018 the biggest Polish online retailer, Morele.net (founded in 2000), lost the data of 2.2 million customers, including names, email and delivery addresses and telephone numbers. On 19 September 2019 it received a fine of EUR 660,000, the highest fine in Poland we have heard of to date. The Polish data protection authority (UODO) identified poor monitoring of potential threats and a slow reaction to unusual behaviour. Additionally, Morele.net was not able to demonstrate customer consent where it should have been.
According to ENISA, 60% of companies which suffer a cyber attack stop operations within 6 months of the attack. For smaller entities this happens even faster. In the case of Morele, since 2018 it has taken strategic actions to rebuild, strengthen and improve its infrastructure security:
- two-step verification when changing the email address and phone number assigned to the user's account;
- changing the hashing method and hashing sensitive data;
- expanding the monitoring of internal systems;
- additional anti-bot verification.
At the beginning of 2019, customers also received access to the morele.net application, and for the changes introduced in visual communication on the website the company received a nomination for the prestigious Mobile Trends Awards 2018 in the category "mobile or RWD website" for the redesign of the mobile website and in the stores belonging to the company.
Risen from the ashes, it has stayed afloat and has already announced an appeal against the UODO decision.
And this is not only Morele's story. There are still online retailers which have not grasped the importance of protecting the data their customers entrust to them. It is they who are responsible for pro-active interest and activity towards privacy, security and protection by default, not the consumer, who is nevertheless expected to assess the retailer. There is a category of consumers who are not well aware of internet life and its rules; retailers know this and should be responsible for those people's safety. For anyone who does not want to learn the hard way, this is another good practical example which should effectively discourage violating personal data protection provisions in future.
Author: Marina Briškena, DPO