Hellenic SA: fine on a company for failure to implement technical and organisational measures resulting in unauthorised access by third parties

2 May 2024

Background information

  • Date of final decision: 28 February 2024
  • National case
  • Legal Reference (s): Article 5(1)(f)(Principle of integrity and confidentiality), Article 32 (Security of processing)
  • Decision: Infringement of the GDPR, administrative fine
  • Key words: non-compliance with technical and organisational measures, network vulnerabilities, unauthorised access, dark web, data breach, data breach notification, network intrusion, ransomware, security policy implementation, remote desktop, incident investigation, security review, privileged access escalation


Summary of the Decision


Origin of the case  

"HELLENIC POST SERVICES S.A.” (ELTA S.A.) has reported two breach incidents to the Hellenic Supervisory Authority (SA), in accordance with the GDPR. The first incident involves a breach of data encryption for the purpose of demanding ransom in the company's system, resulting from a malicious attack by third parties, while the second incident involves the leakage of personal data, which was subsequently published on the Dark Web.


Key Findings 

From the investigation of the incident, the Ηellenic SA found that the controller did not comply with the required technical and organisational measures and failed to ensure the implementation of the processing security policy. This failure resulted in breaches within the controller's system, including vulnerability scanning, unauthorized access to the system resources, execution of malicious processes, disabling of security software, and file encryption. 



A fine of 1% of the last available annual turnover was imposed on the data controller on the basis of criteria assessed in accordance with EDPB Guidelines 4/2022 on the calculation of administrative fines, i.e. the wide range of persons affected, the amount of the damage, the nature of the breach, the security policy omissions and the categories of data affected. Mitigating factors were the strengthening of the system’s security measures after the incident, the fact that the investigation of the incident was entrusted to a specialised company and that the company followed its instructions, the recovery of the data and the company’s adverse financial situation.


For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.