DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Mobile phone operator Cosmote and parent company OTE fined by Hellenic DPA over 2020 data breach slapped with fine over data breach

Posted on February 1, 2022 by Dissent

Ekathimerini reports:

Mobile phone operator Cosmote and parent company OTE have been slapped with fines of over 9 million euros by Greece’s Data Protection Authority over a breach of user records in September 2020.

Specifically, the watchdog fined Cosmote 6 million euros for failing to protect a file containing the call histories of thousands of customers from hackers and OTE another 3.25 million euros for failing to provide the necessary security infrastructure to prevent such an attack.

Read more at ekathimerini.com

English-language statement from the Hellenic DPA, issued yesterday:

Following a personal data breach notification (subscriber call data leakage between 1/9/2020 and 5/9/2020) by COSMOTE [MOBILE TELECOMMUNICATIONS SINGLE MEMBER S.A.], the  Hellenic DPA investigated the circumstances under which the breach took place and, in this regard, examined the lawfulness of record-keeping in relation to leaked data, as well as the security measures applied. This is about a file containing subscribers’ traffic data which, on the one hand, is retained in order to handle any problems and malfunctions for a period of 90 days from the date of making the calls and, on the other hand, it becomes “anonymised” (pseudonymised) and is kept for 12 months aiming to reach statistical conclusions about the optimal design of the mobile telephony network, once it has been enriched with additional simple personal data.

The investigation of the case revealed that COSMOTE had infringed the principles of legality (Articles 5 and 6 of Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector) and transparency due to the provision of unclear and insufficient information to subscribers (Article 5(1)(a) and Articles 13-14 of the General Data Protection Regulation – GDPR), as well as: (i) Article 35(7) of the GDPR due to poor data protection impact assessment; Article 25(1) due to poor anonymisation; Article 12(1) of Law 3471/2006 due to inadequate security measures taken, and Article 5(2), in conjunction with Articles 26 and 28, due to failure to allocate the roles of the two companies in relation to the processing in question. In addition, ΟΤΕ [HELLENIC TELECOMMUNICATIONS ORGANIZATION S.A.] was found to have infringed Article 32 of the GDPR due to inadequate security measures taken in relation to the infrastructure used in the context of the breach.

For the infringements found, and taking into account the criteria set forth in Article 83(2) of the GDPR, the Authority, on the one hand, fined COSMOTE a total of € 6,000,000, and imposed the sanction of stopping the processing and destroying the data, and, on the other, fined OTE a total of € 3,250,000.

Decision 4/2022 is available in Greek here.

No related posts.

Category: Business SectorCommentaries and AnalysesNon-U.S.Of Note

Post navigation

← Messages and user data from secret sharing app Whisper exposed online (again): report
Hackers Move $3.55B Worth of Bitcoin From 2016 Bitfinex Hack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.