The Privacy Guarantor has fined the Order of Psychologists of the Lombardy Region [Ordine degli psicologi della Lombardia] for 30 thousand euros for not having adopted adequate technical and organizational measures to guarantee data security.
The Guarantor intervened following some complaints and the notification of data breach made by the Order, which declared to have been hit by a sophisticated ransomware attack carried out by a group of cybercriminals. The violation involved the unauthorized access to the Order’s computer network, the encryption and exfiltration of numerous documents containing, in particular, personal data of members of the Register subjected to disciplinary proceedings and of several patients, including minors, and other persons involved in various capacities.
The attack also affected data belonging to special categories, such as those revealing racial or ethnic origin, religious or philosophical beliefs, trade union membership, sexual life or orientation, health, as well as data relating to criminal convictions and offences. Therefore, the data subjects were exposed to risks of discrimination, identity theft, fraud, reputational risks and other prejudices in the economic and social sphere.
After the ransom was not paid, the cybercriminals published the exfiltrated data on the dark web. However, the availability and integrity of the personal data were not compromised, and were recovered thanks to the procedures and backup systems.
The investigation by the Guarantor revealed that the Order had not adopted adequate measures to promptly detect violations of personal data and to guarantee the security of the processing systems. The sanction was imposed taking into account the seriousness and particularly sensitive nature of the data involved.
However, the collaboration of the Order was recognized, which communicated that it had adopted additional security measures to prevent future attacks and improve the protection of the personal data processed.
Read more about the ransomware attack by NoEscape in October 2023, the entity’s claims, and investigative results, as well as the required disciplinary measures at PressKit.it.