The Greek data protection authority has imposed fines of 5,850,000 EUR ($6.55 million) to COSMOTE and 3,250,000 EUR ($3.65 million) to OTE, for leaking sensitive customer communication due to a cyberattack.
As the agency says in an announcement, COSMOTE infringed at least eight articles of the GDPR, including violating its duty to inform affected customers of the true impact of the incident.
OTE (Hellenic Telecommunications Organization) and COSMOTE belong to the same entity, OTE Group, which is the largest technology company in Greece, offering fixed and mobile telephony, broadband, and network communication services.
The hacking incident
An internal investigation conducted by COSMOTE in 2020 revealed that a hacker social engineered one of its employees through LinkedIn and later used brute-forcing tools to derive the target’s account credentials.
According to the findings of the investigation, the adversary used a Lithuanian IP address for accessing one of OTE’s servers repeatedly.
The threat actor leveraged the account credentials to steal database files on five separate occasions. The size of the stolen data amounted to 48GB.
COSMOTE keeps call details on its servers for 90 days for service quality assurance, and maintains an anonymized version of the data for another 12 months for statistical analysis that helps in targeted service improvement.
As the data protection authority probe discovered, the anonymization process wasn’t properly done, and the data holding periods weren’t strictly respected.
The impact…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
