On January 31, 2022, the Hellenic Data Protection Authority (HDPA) imposed a €6 million fine on Cosmote Mobile Telecommunications for violating the Law on the Protection of Personal Data and Privacy in the Electronic Telecommunications Sector and the General Data Protection Regulation (GDPR), following a reported data breach.
Details of the case
Greece’s largest mobile operator suffered a cyberattack in 2020, in which the unknown attacker used social engineering techniques to break into Cosmote systems and steal customers’ personal data, including rough positional data of 4.8 million users, as well as age, gender, plan, and average revenue per user for around 4.2 million of these subscribers.
The HDPA investigated the circumstances in which the incident took place and examined the legality of keeping the leaked records as well as the security measures applied.
The HDPA Investigation
The mobile operator reported the data breach to the HDPA and supplied the requested documents. However, the HDPA's investigation found that the parent company, Hellenic Telecommunications Organisation (OTE Group), should also have been part of the investigation, and that Cosmote had failed to include it.
Additionally, Cosmote mishandled the situation by failing to explain to the affected individuals the severity of the data breach and failing to implement appropriate data protection measures.
The HDPA investigation uncovered that Cosmote can legally keep call data for quality assurance reasons, for up to 90 days, and 12 additional months if the data has been pseudonymized.
However, in some cases, the pseudonymization process was not completed, and the data was held for longer than legally allowed.
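The retention rule just described, written out as a simple retention audit. This is an added example, not code from the HDPA decision or from Cosmote's systems; the column names, the 365-day approximation of "12 additional months", and the sample records are assumptions. The check treats a record as pseudonymised only when no direct identifier survives in it, which is the failure mode the decision describes (pseudonymisation started but not completed).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RAW_RETENTION = timedelta(days=90)             # call data kept for quality assurance
PSEUDONYMISED_EXTENSION = timedelta(days=365)  # "12 additional months" (assumed as 365 days)
DIRECT_IDENTIFIERS = {"msisdn", "imsi", "name"}  # assumed column names for direct identifiers


@dataclass
class CallRecord:
    record_id: str
    collected_at: datetime
    pseudonymised: bool          # what the system *claims*
    fields: dict = field(default_factory=dict)


def pseudonymisation_complete(rec: CallRecord) -> bool:
    """A record only earns the extended retention if no direct identifier remains."""
    return rec.pseudonymised and not (DIRECT_IDENTIFIERS & set(rec.fields))


def allowed_until(rec: CallRecord) -> datetime:
    """Latest date the record may still be held under the 90-day / +12-month rule."""
    limit = RAW_RETENTION
    if pseudonymisation_complete(rec):
        limit += PSEUDONYMISED_EXTENSION
    return rec.collected_at + limit


def audit(records: list[CallRecord], now: datetime) -> list[str]:
    """Return ids of records held beyond their permitted retention at time `now`."""
    return [r.record_id for r in records if now > allowed_until(r)]


# Constructed sample data (not real subscriber records).
AUDIT_TIME = datetime(2021, 6, 1)
SAMPLE_RECORDS = [
    CallRecord("r1", datetime(2021, 4, 1), False, {"cell_id": "A1", "msisdn": "0000"}),
    CallRecord("r2", datetime(2020, 12, 1), True, {"cell_id": "B2", "token": "t-42"}),
    # flagged as pseudonymised, but the MSISDN was never removed: pseudonymisation incomplete
    CallRecord("r3", datetime(2020, 12, 1), True, {"cell_id": "C3", "msisdn": "0001"}),
    CallRecord("r4", datetime(2021, 1, 15), False, {"cell_id": "D4", "msisdn": "0002"}),
]

if __name__ == "__main__":
    print("over-retained:", audit(SAMPLE_RECORDS, AUDIT_TIME))  # → ['r3', 'r4']
```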
The HDPA’s decision
When determining the final value of the fine, the Authority considered the long duration of the infringement, the number of affected individuals, and other factors.
Taking all this into account, the HDPA issued a €6 million fine to Cosmote Mobile Telecommunications for violating the GDPR on multiple counts and fined OTE Group €3.2 million for insufficient security measures resulting in a data breach.
Read the HDPA press statement available in Greek.