The Spanish data protection authority AEPD fined an e-commerce company €1,090,000 following a data breach. Attackers gained access via an old IT system that was still connected to the internet – with outdated software, without security updates, without logging and without access control. The system was not actively in use but contained customer data.
The AEPD determined that the company violated the requirement for appropriate security under GDPR Article 32. A system without updates and without monitoring is by definition insecure. In addition, the company reported the breach late: it did not notify the AEPD within 72 hours, and affected customers were also not notified in a timely manner.
**Practical point:**
Create an overview of all systems connected to the network. If a system is not in active use, update it or disconnect it. Forgotten systems are open doors.
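As an added illustration (not part of the AEPD decision or the TechLaw.se write-up), the check below runs over a constructed asset inventory and flags systems that match the profile of the breached one: internet-facing, holding personal data, unpatched, unlogged or without access control. The `Asset` fields and the 90-day patch threshold are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Asset:
    """One entry of a (hypothetical) network asset inventory."""
    name: str
    internet_facing: bool
    in_active_use: bool
    last_patched: Optional[date]   # None = never patched / unknown
    logging_enabled: bool
    access_control: bool
    holds_personal_data: bool


def risk_findings(asset: Asset, today: date, max_patch_age_days: int = 90) -> List[str]:
    """Return the Article 32 style weaknesses observed on a single asset."""
    findings = []
    if asset.last_patched is None or (today - asset.last_patched).days > max_patch_age_days:
        findings.append("no recent security updates")
    if not asset.logging_enabled:
        findings.append("no logging")
    if not asset.access_control:
        findings.append("no access control")
    if not asset.in_active_use:
        findings.append("not in active use: update it or disconnect it")
    return findings


def triage(inventory: List[Asset], today: date) -> Dict[str, dict]:
    """Map asset name -> findings; 'priority' marks exposed systems with personal data."""
    report = {}
    for asset in inventory:
        findings = risk_findings(asset, today)
        if findings:
            report[asset.name] = {
                "priority": asset.internet_facing and asset.holds_personal_data,
                "findings": findings,
            }
    return report


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("legacy-shop-db", True, False, date(2019, 3, 1), False, False, True),
    Asset("web-frontend", True, True, date(2024, 1, 2), True, True, True),
    Asset("build-server", False, True, date(2023, 6, 1), True, True, False),
]
```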
Inspired by: AEPD (Spain) via TechLaw.se