On 19 September 2019, the Polish Personal Data Protection Office (“UODO”) announced the imposition of its highest fine to date for violation of personal data protection regulations.
Morele.net Sp. z o.o., an online retailer, reported that it was the victim of a cybercrime and that the data of about 2.2 million customers, including their names, email and delivery addresses, and phone numbers, was compromised.
The breach was revealed in December 2018 and has cost the company a fine of over $725,700 (EUR 660,000). Hackers used the stolen data in a phishing attack: customers were sent a link to a fake store page where they were instructed to pay an allegedly missing sum of money for purchases previously made in the Morele.net store.
The company reported the case to law enforcement authorities and notified the UODO. Morele.net also informed its customers about the incident. After an investigation, the UODO determined that the organizational and technical measures used by Morele.net for data protection were not adequate to the existing risk related to the processing of its customer data, and that these inadequacies resulted in the unauthorized access.