Order of Psychologists of Lombardy a flaw gave access to data of several patients including minors and members subjected to disciplinary measures 30 thousand euro fine from the Privacy Guarantor

pThe Privacy Guarantor has fined the Order of Psychologists of the Lombardy Region for 30 thousand euros for not having adopted adequate technical and organizational measures to guarantee data security
The Guarantor intervened following some complaints and the notification of data breach made by the Order which declared to have been hit by a sophisticated ransomware attack carried out by a group of cybercriminals The violation involved the unauthorized access to the Orders computer network the encryption and exfiltration of numerous documents containing in particular personal data of members of the Register subjected to disciplinary proceedings and of several patients including minors and other persons involved in various capacities
The attack also affected data belonging to special categories such as those revealing racial or ethnic origin religious or philosophical beliefs trade union membership sexual life or orientation health as well as data relating to criminal convictions and offences Therefore the data subjects were exposed to risks of discrimination identity theft fraud reputational risks and other prejudices in the economic and social sphere
After the ransom was not paid the cybercriminals published the exfiltrated data on the dark web However the availability and integrity of the personal data were not compromised and were recovered thanks to the procedures and backup systems
The investigation by the Guarantor revealed that the Order had not adopted adequate measures to promptly detect violations of personal data and to guarantee the security of the processing systems The sanction was imposed taking into account the seriousness and particularly sensitive nature of the data involved
However the collaboration of the Order was recognized which communicated that it had adopted additional security measures to prevent future attacks and improve the protection of the personal data processedppThe disciplinary measures are as followsppProvision of 29 April 2025ppRegister of measures
n 271 of 29 April 2025ppTHE GUARANTOR FOR THE PROTECTION OF PERSONAL DATAppIN todays meeting attended by Prof Pasquale Stanzione president Prof Ginevra Cerrina Feroni vicepresident Dr Agostino Ghiglia and the lawyer Guido Scorza members and Dr Claudio Filippi the acting secretary generalppHAVING SEEN Regulation EU 2016679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 9546EC General Data Protection Regulation hereinafter RegulationppHAVING SEEN Legislative Decree no 30 of 2003 June 196 containing the Personal Data Protection Code containing provisions for the adaptation of national legislation to Regulation EU 2016679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data as well as on the free circulation of such data and which repeals Directive 9546EC hereinafter CodeppHAVING SEEN Regulation no 12019 concerning internal procedures having external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data approved with resolution no 98 of 4 April 2019 published in the Official Journal no 106 of 8 May 2019 and in wwwgpdpit web doc no 9107633 hereinafter Regulation of the Guarantor no 12019ppHaving seen the documentation in the filesppHaving seen the observations made by the Secretary General pursuant to art 15 of the Regulation of the Guarantor n 12000 on the organization and functioning of the office of the Guarantor for the protection of personal data web doc n 1098801ppSpeaker lawyer Guido ScorzappWHEREASpp1 IntroductionppOn 19 October 2023 the Order of Psychologists of the Lombardy Region hereinafter the Order notified the Authority pursuant to art 33 of the Regulation of a personal data breach which occurred on 3 October 2023 concerning unauthorized access to the computer network data encryption on servers and deletion of data from backup NAS see notification of 19 October section F point 8ppSubsequently on November 20 2023 the Order supplemented the aforementioned notification declaring that it had been the victim of a sophisticated ransomware attack by the criminal association NoEscape which resulted in unauthorized access to the Orders computer network data encryption and subsequent deletion of backups which were however subsequently recovered on October 10102023 7 when the Owner became aware of the malicious source of the anomalies found in the previous days following the receipt of an email from csirtpecacngovit indicating the reference to a link on Onion that redirected to a page where the publication of 18GB of data was threatened Subsequently following the failure to pay the ransom the cyber criminals published the exfiltrated data on the dark web on October 31 and October 2023 XNUMXppIn this regard the Order stated that it can exclude the loss of integrity and availability of the data since all the archives have been completely restored thanks to the saves made in the cloud of a supplier and the presence of backups on external USB drives stored in a safe Furthermore the malicious agent was able to encrypt and exfiltrate only 69 GB compressed 45 GB this quantity is only small compared to the overall size and amount of data contained in the Orders archives which corresponds to hundreds of GB which were not impacted In fact only some folders containing files were impacted not all of them Furthermore the Data Controller has no evidence that other data other than those published on the dark web were accessed by cyber criminals and these in their communications have always referred only to the data subsequently published on the dark web see notification of 20 November section F point 7 and G point 14ppThe Order also stated that the data subjects involved in the cyber attack were 3000 and that the impact of the breach is high with exclusive reference to the data of data subjects involved in disciplinary proceedings and to the persons cited in the same proceedings which represent only a very limited part of the breached data quantifying such proceedings at 159 most of which concern the last two years while for other older proceedings the documentation concerns only the parties involved and the measure adopted The Order however considered in relation to the employees and the only three collaborators of the Data Controller whose identity documents were exfiltrated that the severity was medium see notification of 20 November 2023 section F point 13 and G point 3ppFrom the documentation in the files it emerges that the breach involved approximately 15000 records of personal data including personal details contact details payment details data relating to identityrecognition documents covered by professional secrecy as well as data belonging to special categories see art 9 of the Regulation and 2sexies of the Code such as data revealing racial or ethnic origin religious or philosophical beliefs trade union membership sexual life or sexual orientation state of health as well as data relating to criminal convictions and offences see art 10 of the Regulation and 2octies of the Code This with the consequence that the interested parties were exposed as assessed by the Order and declared in the notifications of the breach to risks of loss of control of the data discrimination identity theft fraud damage to reputation knowledge by unauthorised third parties and significant economic and social damageppWith reference to the measures in place at the time of the violation the Order declared that it carried out constant checks on the updates of the operating systems of the server and client stations of the firmware of the network devices and that it adopted a correctly configured and monitored authentication system antivirus on all stations local saves on two NAS located in the two offices a cloud backup no 5 USB HDs in a safe at the office and two USB HDs kept in a safety deposit box at the institutes bank see notification of 19 October 2023 section F point 9 Furthermore the Order had adopted the following measures i firmware of the network devices ii correctly configured and monitored authentication system iii antivirus reset end point on all workstations iv local saves on two NAS located in the two offices v a cloud backup with a thirdparty supplier vi no 5 USB HDs in a safe at the Owners office and two USB HDs kept in a safety deposit box at the bank of the institution a VPN Virtual Private Network for the connection to the Orders systems All these measures were constantly monitored and updated The Order detailed these measures in a note dated 19 January 2024 pages 2 4ppWith reference to the measures adopted following the violation the Order stated that it took action to better understand what had happened and recover the backup copies physical and cloud of the data residing on its servers having promptly involved a thirdparty supplier in the restoration activities and proceeded to i disable all rules on the firewall that allowed external access to the XX machine containing the software of the Register of Psychologists in the terminal server ii block all active VPNs and add rules that blocked all traffic to and from the network from 2100700 pm to 310720231 am iii change the password starting from the domain server and then on the ESX servers containing the virtual machines In the meantime it had already proceeded to create a new virtual machine on which a backup software was installed Once the operation was completed the virtual server that acts as Domain Controller was restored using a backup copy present on a physical disk locked in a safe with data backup 234 Thanks to some cloud backups at a thirdparty provider and some physical backup disks in a safe and in the safety deposit box at the Orders reference bank the Owner was able to restore the data by recovering the deleted data thanks to the cloud and physical backups bringing the situation back to the day before the attack Therefore the loss of availability and integrity of the data was only temporary thanks to the completed recovery activities Furthermore tests were then carried out in order to understand the anomalies found and the nature of the event installing a specific monitoring software on all machines including its own servers Subsequently we proceeded to 20 successfully restore the data also allowing the use of cloud applications 2023 restore the XX server ie the Owners file server 1 realign the PCs of users who were not present in the previous days recover the NAS backups present on site change the passwords of new users XNUMX after obtaining confirmation from the thirdparty provider about the fact that once all the data had been copied the Data Controller could proceed with the deletion of the encrypted files i delete the encrypted files from the server at the Casa della Psicologia after copying them to NAS and ii start the creation of a new virtual machine on the ESX server of the Casa della Psicologia When the data were published on the dark web the Data Controller carried out online verification activities also on the dark web trying to identify the possible presence of data attributable to the archives subject to encryption and deletion and to reconstruct the impacted personal data see notification of XNUMX November XNUMX section H point XNUMXppIn relation to the technical and organizational measures adopted to prevent similar violations in the future the Order stated that after having restored the data and deleted the encrypted copies it implemented measures such as i the creation of VPN accesses with certificates in place of the old local users ii carrying out functional tests and iii modifying the connection rules of VPN users on the Orders network limiting their access to only the necessary servers Furthermore the new backup agent was installed on the XX server and the backup was reconfigured both on the cloud and on the 4 NAS The Order is taking steps to adopt a new cloud application for managing the register of members of the order and is evaluating the purchase of an application that in addition to collecting log files also performs an analysis function and provides for the sending of alerts to the ADS The Data Controllers IT representatives have restored all the archives and are preparing a plan to optimize the appropriate measures that were already in place at the IT structure of the order by adopting more stringent measures in reference to the categories of particular data such as the adoption of a multifactor authentication system MFA and the encryption of archives The adoption of monitoring software to identify potentially critical situations and alert the ADS and a solution that allows to guarantee the integrity of onsite backups and rapid data recovery in addition to the measures already adopted see notification of 20 November 2023 section H point 2ppWith regard to the communication of the breach to the interested parties the Order in the supplementary notification stated that it would make the communications to the interested parties by 24112023 for the whistleblowersreported persons and individuals cited in the proceedings and that it would make such communications also for the benefit of the employees and the 3 collaborators mentioned above as a precaution In particular the Order stated its intention to send a communication via email with reference to the whistleblowers and reported persons relating to the proceedings from 2018 to today who can be reasonably traceable and stated that the breach will be communicated directly to 334 interested parties a number that includes the traceable persons involved in the disciplinary proceedings 13 employees and 3 suppliers while in relation to the other interested parties the Data Controller will publish a public communication on its website as in accordance with Article 34 paragraph 3 of the Regulation sending a communication to the interested party would require disproportionate efforts In this regard three types of communications have been produced 1 Individual communication for those reporting and those reported in disciplinary proceedings who are identifiable 2 Communication published on the site in relation to individuals to whom it is not possible to send a communication 3 Individual communication for employees and 3 collaborators whose identity documents have been exfiltrated see notification of 20 November 2023 section L points 3 and 4ppFinally the Order declared that it had communicated the personal data breach to the interested parties pursuant to art 34 of the Regulation on 23112023 to the interested parties who presented a high level of risk with reference to the Incident ie those reported and those reporting in the context of disciplinary proceedings as well as the employees of the Order see note of 19 January 2024 page 11 by means of an individual communication and in relation to the other interested parties by means of a public communication on its website since in accordance with Article 34 paragraph 3 of the Regulation sending a communication to the interested party would require disproportionate efforts see notification of 20 November 2023 section L point 3ppIn relation to the personal data breach in question two complaints pursuant to art 77 of the Regulation and one report pursuant to art 144 of the Code have been submitted to the Guarantorpp2 The investigative activityppIn response to a request for information from the Authority note prot no 016845323 of 21 December 2023 the Order with a note dated 19 January 2024 prot 0001441 integrated the information regarding the technical and organizational measures put in place to prevent similar violations in the future stating that it has adopted a plan which includes the installation of a software tool for detecting threats to data security a new segmentation of the network to strengthen its protection against cyber attacks isolate any attacks and prevent them from spreading on the network and infecting other servers and devices new backup procedures and airgaps between production and backup highlighting the reliability of the multilevel data backup system in place at the time of the violation see note dated 19 January 2024 pages 4 5ppFollowing a further request for information from the Authority note prot no 006783624 of 4 June 2024 the Order with note dated 19 June 2024 prot no 0009014 provided a copy of an analysis carried out by an external consultant from which it emerged that the NoEscape group published on their leak site a 7zip archive divided into three parts and that the size of the 5 published data amounts to 416GB and contains Identity cards and passports Confidential agreements Contracts Bank documents Data related to their customers Internal reports see Incident Response Report IR v11 attached to the note dated 19 June 2024 page 20 hereinafter incident reportppWith a note dated 16 October 2024 ref no 0120794 the Office on the basis of the elements acquired the checks carried out and the facts that emerged following the investigative activity notified the Order pursuant to art 166 paragraph 5 of the Code the initiation of the procedure for the adoption of the provisions referred to in art 58 paragraph 2 of the Regulation for having failed to adopt adequate measures to promptly detect violations of personal data and guarantee the security of the same in violation of arts 5 paragraph 1 letter f and 32 paragraph 1 of the Regulation With the same note the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority art 166 paragraphs 6 and 7 of the Code as well as art 18 paragraph 1 of law 24 November 1981 n 689ppWith a note dated November 15 2024 the Order through its lawyers submitted a defense brief declaring in particular thatpp the Order despite the significant economic restrictions has implemented its own security measures in compliance with the guidelines of the Agency for Digital Italy AgID referred to in Circular no 22017 of 18 April 2017 relating to the minimum ICT security measures for public administrations without prejudice to the fact that the Order periodically updates these measures in order to guarantee an adequate level of IT security in line with progressive technological developmentpp the combined provisions of Articles 5 paragraph 1 letter f and 32 paragraph 1 of the Regulation provide does not provide a numerus clausus of measures that must be adopted peremptorily On the contrary the implementation of specific security measures depends on the level of risk posed by the specific processing as well as on the technological evolution of the sector and on the implementation costs and resources actually available for their implementationpp in the case of public administrations however an indication of the expected security measures is provided by the AgID Circular which provides for the following three levels of security minimum standard which can be assumed as a reference basis for the majority of public administrations high pp the Order as a noneconomic public body and therefore a public administration pursuant to Legislative Decree 1652001 subject to the jurisdiction of AgID has adopted its own security measures in line with the provisions of the AgID Circular conforming to the standard level referred to in letter b pp this level of security is to be considered adequate considering the actual level of risk for the Orders systems in light of the following circumstances a the activities carried out by the Order do not fall within the definition of essential services for citizens as per the AgID Circular b from an organizational perspective the Order is not among the public administrations which due to their size and economic capacity present a high level of riskpp the Order is a noneconomic public body with limited capacity for support with only 13 employees The Order does not receive state subsidies and its economic resources derive only from payments made by members Nonetheless the Order has always paid particular attention to the issue of cybersecurity allocating on average 57 of its annual turnover to the management of its technological resources and infrastructure in line with the market standard pp therefore the adoption of higher level measures would have entailed a disproportionate burden on the Order pp with regard to the failure to adopt a suitable socalled alert mechanism for the timely identification of any anomalies on the Orders systems it is specified that the Order had already implemented a firewall to protect its corporate perimeter which is able to detect logs and RDP Remote Desktop Protocol connection attempts from the outside including any attempts at unauthorized access to the corporate network In particular the logs collected by the firewall were archived on the Orders infrastructure servers and sent to an archiving mechanism in order to have a double copy of the logs Furthermore the control of these logs was entrusted to the Orders employees who periodically monitored the firewall logs in order to identify any suspicious accessespp these measures were therefore overall suitable for promptly identifying a data breach for two main reasons being in line with the AgID Circular which for the prompt identification of breaches considers it sufficient to adopt inter alia measures that provide for the recording of any anomaly with respect to normal network traffic to allow for its offline analysis In fact according to AgID the adoption of DLP Data Loss Prevention mechanisms capable of autonomously identifying suspicious situations and sending an alert is to be considered a highlevel measure to which the Order is not required to comply Furthermore the adoption of a more advanced alert and log monitoring mechanism would have required an investment in terms of economic and work resources disproportionate for the Orderpp to ensure constant monitoring of the alerts detected the Order should also have sufficient qualified personnel to carry out this activity including on weekends and at nightpp in any case as soon as the Data Breach occurred the Order started a process aimed at increasing the security level of its systems within the limits of the economic resources at its disposal In particular a software was installed that allows alerts to be received when Active Directory configurations change or in the event of access to systems with particular userspp by virtue of the characteristics and the methods of carrying out the attack the mechanism itself would not have been effective in preventing the occurrence of the violation andor in ensuring its more timely identification In fact the prerequisite for the alert mechanism in question to function is that the attackers generate anomalous traffic due to the volume geographical origin or time period of the accesses Where such anomalous traffic is missing the alert mechanism would therefore not be able to identify suspicious situationspp the attack suffered by the Order is of the brute force type ie the attackers repeatedly attempted to access the Orders IT resources using the access credentials of some users pp no outgoing traffic peaks were recorded that would have generated any alerts in light of the following circumstances a the RDP Remote Desktop Protocol connection attempts from outside occurred over the weekend or during the evening hours b the access attempts did not occur in a massive manner but rather spaced out over time and avoiding access from blocked countries c the attackers had samples of the organizations files at their disposal that allowed them to access the systems with the Orders credentials and d the traffic generated by the attackers was below the threshold as it was quantified as a maximum of 5GB divided into several days while the average traffic on the Orders systems is between 10 and 20 GB depending on the activities including maintenance and updates carried out dailypp in fact it is not uncommon for the Order to carry out activities and events that require access to the systems even during the weekend and in the evening Consequently the mere presence of traffic at night or during the weekend which is also below the threshold could not constitute evidence of the presence of illegitimate access since it is plausible that legitimate users were connected to the Orders network This is without considering that a detection of anomalous traffic does not necessarily coincide with an ongoing violation of personal data which could instead require as in the case at hand a long time to be confirmedpp thanks to the particular evasive techniques with which the attack was perpetrated the attackers would have still managed to avoid any alert mechanisms pp as regards the failure to adopt a multifactor authentication system it is specified that the Order at the time the data breach occurred had implemented a correctly configured and monitored authentication system in line with the provisions of the AgID Circular In this regard in fact the AgID Circular requires the implementation of a double authentication factor as a socalled high level measure not standard only for privileged users and the attribution of administrative rights considering the alternative measure of password strength that was correctly adopted by the Order as equivalent In particular at the time of the events the system used to authenticate the Orders users and to access the domaincertified systems ie workstations and servers was based on Active Directory of company name through the use of the VPN Virtual Private Network of company name to ensure the security of the connection to the Orders systems Furthermore access to the users PC occurred through two steps ie the insertion of the disk encryption password as well as the various domain credentials Finally specific credentials to be used in the authentication and IT authorization processes with reference to the data and email servers were assigned to the Orders employees Not only that the credentials assigned had to in any case comply with the robustness requirements set out in the AgID Circular In particular the passwords had to be 14 characters long and could not be reused multiple times In fact the system prevents users from reusing a password already used in the past to access the same IT systempp the Order has now added a double computer authentication procedure based on i use of username and password already present ii certificate with double authentication and iii application of device trustpp in any case the access by cybercriminals to the computer systems did not appear to have occurred through the theft of access credentials but rather due to a bug in the system that was promptly resolved by the Orderpp as for the inadequate segmentation and storage of authentication credentials there are no reasons why the segregation mechanism implemented by the Order should be considered inadequate nor on the concrete role that such a system would have had in the context of the Breach of personal data In fact the AgID Circular merely provides for the storage of credentials in order to guarantee their availability and confidentiality and in the event that digital certificates are used for authentication to guarantee adequate protection for private keys These requirements are therefore respected by the Orderpp as a rule the failure to segment passwords or their inadequate conservation are mainly relevant in the case in which the attack occurs through the introduction of malware into the system In this case the failure to segment prevents the isolation of the threat thus potentially leading to the propagation of the malware throughout the IT infrastructure In this case however the ransomware did not propagate to other systems as the Order blocked the attack and the encryption before it could extend to servers other than those to which the attack was directed Consequently the failure to segment had no impact on the attack and its failure to adopt it cannot therefore be considered contestablepp following the occurrence of the Data Breach the Order has nevertheless introduced a new additional network segmentation which will allow for the isolation of any attacks to prevent them from spreading across the network and infecting other servers and devices and to ensure that the devices on the management network cannot be reached from the LAN network unless rules are activated on the firewall only if necessarypp as regards the contested failure to protect credentials with stateoftheart cryptographic algorithms it is essential to clarify that i the email domain oplit and the Active Directory domain used to access the Orders internal servers reside on different servers the first on servers external to the Order oplit while the second on the Orders internal servers opllan ii the analysis conducted only concerned what was present on the dark web and detected vulnerabilities only in the Orders external domain oplit and iii the credentials analysed refer exclusively to the email domain and do not in any way allow access to the Orders internal systemspp therefore it is completely irrelevant that some of the aforementioned credentials were classified as critical and high since they belonged to email addresses that could not be used to access the Orders internal systems Moreover only 3 out of 12 users were employees of the Order and none of them had a password classified as critical or high Many of the exposed credentials were in fact obsolete or invented Consequently the alleged failure to encrypt such credentials appears to be completely unrelated to the dynamics of the attackpp the credentials used to access the Orders internal systems were protected by stateoftheart cryptographic algorithms In fact access to the servers was via Active Directory which uses encryption by default Finally in order to introduce an additional element of protection the disks of the users computers were encrypted requiring an additional initial password for access These encryption measures are in line with the AgID Circular which provides for the obligation to carry out an analysis of the data to identify those with particular confidentiality requirements relevant data and in particular those to which cryptographic protection should be appliedpp it is appropriate to note the irrelevance of the reference made by this Authority to the Cryptographic Functions Guidelines Password Conservation adopted with provision no 594 of 7 December 2023 web doc no 9962283 as they had not yet been adopted at the time the contested facts occurredpp the Order is evaluating the adoption of an encryption system in line with the requirements set by the Guarantor as well as by EU Directive 20222555pp the contested conduct i involved a small number of data subjects and personal data compared to those present in the Orders system 69 GB out of a total of 350 GB ii generated a high risk to a limited number of data subjects and the Order notified the data subjects impacted by a higher risk on an individual basis while for the others it published an announcement freely available on its website iii only resulted in a loss of confidentiality without affecting the integrity and availability of the data the compromise of which was only temporary thanks to the actions undertaken by the Order to limit the negative effects and the presence of information backups iv did not significantly impact the Orders systems pp in order to improve the detection of violations and the security of systems as well as to prevent similar attacks in the future the Order has taken steps to i create certified VPN accesses ii adopt a multifactor authentication MFA system iii define more stringent password policies iv block nighttime access to the network v deactivate all access to the servers and introduce stricter rules for access vi control the geolocation of external accesses vii introduce further segmentation of the network to isolate any new attacks and prevent them from spreading on the network and infecting other servers and devices viii reconfigure existing network switches ix limit remote access via VPN x implement new immutable backup systems xi implement an airgap between the production environment and backup xiii modify the connection rules of VPN users encrypt archives and adopt a new cloud application for management of the Registerpp the severity of the impact of the breach is high with exclusive reference to the subjects to whom the disciplinary proceedings exfiltrated refer and to the persons cited in the same proceedings which represent only a very limited part of the data obtained illicitly ie 159 proceedings In relation to the personal data of the employees involved in the Data Breach however the only special categories of personal data impacted concern the union membership of such employees due to the presence only of payment receipts for membership fees Finally with regard to the other categories of data subjects involved in particular suppliers and other members of the Order not involved in disciplinary proceedings the information subject to the personal data breach is mainly in the public domain In general therefore the Data Breach did not involve the most sensitive data processed by the OrderppAt the hearing requested pursuant to art 166 paragraph 6 of the Code and held on 2 December 2024 see minutes prot no 0141629 of the same date the Order represented by its lawyers declared in particular thatpp the attack was particularly sophisticated and elusive and therefore even adopting more advanced alert systems would not have been possible to detect it in particular the data exfiltration about 5 GB occurred progressively at night and on holidays without ever exceeding the average daily traffic threshold about 10 to 20 GBpp although there is no specific evidence the circumstances of the attack seem to suggest that it was aimed at obtaining specific data and documents and commissioned by unidentified individuals who had an interest in gaining possession of such data and documents or in any case in causing damage to the Order that would impact them having moreover the individuals in question presumably knowledge of the Orders IT systems eg average traffic thresholdpp as regards the measures adopted to ensure the security of passwords which the Order believes were adequate it must be highlighted that given the abovementioned considerations regarding the small size of the Order and the scarce economic and organizational resources the Order could not afford to carry out activities such as for example vulnerability assessments and penetration tests or checks on the dark web aimed at preventively checking for any loss of confidentiality of credentialsppIn response to a specific reservation formulated during the hearing the Order again through its lawyers in a note dated 11 December 2024 declared in particular thatpp although in its defence brief the Order stated that the cybercriminals did not gain access to the computer systems by stealing access credentials but rather by a bug in the system that was promptly resolved by the Order it is appropriate to clarify that from a purely technicalIT point of view the term bug was used in the brief for a vulnerability of the systems that the cybercriminals exploited to gain illegitimate and easy accesspp specifically the compromised vector used by the attackers appears to be server XX which exposed the Remote Desktop Protocol RDP service from which external connections resulted throughout the attack ie from September 30 2023 to October 3 2023 with scans to detect the presence of any vulnerabilities However the first connection requests resulted as failed attempts to access the RDP The accesses however actually occurred in the final phase of the attack ie from 2312 pm on October 2 2023 to 0401 am on October 3 2023pp the RDP system is a system that allows remote access to a computer or server running on the same local network LAN allowing authorized users to view the screen and interact with the system as if they were physically present However to enable such remote connections RDP requires the opening of open and publicly visible ports This feature exposes RDP to external access by unauthorized partiespp in this case from what emerges from the Incident Response Report it must be considered that the attackers have i identified the vulnerability of the server that exposed the RDP service through active scans by automated agents or bots and ii attempted to access the system by exploiting credentials presumably obtained from the dark web or through other automated tools used to make repeated access attempts that generate random combinations of usernames and passwords until a valid one is identified socalled brute force attackpp in any case it must be excluded that the origin of the Breach of personal data is to be found exclusively in the exposed credentials relating to the domain oplit since the stolen credentials refer only to the email domain and did not in any way allow access to the Orders RDP system which instead is the system to which the cybercriminals actually had accesspp the email domain oplit and the Active Directory domain used to access the Orders internal servers reside on different servers ii the analysis conducted revealed vulnerabilities only in the Orders external domain oplit and iii the credentials used are email addresses that in some cases are not even associated with a valid account In fact only 3 out of 12 addresses appear to refer to employees of the Order while many of the exposed credentials were obsolete or invented and in any case not usable to access the RDP which appears to be the system to which the attackers actually had accesspp the analyses carried out on the elements and logs made available by the organisations technical contact allowed us to identify the probable entry vector specifically a server that exposed the Remote Desktop servicepp in light of the above access to the Orders IT systems occurred due to a vulnerability in an RDP access point of the Orders infrastructure although the attackers attempted to use credentials that in all likelihood they already had presumably via the dark web or generated through a brute force attackpp However the stolen credentials did not allow access to the Orders network ie the exposed RDP system Therefore even if the Order had adopted multifactor authentication solutions this would not have prevented the Personal Data Breach from occurringpp in any case the economic conditions of the Order did not allow it to sustain the cost of a dark web scanning service for the identification of stolen credentials and the execution of periodic vulnerability assessments and penetration testspp3 Outcome of the investigationpp31 The legislation on the protection of personal datappPursuant to art 5 par 1 letter f of the Regulation the processing of personal data must be carried out in accordance with the principle of integrity and confidentiality according to which personal data must be processed in a manner that ensures appropriate security including protection through appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss destruction or damageppBased on this principle art 32 of the Regulation provides that the data controller taking into account the state of the art the costs of implementation the nature scope context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk The data controller is the person responsible for implementing such measures and must be able to demonstrate that the processing is carried out in accordance with the Regulation see art 5 par 2 and 24 of the Regulation see the Guidelines 072020 on the concepts of controller and processor under the GDPR adopted by the European Data Protection Board on 7 July 2021 esp point 41pp32 Failure to take adequate measures to detect personal data breachesppAs shown in the documents in the file from the preliminary analyses of the logs of the FireWall installed to protect the company perimeter the following was found during the period between 30 September and 1 October 2023 numerous RDP Remote Desktop Protocol connection attempts from outside were detected addressed to the machine XX and XX and that from 2 October RDP sessions were recorded in the evening hours which lasted until 3 October therefore suggesting a persistent threat therefore it is probable that the illegitimate activities had started on 30 September 2023 and ended on the morning of 03 October 2023 with the execution of the Ransomware see Incident Response Report IR v11 attached to the note of 19 June 2024 pages 8 9ppOnly on 3102023 following the receipt of some reports from users of the Order who reported the impossibility of accessing the network the Order noticed the encryption of some servers and the deletion of backup data believing initially that this was due to a technical problem Subsequently only following an indepth analysis conducted by the System Administrator ADS concluded on 10102023 was it possible for the Data Controller to understand that the Incident represented a violation of personal data pursuant to the Regulation even though it did not yet have actual knowledge of the level of seriousness of the same Incident Response Report IR v11 attached to the note of 19 June 2024 pages 8ppThe Order had therefore not adopted any adequate measure to promptly detect violations of personal data based on anomalous behavior resulting from access to the company network such as for example the time and frequency of accesses usually at night their origin from IP addresses of foreign countries and from operations carried out with domain accounts with or without administrative privileges such as for example the deactivation of security measures or the termination of processes and services also due to the fact that to ensure constant monitoring of the alerts detected the Order should also have a sufficient number of qualified personnel to carry out this activity even on weekends and at night note of 15 November 2024 citppAs regards the defences put forward by the Order following the administrative violation charge it must be noted that as recently reiterated by the Guarantor see provisions of 17 July 2024 no 444 doc web n 10057610 the circumstance that the Order had adopted its own security measures in line with the provisions of the AgID Circular conforming to the standard level does not exempt in general the data controller from the obligation to carry out an assessment in concrete terms on the appropriateness of the measures adopted to guarantee the security of the processing taking into account the context in which it operates In particular the adoption of the measures indicated in the aforementioned guidelines which constitute moreover the minimum security measures for the Italian public administration keeping in mind the enormous differences in size mandate types of information managed exposure to risk and anything else that characterizes the over twenty thousand public administrations does not in itself guarantee compliance with the obligations in terms of security The aforementioned guidelines in fact have the purpose of indicating to public administrations the minimum measures for ICT security that must be adopted in order to counter the most common and frequent threats to which their information systems are subject starting from the set of controls known as SANS 20 in version 60 of October 2015 and ensuring the minimum level of protection in most situations keeping in mind the enormous differences in size mandate types of information managed exposure to risk and anything else that characterizes the over twenty thousand public administrations recommending that each administration identify within itself any subsets technical andor organizational characterized by homogeneity of security requirements and objectives within which to apply in a homogeneous manner the measures suitable for achieving the objectives themselves Specifically the Guidelines having been issued on the basis of the state of the art technical knowledge and cyber threats present in 2015 could not take into account the worsening of cyber risk in recent years also due to the spread and adoption during the COVID19 pandemic of technological methods and tools to allow the performance of activities work and nonwork remotely This change of scenario also given the significant increase in attacks by cybercriminals would have required a renewed assessment that weighed the new and much more serious risks associated with the processing for the rights and freedoms of the interested parties in relation to the adequacy of the measures adopted The aforementioned assessment not being able to be crystallized and therefore concluded at the time in which the treatments were designed should have been periodically carried out over time also in light of technological development this also in order to develop an awareness regarding the need to mitigate the risks deriving from violations of personal data Therefore the alleged compliance with the measures indicated in the aforementioned Agid Guidelines does not exhaust the obligation of the data controller to adopt adequate measures based on his own risk assessment ppFurthermore the defensive argument put forward by the Order cannot be accepted according to which taking into account the fact that the cyber attack in question was particularly sophisticated progressive data exfiltration at night and on holidays without ever exceeding the average traffic threshold any realtime alert mechanisms for the timely identification of any anomalies would have been in any case ineffective Such automatic mechanisms where appropriately configured and monitored in fact allow for the detection of events that precisely because of the particular precautions used by the attackers can escape human control highlighting certain events eg traffic at night or on holidays on days when no scheduled maintenance interventions are planned even if they are not statistically significant eg traffic in line with the average daily traffic thresholdppNor can the circumstance be relevant that as claimed by the Order the adoption of the aforementioned automated alert systems would have entailed a high and disproportionate economic cost for the Order being the same a public body with limited organizational and financial resourcesppIn this regard it must be considered that art 32 of the Regulation mentions the costs of implementation only among the factors that the data controller must take into account for the purpose of identifying the appropriate technical and organizational measures to address the risks that exist on the data being processed see art 24 of the Regulation This factor implies that the controller does not employ a disproportionate amount of resources where alternative less expensive but effective measures exist it being understood that the cost of implementation represents a factor to be taken into account in implementing data protection by design and not a reason to abstain from implementing it therefore the measures identified must ensure that the processing activity envisaged by the controller does not involve processing of personal data in breach of the Principles regardless of the cost of such measures Controllers must be able to manage the overall costs in order to effectively implement all the Principles and consequently protect rights European Data Protection Board Guidelines 42019 on Article 25 Data protection by design and by default adopted on 20 October 2020 paras 24 and 25 see also ENISA Guidelines for SMEs on the security of personal data processing December 2016 p 12 where it is highlighted that the reference to implementation costs should not be interpreted as an excuse for not acting but rather as an invitation to all stakeholders to simplify and reduce costs In this sense the approach to simplifying the notion of risk and adopting appropriate measures are essential for the correct implementation of this article or of art 32 of the RegulationppIt follows that when the data controller decides to adopt less expensive technical and organizational measures these must still be equally effective in mitigating the risks that exist on the data As in fact highlighted by the Guarantor implementation costs cannot be considered an element that authorizes the data controller to lower the level of protection that the measures must adequately ensure if anything they can constitute a factor to be taken into account when choosing between multiple solutions provision 17 July 2024 no 475 web doc no 10057648ppIn this case the Order cannot therefore invoke the limited nature of its organizational and financial resources to justify the failure to adopt adequate measures to address the risks arising from the processing it has implemented On the other hand following the breach of personal data in question the Order has decided to install a software tool for detecting threats to data security see note of 19 January 2024 page 4 thus the Entity having been able to bear the economic cost arising from the adoption of this measureppData controllers are then required to consider the implementation costs together with the additional factors covered by art 32 of the Regulation namely the state of the art the nature scope the context and the purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons see art 25 of the RegulationppAs for the state of the art it is a dynamic concept that cannot be defined statically with respect to a given point in time but should be subject to continuous assessment in the context of technological progress it imposes an obligation on controllers when determining appropriate technical and organisational measures to take into account current progress made by the technology available on the market with the consequence that controllers must be aware of technological progress and remain constantly updated on the opportunities and risks for processing in terms of data protection arising from technologies and on how to implement and update measures and safeguards that ensure effective implementation of the principles and the rights of data subjects taking into account the evolution of the technological landscape Guidelines 42019 on Article 25 Data protection by design and by default cit par 1820ppTaking into account as stated above the worsening of cyber risk in recent years the adoption of the aforementioned automated alert systems must be considered in the context of the processing in question a measure appropriate to the state of the art of technology and the current risk scenario The Guidelines 92022 on the notification of personal data breaches under the GDPR adopted by the European Data Protection Board on 28 March 2023 hereinafter the Notification Guidelines highlight in fact that the ability to promptly identify process and report a breach must be considered an essential aspect of the technical and organizational measures that the data controller and processor must implement pursuant to art 32 of the Regulation to ensure an adequate level of security of personal data par 41 see provision 17 July 2024 no 444 web doc no 10057610ppWith regard to the nature object context and purposes of the processing the Order should have duly taken into account the circumstance that in the context of handling disciplinary proceedings it may process personal data of vulnerable subjects patients minors including data relating to particular categories of data or criminal convictions or offencesppParagraph 2 of Article 32 of the Regulation specifies that in assessing the appropriate level of security account must be taken in particular of the risks presented by the processing which derive in particular from the destruction loss modification unauthorized disclosure of or unauthorized access whether accidental or unlawful to personal data Also in this regard the Order for the purpose of identifying the necessary technical and organizational measures should have considered the high risks for the interested parties that could have resulted from a possible disclosure of the aforementioned sensitive information in terms of consequences on the economic and social relations of the interested parties with particular regard to the family school or work environment as moreover emerges from the report and complaints receivedppIn light of the above considerations it must be concluded that the failure of the Order to adopt the aforementioned technical and organizational measures constitutes a violation of Articles 5 paragraph 1 letter f and 32 paragraph 1 of the Regulationpp33 Failure to adopt adequate measures to guarantee the security of processing systemsppIn partial rectification and clarification of the statements made during the investigation the Order integrating the statements made during the hearing stated that access to the Orders IT systems occurred due to a vulnerability in an RDP access point of the Orders infrastructure although the attackers attempted to use credentials that in all likelihood were already in their possession likely via the dark web or generated through a brute force attack specifying that the stolen credentials did not allow access to the Orders network ie the exposed RDP system Therefore in the opinion of the same even if the Order had adopted multifactor authentication solutions this would not have prevented the violation of personal datappHaving recalled what was highlighted in the previous paragraph 32 in relation to the provisions of the articles 24 and 32 of the Regulation with particular regard to the impossibility of invoking implementation costs to justify the failure to adopt the necessary technical measures to protect data and taking into account that the adequacy of the measures implemented by the data controller must be assessed on a casebycase basis on the basis of the different criteria provided for by these articles and the data protection needs specifically inherent to the processing as well as the risks induced by the latter see Court of Justice of the European Union judgments C68721 MediaMarktSaturn of 25 January 2024 par 38 and C34021 Natsionalna agentsiaza prihodite par 30 to 32 it must be noted that the processing carried out by the Order in the context in question would have required the adoption of technical and organizational measures appropriate to the state of the art in order to ensure the confidentiality of the personal data of the data subjects This as stated above also in light of the purposes of the processing also carried out in the context of disciplinary proceedings the high number of interested parties the sensitive nature of the personal data processed also belonging to particular categories and relating to criminal convictions and offences as well as the possible risks for the rights and freedoms of the interested parties including vulnerable subjects patients minors workersppThe investigation revealed however that the Order had not adopted adequate measures to guarantee the security of the processing systems In particular the Order had not adopted a multifactor authentication MFA system which could have prevented unauthorized access to the systems even in the event of compromised authentication credentials Only following the incident did the Order in fact deem it necessary to adopt a multifactor authentication MFA system see notification of 20 November 2023 section H point 2 and note of 19 January 2024 pages 4 5ppIt must also be noted that although the Order has declared that the credentials previously exfiltrated and present on the dark web were not used for the purposes of the attack in question as they related to electronic mail such credentials had not been adequately protected by encryption and it cannot be excluded that the attackers tried to use the same credentials or other similar credentials to perpetrate the attackppFinally from the statements made by the Order it emerges that the server that was the entry vector of the attack was equipped with an obsolete operating system XX whose vulnerabilities RDP service exposed on default port were exploited by the attacker to penetrate the Institutions infrastructureppIn light of the above considerations the failure to adopt at the time of the infringement adequate measures to guarantee the security of the processing systems constitutes a violation of Articles 5 paragraph 1 letter f and 32 paragraph 1 of the Regulationpp4 ConclusionsppIn light of the above assessments it is noted that the declarations made by the data controller during the investigation the veracity of which may be held accountable pursuant to art 168 of the Code although worthy of consideration do not allow for overcoming the findings notified by the Office with the act initiating the procedure and are insufficient to allow the archiving of the present procedure since moreover none of the cases provided for by art 11 of the Guarantor Regulation no 12019 applyppTherefore the preliminary assessments of the Office are confirmed and the multiple violation by the Order of Articles 5 par 1 letter f and 32 par 1 of the Regulation is notedppConsidering that the violation of the aforementioned provisions occurred as a result of a single conduct same treatment or treatments linked to each other Article 83 paragraph 3 of the Regulation applies pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation Considering that in the case in question the most serious violation relating to Article 5 paragraph 1 letter f of the Regulation is subject to the sanction provided for by Article 83 paragraph 5 of the Regulation as also referred to in Article 166 paragraph 2 of the Code the total amount of the sanction is to be quantified up to EUR 20000000ppIn this context considering in any case that the conduct has exhausted its effects given that as highlighted above the Order has declared that it has adopted the appropriate technical and organizational measures to prevent similar events in the future the conditions for the adoption of further corrective measures pursuant to art 58 par 2 of the Regulation do not existpp5 Adoption of the injunction order for the application of the administrative pecuniary sanction and the accessory sanctions articles 58 par 2 letter i and 83 of the Regulation art 166 paragraph 7 of the CodeppThe Guarantor pursuant to Articles 58 paragraph 2 letter i and 83 of the Regulation as well as Article 166 of the Code has the power to impose a pecuniary administrative sanction pursuant to Article 83 in addition to the other corrective measures referred to in this paragraph or in place of such measures depending on the circumstances of each individual case and in this context the Board of the Guarantor adopts the injunction order with which it also provides for the application of the accessory administrative sanction to be published in full or in extract on the website of the Guarantor pursuant to Article 166 paragraph 7 of the Code Article 16 paragraph 1 of the Guarantor Regulation no 12019ppIn this regard taking into account Article 83 paragraph 3 of the Regulation in this case the violation of the provisions cited is subject to the application of the administrative pecuniary sanction provided for by Article 83 paragraph 5 of the RegulationppThe amount of the aforementioned administrative pecuniary sanction imposed depending on the circumstances of each individual case must be determined by taking into due account the elements provided for in Article 83 paragraph 2 of the RegulationppTaking into account thatppeven though the Order had not adopted realtime alert systems for the timely identification of any anomalies it had at least implemented a firewall capable of detecting logs and RDP Remote Desktop Protocol connection attempts from the outside including any attempts at unauthorised access to the network entrusting some of its employees with the periodic monitoring of the same see art 83 par 2 letter a of the Regulationppthe data exfiltration occurred progressively that is generating traffic quantities of such a size as not to arouse suspicion at night and on holidays without ever exceeding the average traffic threshold which evidently for unknown reasons was known to the attackers see art 83 par 2 letter a of the Regulationppthe breach did not compromise the availability and integrity of the personal data processed by the Order see art 83 par 2 letter a of the Regulationppthe breach however involved a large number of personal data approximately 15000 records 69GB including personal data contact details payment details data relating to identityrecognition documents data belonging to special categories ie data revealing ethnic origin religious or philosophical beliefs trade union membership sexual life or sexual orientation health status data relating to criminal convictions and offences and covered by professional secrecy with the consequence that the numerous data subjects to whom they refer 3000 some of whom involved in various capacities in 159 disciplinary proceedings including vulnerable individuals minors patients workers were exposed to potential risks of discrimination identity theft fraud reputational risks and other prejudices in the economic and social sphere Article 83 paragraph 2 letters a and g of the Regulationpptaking into account the aforementioned risks to the rights and freedoms of the interested parties as well as considering on the one hand the current high level of cyber risk and on the other the state of the art in the IT security sector the conduct of the Order which consists in having failed to adopt the aforementioned technical and organizational measures to protect the data must be considered negligent without prejudice to the fact that the exfiltration and dissemination of the data are in any case attributable to malicious conduct carried out by a criminal organization NoEscape through a ransomware that has spread in relatively recent times art 83 par 2 letter b of the Regulationppit is believed that in this case the level of severity of the violation committed by the data controller is high see European Data Protection Board Guidelines 42022 on the calculation of administrative pecuniary sanctions under the GDPR of 24 May 2023 point 60ppThat said considering that the data controller although equipped with a limited organizational structure thirteen employees is a public body of regional importance which manages numerous members 25499 source wwwoplit it is believed that for the purposes of quantifying the sanction the following circumstances must be taken into considerationppthe violation which due to the nature of the data involved and the categories of interested parties to which they refer is characterised by particular gravity occurred as a result of the failure to adopt adequate technical and organisational measures for which the Order has a high degree of responsibility art 83 par 2 letter d of the Regulationppthe Order notified the Data Protection Authority of the personal data breach pursuant to art 33 of the Regulation and offered good cooperation with the Authority during the investigation having moreover adopted new technical and organizational measures aimed at strengthening the security of the processing and preventing any similar cyber attacks in the future art 83 par 2 letter f of the Regulationppthere are no previous relevant violations committed by the data controller art 83 par 2 letter e of the RegulationppOn the basis of the above elements assessed as a whole it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 30000 thirty thousand for the multiple violation of Articles 5 paragraph 1 letter f and 32 paragraph 1 of the Regulation as an administrative pecuniary sanction deemed pursuant to Article 83 paragraph 1 of the Regulation effective proportionate and dissuasiveppIt is also believed that pursuant to art 166 paragraph 7 of the Code and art 16 paragraph 1 of the Regulation of the Guarantor n 12019 it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor This as highlighted above in consideration of the particularly delicate processing context in which the violation occurred both due to the nature of the personal data being processed and the subjective characteristics of the interested parties among whom there are also vulnerable subjectsppFinally it is noted that the conditions set out in Article 17 of Regulation No 12019 existppGIVEN ALL THE ABOVE THE GUARANTORppdeclares pursuant to art 57 par 1 letter f of the Regulation that the processing has occurred in violation of art 5 par 1 letter f and 32 par 1 of the Regulation in the terms set out in the reasonsppORDERppto the Order of Psychologists of the Lombardy Region in the person of its legal representative protempore with registered office in Corso Buenos Aires 75 20124 Milan MI CF 97134770151 to pay the sum of Euro 30000 thirty thousand as an administrative pecuniary sanction for the violations indicated in the reasons It is represented that the offender pursuant to art 166 paragraph 8 of the Code has the right to settle the dispute by paying within 30 days an amount equal to half of the sanction imposedppENJOINSppto the aforementioned Order in the event of failure to resolve the dispute pursuant to art 166 paragraph 8 of the Code to pay the sum of 30000 thirty thousand according to the methods indicated in the attachment within 30 days of notification of this provision under penalty of the adoption of the consequent executive actions pursuant to art 27 of Law 6891981ppHASpp pursuant to art 166 paragraph 7 of the Code and art 16 paragraph 1 of the Regulation of the Guarantor n 12019 the publication of the injunction order on the website of the Guarantorpp pursuant to art 154bis paragraph 3 of the Code and art 37 of the Guarantor Regulation no 12019 the publication of this provision on the Authoritys websitepp pursuant to art 17 of the Regulation of the Guarantor n 12019 the annotation of the violations and the measures adopted in accordance with art 58 par 2 of the Regulation in the internal register of the Authority provided for by art 57 par 1 letter u of the RegulationppPursuant to Articles 78 of the Regulation 152 of the Code and 10 of Legislative Decree no 1502011 an appeal against this provision may be lodged before the ordinary judicial authority under penalty of inadmissibility within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroadppRome April 29 2025ppPRESIDENT
stationppTHE RAPPORTEUR
PeelppTHE ACTING SECRETARY GENERAL
FilippippPig ironppThe opinions expressed in this article are those of the authorppRead the latest news on wwwpresskititppLest we forget The problems that will arise in all of our lives from the improper use of electronic health record data explained by Barbara BalanzonippLest we forget Electronic health record there is a risk that our data will be fed to pharmaceutical companies lawyer FusilloppLest we forget The red thread that links WHO Agenda 2030 PNRR electronic health record explained by Dr Laura TeodorippLest we forget Electronic health record Who needs data that is 1012 years old Certainly not for us doctors we need new tests related to this specific moment Dr Roy De VitappYou may also be interested in The right to privacy is a human right and terms of service that force people to provide their most private data to any company or government in exchange for participation in the digital public square must become illegalppLest we forget Electronic health record to keep data hidden you have to pay and not deduct anything from taxespp ppfollow us on Facebook httpswwwfacebookcompresskititppFollow us on X httpsxcomPresskitppFollow us on Sfero httpssferomeuserspresskitquotidianoonlineppFollow us on Telegram httpstmepresskitppCopy the article if you want we only ask that you put a link to the original pieceppPRESS KIT
ONLINE DAILY
Registration Court of Busto Arsizio VA
No 0804 of 6 December 2004
ROC Registration 30430ppppDIRECTOR IN CHARGE CLEAR DOOR
EDITORIAL GRAPHICS EOIPSOIT
PUBLISHER EOIPSOIT
CONTACTS redazionepresskititp