Nearly PLN 3 million fine for an online store over a personal data breach


The UODO decision is now known.

The Personal Data Protection Office (UODO) imposed a financial penalty of PLN 2.8 million. This is the finale of the widely publicised leak of personal data of customers of the popular online electronics store.

"Dear customers, when in 2018 we fell victim to a cybercriminal who gained unauthorized access to the store's customer database, we immediately engaged the company's strategic resources in cooperation with the relevant services. The incident was reported to the Police and forwarded to the Personal Data Protection Office in accordance with the legislator's guidelines." – the company informs in a special statement, the full content of which you will find on this page.

Store representatives report that a number of system and process measures have been taken to strengthen infrastructure security. Among the changes already made: two-step verification when changing the e-mail address and phone number assigned to a user's account, a change of the hashing method and hashing of a larger set of data, extended monitoring of internal systems, additional anti-bot verification, and the option to purchase without registration.
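The statement says the hashing method was changed but not what the old or new scheme is. The block below is an added illustration, not the store's code, of how such a change is usually rolled out for passwords: stored hashes in an assumed legacy format (unsalted SHA-1, a common weak choice) keep working, and each one is transparently rehashed with a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the Python standard library) the next time its owner logs in. The user table, prefixes, iteration count and sample credentials are all constructed for the example; a real deployment would also expire legacy hashes that never get upgraded.

```python
import base64
import hashlib
import hmac
import os

# Assumed storage formats (not from the article): a legacy unsalted SHA-1 hex
# digest, and the new salted PBKDF2-HMAC-SHA256 record "prefix$iters$salt$dk".
LEGACY_PREFIX = "sha1$"
NEW_PREFIX = "pbkdf2_sha256$"
ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    """The weak scheme being migrated away from: unsalted SHA-1 (assumed)."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def new_hash(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash; a fresh random 16-byte salt per password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "{}{}${}${}".format(
        NEW_PREFIX,
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify(password: str, stored: str) -> bool:
    """Check a password against either format, with constant-time comparison."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(legacy_hash(password), stored)
    if stored.startswith(NEW_PREFIX):
        _, iters, salt_b64, dk_b64 = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), base64.b64decode(salt_b64), int(iters)
        )
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    return False  # unknown format: fail closed


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, upgrade a legacy hash in place.

    The cleartext password is only available at login, which is why the
    migration happens here rather than in a batch job.
    """
    stored = users.get(username)
    if stored is None:
        new_hash(password)  # burn comparable time so missing users are not enumerable
        return False
    if not verify(password, stored):
        return False
    if stored.startswith(LEGACY_PREFIX):
        users[username] = new_hash(password)
    return True


# Constructed sample user table: one account still on the legacy hash,
# one already migrated.
USERS = {
    "alice": legacy_hash("correct horse"),
    "bob": new_hash("battery staple"),
}

if __name__ == "__main__":
    print("alice legacy:", USERS["alice"].startswith(LEGACY_PREFIX))
    print("alice login:", login(USERS, "alice", "correct horse"))
    print("alice upgraded:", USERS["alice"].startswith(NEW_PREFIX))
    print("wrong password:", login(USERS, "alice", "wrong"))
```

Two points worth noting: the legacy verification path is kept only so that existing accounts are not locked out, and it should be removed (forcing a reset for stragglers) once the migration window closes; and the dummy `new_hash` call for unknown usernames keeps the response time similar whether or not the account exists, which matters for an attacker probing a leaked e-mail list against the login form.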

Data theft and blackmail

Recall that scammers came into possession of Apricots' customer data in November last year. They used it to send fake SMS messages and extort money.

The case became more public when a person holding the stolen database, containing data on up to 2.2 million customers, decided to demand a ransom. Screenshots of the conversations between the blackmailer and store representatives even circulated. That was not the end: in April 2019 the store's customer database, 2.5 million records, was dumped online.

Over PLN 2.8 million fine

The President of UODO found that the organisational and technical personal data protection measures applied by the company were not adequate to the risk associated with the processing, as a result of which the data of about 2.2 million people fell into the wrong hands. In particular, there were no sufficient procedures for responding to unusual network traffic. When imposing the penalty, the supervisory authority stated that the violation was of considerable gravity and serious nature and affected a large number of persons. In its decision it also indicated that, as a result of the violation, there was a high risk of negative consequences for the persons whose data fell into the wrong hands, such as identity theft.

For most of those affected the data comprised: first and last name, telephone number, e-mail address and delivery address. For about 35 thousand people, however, the data from their instalment (consumer credit) applications also leaked, and that set included the PESEL number, ID card series and number, education, registered address, correspondence address, source of income, net income, household maintenance costs, marital status, and credit or maintenance obligations.

The full content of the UODO decision can be found on this page.

The Group has already announced that it will make use of the available legal remedies.

Source: UODO, Apricots