Garante imposes a €25,000 fine on Innova Camera for data processing security breach

The Italian data protection authority, Garante, has imposed a fine of €25,000 on Innova Camera, a special agency of the Rome Chamber of Commerce, Industry, Crafts, and Agriculture (the Rome Chamber of Commerce), for GDPR violations.
The Rome Chamber of Commerce fell victim to a cyberattack that allowed access to its database and involved the manipulation of application users to implement malicious files, which enabled remote access to the Chamber’s system. Innova Camera, which is responsible for managing the institution’s website, received a report of an online link to a CSV file from which a list of 22,000 users could be downloaded. The personal data involved included names, surnames, tax codes, email addresses, landline or mobile phone numbers, and access and identification data (usernames and passwords).
The personal data was not found on the institution’s website but in a database consisting of a backup copy of one of the systems used by the Chamber. The backup copy was created during the migration of the system to another server to optimize hardware resources and was not deleted after the period necessary to verify the system’s functionality.
Furthermore, the passwords of users registered in the appointment management system were stored in a file created by Innova Camera and were not encrypted.
Garante found that Innova Camera violated GDPR and imposed a fine of €25,000.
