Date: 4.11.2024
The President of the Office for Personal Data Protection (PUODO) fined the Municipal Social Welfare Center (MOPS) and the Municipal Sports and Recreation Center (MOSiR) in Kutno, as well as the company servicing them, for data protection violations. MOPS received a fine of PLN 15,000, MOSiR PLN 20,000, and the company over PLN 24,000. The breach involved the loss of an unencrypted USB drive containing personal data of approximately 1,500 individuals.
Cause of the Breach
During the data transfer to a new HR and payroll system, the institutions failed to implement adequate security measures. An employee of MOPS, who also worked for MOSiR, shared the data with the company responsible for the transfer. The company stored the data on an unencrypted USB drive, which an employee subsequently lost. This incident led to a potential data breach. The USB drive contained names, PESEL numbers, bank account details, and other sensitive information.
PUODO emphasized that the absence of a risk analysis and insufficient process oversight contributed to the breach. The institutions and the company could have prevented the issue by ensuring data was properly secured against unauthorized access.
Source: President of the Office for Personal Data Protection