The facts are as follows. In November 2020 the DPA became aware of a security breach in Cencosud’ s computer systems, as a result of a computer attack known as “Egregor ransomware”.
During the investigation, the DPA also found out a second security incident by which Cencosud clients received fraudulent emails aiming at deceiving users and obtaining additional personal data from them.
Therefore, the DPA requested Cencosud to confirm the occurrence of the security breach and, in the affirmative,
- to detail the measures adopted by the company to mitigate any damages and in order to avoid future incidents;
- to report if there was indeed a leak of personal data of Argentine data subjets;
- to explain the measures adopted in order to guarantee the security and confidentiality of the data; and
- to report the existence of ongoing judicial or criminal procedures related to the occurrence of the incident.
Cencosud replied and stated that it effectively suffered a malware that had slightly affected its Argentine infrastructure, confirming there was no damage. In addition, the company declared to have implemented new measures for vulnerability management.
The DPA considered Ceconsud’s response to be insufficient, noticing that the company did not implement the necessary security measures in order to prevent and manage security incidents recommended under the Resolution No. 47/2018, and article 9 of the PDPL.
On this basis, the DPA imposed a monetary fine of AR$ 290,000 for
- not having taken the preventive technical and organizational measures in order to guarantee its security duty, and not having taken the necessary corrective measures to guarantee the duty of security; and
- not having communicated to its clients that they could be victims of personal data leaks on either occasion. The decision was included in the Registry of Infringers to the PDPL.
Article provided by INPLP member: Diego Fernandez (Marval O’Farrell Mairal, Argentina)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)