Political party sanctioned with EUR 4,000 fine and corrective measures following a data breach caused by a phishing attack


On 15 March 2023, the Romanian DPA reported a EUR 4,000 fine imposed on a political party for failure to implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk.

The investigation was initiated in response to a data breach notification submitted by the controller following the loss of confidentiality and integrity of personal data stored on its servers, which hosted an application that was subject to a phishing attack.

During the investigation, the Romanian DPA concluded that the controller did not implement adequate technical and organizational measures to ensure an appropriate level of security, such as encryption/pseudonymization of personal data stored in the said application. This resulted in a breach of confidentiality that affected personal data such as name, surname, personal numerical code (“CNP” in Romanian), e-mail, telephone number, and data on political affiliation.

Corrective measures were also applied: the controller was ordered to implement appropriate technical and organizational measures, including working procedures ensuring the protection of personal data, following an assessment of the risks to the rights and freedoms of natural persons.

The press release is available here (only in Romanian).