A record fine for the Morele.net store for leaking customer data. Almost PLN 4 million


The Personal Data Protection Office imposed a fine of PLN 3.8 million on the Morele.net online store for the leak of customer data that occurred in 2018 – reports the “Rzeczpospolita” daily. This is the second attempt to punish the store by the Personal Data Protection Office.

In 2018, the Morele.net store fell victim to an attack and its customer database was stolen. The criminals gained access to basic contact details and e-mail addresses, as well as the so-called password hashes (passwords stored as a scrambled string of characters rather than in plain text).

The hackers tried to recover the original passwords from the hashes and link them to specific people. After just two weeks, they had a database of 350,000 passwords. Moreover, they managed to recover the data not only of current morele.net customers, but also of some people who had deleted their accounts on the website before the leak. In the case of users purchasing in installments, data from identity cards and PESEL numbers may also have been leaked.

Due to “insufficient protection of personal data” by the Morele.net store, . This was the highest penalty imposed by the President of the Personal Data Protection Office on any entity.

Morele.net punished with a record fine. This is not the first attempt of the Personal Data Protection Office

However, in 2023, the Supreme Administrative Court overturned the decision of the President of the Personal Data Protection Office. As he explains in an interview with i, “the Supreme Administrative Court, in its final judgment, pointed out to the office that it had conducted the evidentiary proceedings incorrectly.” The office conducted the proceedings again and again imposed a fine on the Morele.net store, but much higher, amounting to PLN 3.8 million – reports “Rz”.

The second proceeding showed that the personal data protection of the store’s customers had been breached because appropriate security measures had not been applied. Among the “sins” of the data controller, the Personal Data Protection Office lists, among others: failure to encrypt part of the data, and the absence of any analysis of the risks and threats arising from the ability to log in to the store from a public network. Why such a high penalty?

Its amount was determined on the basis of the guidelines of the European Data Protection Board on the calculation of administrative fines.

– says Adam Sanocki, spokesman for the Personal Data Protection Office, quoted by “Rz”.

However, experts interviewed by “Rzeczpospolita” have no doubt that this new UODO decision will also be appealed to court.

The path to the final decision on the penalty is long, because such a decision may reach the Provincial Administrative Court, and then even the Supreme Administrative Court, and return to the authority several times.

– explains attorney Jakub Wezgraj. – But eventually, at least in some cases, the authority’s arguments will be recognized and payment will have to be made. It’s a growing snowball, he adds.

It is worth recalling that in 2022 the Personal Data Protection Office imposed an even higher fine of PLN 4.9 million on Forum Marketing and Sales Polska. However, that decision of the Office was overturned by the Provincial Administrative Court in Warsaw.

Morele.net customer data leak. Hackers blackmailed the store

In December 2018, Morele.net informed customers about “unauthorized access to personal data”. Cybercriminals had obtained e-mail addresses, telephone numbers, names and surnames, and password hashes (passwords stored as a scrambled string of characters rather than in plain text).

Shortly afterwards, information appeared on the Internet that the criminals responsible for the attack were blackmailing the store. In exchange for “returning” the database, they demanded PLN 200,000 in bitcoins. However, negotiations with the cybercriminals could not be concluded successfully.

After a few months, the case resurfaced because the database stolen in December was published online. For several minutes, the file was available on the large file-sharing website Gofile.io. Then it was deleted.

Source: Gazeta
