This month we witnessed the first GDPR fine in the South East Europe region, involving UniCredit Bank in Romania. At the same time, neighbouring Bulgaria suffered the biggest data breach in the history of the country. The new reality of GDPR enforcement and its sanctions is setting in, and both private and public actors are, as expected, unprepared for the dangers of the digital age and the resulting data protection requirements.
UniCredit Bank S.A. was fined EUR 130,000 for failing to implement the technical and organisational measures required by the new regulation on data protection and privacy. By failing to apply data protection principles such as data minimisation and to integrate the necessary safeguards into the processing, it exposed the sensitive data of 337,042 data subjects, including their personal identification numbers, addresses and financial data, to online payment recipients.
Alongside this news, last week the National Revenue Agency (NRA) of Bulgaria released a statement that the tax agency has suffered the biggest data breach in the history of Bulgaria, compromising the personal and financial data of 5 million adult citizens. Since GDPR fines are not limited to private enterprises, Bulgaria's NRA is facing consequences of up to EUR 20 million or 4% of the agency's annual turnover. Multiple Bulgarian media outlets reported that an unknown hacker emailed them links to 11 GB of stolen data (taxpayers' personal identification numbers, addresses and financial data). The NRA's statement says the stolen data originates from the country's tax reporting service.
Remediation is under way: the Ministry of the Interior and the State Agency for National Security of Bulgaria are assessing the vulnerabilities in the NRA's system that the attackers may have exploited to breach the databases.
It is hard to overstate the importance of adopting modern security controls in the digital age. Multi-factor authentication (MFA), access authorization, data encryption and data anonymization are only the necessary, basic foundation, especially for private and public financial institutions.
Organizations need to move further, to a Strong Customer Authentication (SCA) model. This particularly applies to financial institutions and payment service providers because of the upcoming deadline of September 14, 2019 for all companies within the EU to comply with the Regulatory Technical Standard (RTS) under Directive (EU) 2015/2366 (PSD2). SCA requires a number of security measures to be in place so that the customer proves their identity before access to personal data and accounts is granted to third parties. The SCA model is broader than MFA and requires a single digital authentication platform for all customer journeys across the various services.
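The difference between "two factors" (MFA) and SCA is easy to get wrong in practice: under the PSD2 RTS, SCA needs two or more factors from different, independent categories (knowledge, possession, inherence), so a password plus a PIN is MFA but not SCA. The following is an added example, not code from the article or from any bank or regulator; the factor catalogue, method names and the `meets_sca`/`is_mfa` helpers are constructed for illustration, and it goes slightly beyond the text by spelling out the three RTS categories.

```python
"""Check an authentication attempt against the PSD2 SCA factor model.

Added example (not from the original article). It assumes the three PSD2
RTS factor categories and the "at least two independent categories" rule.
The factor catalogue and method names below are constructed samples.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Category(Enum):
    KNOWLEDGE = "something only the user knows"
    POSSESSION = "something only the user possesses"
    INHERENCE = "something the user is"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool  # did this factor's own check actually pass?


# Constructed mapping of authentication methods to RTS categories.
# A real deployment would map its own methods; note that several
# common "second factors" (PIN, security question) are still KNOWLEDGE.
FACTOR_CATALOGUE: Dict[str, Category] = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "hardware_token_otp": Category.POSSESSION,
    "app_push_approval": Category.POSSESSION,
    "sms_otp": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


def classify(results: Dict[str, bool]) -> List[Factor]:
    """Turn {method: passed?} into Factor records; unknown methods are an error,
    never silently counted as a factor."""
    factors = []
    for name, verified in results.items():
        if name not in FACTOR_CATALOGUE:
            raise ValueError(f"unknown authentication method: {name!r}")
        factors.append(Factor(name, FACTOR_CATALOGUE[name], verified))
    return factors


def is_mfa(results: Dict[str, bool]) -> bool:
    """Naive MFA view: at least two verified factors, regardless of category."""
    return sum(1 for f in classify(results) if f.verified) >= 2


def meets_sca(results: Dict[str, bool]) -> Tuple[bool, str]:
    """SCA view: at least two verified factors from at least two distinct
    categories. Returns (decision, reason) so the reason can be logged."""
    passed = [f for f in classify(results) if f.verified]
    if len(passed) < 2:
        return False, "fewer than two factors verified"
    categories = {f.category for f in passed}
    if len(categories) < 2:
        only = next(iter(categories)).name
        return False, f"all verified factors are {only}; need a second category"
    used = ", ".join(sorted(c.name for c in categories))
    return True, f"independent categories verified: {used}"


if __name__ == "__main__":
    attempts = {
        "password + PIN": {"password": True, "pin": True},
        "password + hardware OTP": {"password": True, "hardware_token_otp": True},
        "password + failed OTP": {"password": True, "hardware_token_otp": False},
        "fingerprint + app push": {"fingerprint": True, "app_push_approval": True},
    }
    for label, results in attempts.items():
        ok, reason = meets_sca(results)
        print(f"{label:26} MFA={is_mfa(results)!s:5} SCA={ok!s:5} ({reason})")
```

The point of returning a reason string is operational: when SCA is refused, the decision log should say why (too few factors, or two factors of the same category) so that reviewers can tell a product misconfiguration apart from a failed login.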
The current model of relying on passwords for online services is broken, as we can see. In the words of the famous Frank Abagnale Jr., it is astonishing that 60 years after passwords were developed as a security protocol, we are still using them as the primary way of accessing secure services.