AEPD (Spain) - EXP202309453
Spain's AEPD fines AXA €200K for failing to prevent former employee account takeover.
Summary
Spain's data protection authority (AEPD) fined AXA SEGUROS GENERALES €200,000 for violating Article 5(1)(f) GDPR after a former employee used a data subject's insurance number and partial payment card digits to impersonate them and access their online account. The DPA found the controller's security measures insufficient, including inadequate password change processes and lack of controls to prevent former employee impersonation. The authority ordered AXA to implement adequate technical and organizational security measures.
Full text
Latest revision as of 11:26, 17 April 2026

AEPD - EXP202309453
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started: 28.05.2023
Decided: 15.04.2026
Published: 15.04.2026
Fine: 200,000 EUR
Parties: AXA SEGUROS GENERALES, S.A. DE SEGUROS Y REASEGUROS
National Case Number/Name: EXP202309453
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ap

The DPA fined an insurance company €200,000 for failing to ensure security of processing, which allowed a former employee to access a data subject’s account.

English Summary

Facts

AXA SEGUROS GENERALES, S.A. DE SEGUROS Y REASEGUROS (the controller) is an insurance company. In 2023, a former employee of the controller contacted a data subject, asking them for details of their insurance policy so that a different company could match its price. The data subject later received two SMS messages containing a temporary code to access their online account, followed by a confirmation email that their access credentials had been changed. The data subject contacted the controller, as they had used neither the codes nor their account. In response, the controller blocked the account, but later informed the data subject that the former employee had stolen their identity to access it. The data subject filed a complaint with the DPA.

During the DPA’s investigation, the controller confirmed that the data subject’s password had been changed. It also stated that it had implemented additional security measures after the incident to prevent future identity theft. The controller argued that the DPA could not find a violation of Article 5(1)(f) GDPR based solely on the fact that the incident took place, since that article does not require controllers to have completely effective security measures in place.

Holding

The DPA found a violation of Article 5(1)(f) GDPR. The controller had not properly managed the process for changing the data subject’s password, which allowed a third party to access the data subject’s insurance account information. The DPA considered the controller’s security measures insufficient to ensure the security of processing: for example, the third party was able to impersonate the data subject on the basis of their insurance number and the last four digits of their payment method. The DPA noted that this was a systematic error and evidence of a lack of diligence on the controller’s part, as it had not implemented measures to ensure that former employees could not impersonate data subjects. The DPA fined the controller €200,000 and, in addition, ordered it to implement adequate technical and security measures.
The DPA stated that, because the controller operates in the insurance sector, ensuring the security of processing was essential.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/53

File No.: EXP202309453

RESOLUTION OF DISCIPLINARY PROCEEDINGS

TABLE OF CONTENTS

BACKGROUND ... 2
FIRST: Complaint received ... 2
SECOND: Transfer of the complaint ... 3
THIRD: Admission of the complaint ... 4
FOURTH: Preliminary investigative actions ... 5
FIFTH: Agreement to initiate disciplinary proceedings ... 13
SIXTH: Allegations against the initiation agreement ... 13
SEVENTH: Change of instructor of the proceedings ... 13
EIGHTH: Proposed resolution ... 13
NINTH: Turnover and number of clients ... 13
PROVEN FACTS ... 14
LEGAL GROUNDS ... 16
I. Jurisdiction ... 16
II. Preliminary issues ... 16
III. Objections to the initiation agreement and response thereto ... 17
FIRST. Possible expiration of the preliminary investigative proceeding