GDPR | Mar 24, 2026

AEPD (Spain) - PS/00552/2023

Spanish DPA fines e-commerce company €1.09M for data breach affecting 1M+ records and GDPR violations.

Summary

The Spanish Data Protection Authority (AEPD) fined CECOTEC INNOVACIONES €1,090,000 for a data breach involving over one million customer records that were offered for sale on the dark web in April 2023. The company violated GDPR Articles 5(1)(f) (integrity and confidentiality), 32 (security), 33 (breach notification), and 34 (data subject notification) by maintaining an insecure legacy e-commerce system, failing to notify authorities within 72 hours, and not informing affected data subjects of the breach.

Full text

AEPD - PS/00552/2023

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR, Article 32 GDPR, Article 33 GDPR, Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Started: 01.04.2024
Decided:
Published: 18.03.2026
Fine: 1,090,000 EUR
Parties: AEPD; CECOTEC INNOVACIONES, S.L.U.
National Case Number/Name: PS/00552/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Niovi Gkioka
Source: GDPRhub, latest revision as of 13:25, 24 March 2026

The DPA fined an e-commerce company €1,090,000 after a database containing over one million records was offered on the dark web, finding breaches of Article 5(1)(f), Article 32, Article 33 and Article 34 GDPR.

English Summary

Facts

CECOTEC INNOVACIONES, S.L.U. (the controller) operated an e-commerce platform used to manage customer orders and accounts.
In early 2021, it decommissioned the platform but kept the legacy system accessible for internal purposes. On 5 April 2023, the Instituto Nacional de Ciberseguridad (INCIBE), Spain's national cybersecurity institute, informed the controller that a database allegedly belonging to it, containing over one million records, was being offered for sale on the dark web. On 12 April 2023, INCIBE sent a second notification, after which the controller carried out an internal investigation. The controller questioned the existence and scope of the breach, arguing that only a limited number of records matched its database and that it could not confirm unauthorised access. It considered the risk to be low. On 19 April 2023, it notified the Spanish Data Protection Authority (AEPD) but did not inform affected data subjects.

The AEPD carried out preliminary investigations and, on 1 April 2024, initiated sanctioning proceedings. It found that the data originated from the controller's database and that the legacy system remained accessible via the internet, relied on outdated software and lacked adequate monitoring, logging and access control measures.

Holding

First, the Spanish Data Protection Authority (AEPD) held that storing personal data in a legacy system that remained accessible and relied on outdated software without adequate security measures infringed Article 5(1)(f) and Article 32 GDPR.

Second, the AEPD held that a controller cannot delay breach notification on the basis of uncertainty as to the existence or scope of a breach and must act upon reasonable indications of compromise. The controller therefore infringed Article 33 GDPR by failing to notify the authority within 72 hours.

Third, the AEPD held that the failure to inform data subjects constituted an infringement of Article 34 GDPR, as the breach involved a large volume of personal data and potential risks could not be excluded.

The AEPD fined the controller €1,090,000.
Comment

In a related development, in April 2025 consumer association FACUA filed a separate complaint with the AEPD against CECOTEC, criticising the company for only notifying affected customers of the breach nearly two years after it occurred. No outcome of that complaint has been reported as of March 2026.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202305790
Disciplinary Proceeding No. PS/00552/2023

RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On April 19, 2023, the Technological Innovation Division of this Agency was notified of a personal data breach by the data controller, CECOTEC INNOVACIONES, S.L.U., with Tax Identification Number (NIF) B97937890 (hereinafter, the company), concerning the exfiltration and sale online of a database containing personal data of clients and employees with more than 1 million records, detected on April 5, 2023, by the Spanish Cybersecurity Institute (INCIBE).

The following key information is revealed in the breach notification:

- Incident Summary: The company received a notification from INCIBE on April 5, 2023, informing them that a malicious actor had posted on a dark web forum claiming to possess a database belonging to a Spanish company with approximately 1 million records. The company's name was not mentioned, but based on various details provided, it appears to be their company. INCIBE alerted them to this post and requested that they verify the cyberattack on their database, providing 17 data records posted by the malicious actor as a sample.
The company was unaware of the notification sent until it received a second notification from INCIBE on April 12, 2023, informing its Data Protection Officer of the incident and initiating an investigation on April 14, 2023, which did not conclude until April 17, 2023, the date on which the Data Protection Officer informed INCIBE that it did not believe the attack was viable and, if so, genuine, having detected only 6 real records out of the 17 submitted that belonged to a company database that was closed in 2021, to which only employees have access. It was also indicated that the company had taken security measures regarding the database, reinforcing its access and usage limits.
- The breach affects the following types of data: "Basic data (e.g., name, surname, date of birth), National Identity Document (DNI), Foreigner's Identity Number (NIE), Passport, and/or any other identification document, Contact information".
- The data controller states that the identified personal data is located on a data platform that was closed in 2021, but which employees can access to consult matters related to clients and orders.
- Affected parties: 6 data subjects. The data was not encrypted.
- The breach is classified as a confidentiality breach of low severity.
- The incident occurred due to a failure, deficiency, or non-compliance with implemented security measures: Unknown.
- It has not been reported to the authorities.
- New measures have been adopted following the breach, but these are not detailed.
- The affected parties will not be notified.
- It considers that it has taken all possible actions and considers the breach resolved.
SECOND: On May 3, 2023, the Director of the Agency ordered the General Sub-Directorate of Data Inspection to carry out the appropriate preliminary investigations in order to determine both the occurrence and scope of the reported confidentiality breach, as well as the possible liability of the company CECOTEC for a possible breach of its obligations as the data controller responsible for the protection of personal data contained on said platform, given that:

- There are doubts about the veracity of the cyberattack denied by the defendant, as well as the occurrence of a confidentiality breach, and its s