Awareness Lessons

Altex România Fined €10,000 After Customer Data Exposed to Third Party

Altex România failed to implement adequate technical and organisational measures to prevent unauthorised access to customer personal data: one customer was able to view another customer's information, a classic access control failure. Compounding the exposure itself, the company did not notify the Romanian DPA (ANSPDCP) or the affected individual within the mandatory GDPR timeframes (Article 33 requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; Article 34 requires informing affected data subjects without undue delay when the breach is likely to result in a high risk to them), which points to a broken incident response process. These dual failures, a preventable exposure and an inadequate breach response, show why organisations must treat data protection as an operational discipline rather than a compliance checkbox. GDPR Articles 25, 32, 33 and 34 each impose concrete obligations that Altex visibly failed to meet, and the result was a fine and reputational damage.

Tactical Insight

Immediate actions

  • Audit all customer-facing application flows to ensure every request for personal data is authorised against the authenticated user's identity (object-level authorisation), not merely against the presence of a valid session, so one user cannot retrieve another user's records by changing an identifier.
  • Establish and document a GDPR breach notification procedure, including a 72-hour DPA notification checklist and a template for notifying affected individuals.

Long-term improvements

  • Embed Privacy by Design principles (GDPR Article 25) into the software development lifecycle so data segregation is validated before any feature goes live.
  • Conduct regular penetration tests and application security reviews focused on broken access control, in particular insecure direct object reference (IDOR), using at least two test customer accounts so that cross-account requests are exercised explicitly rather than assumed.
  • Assign a dedicated Data Protection Officer or privacy lead with authority to trigger breach notifications without management delay.
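The access control failure described above, as an added example that is not Altex's code and not part of the original lesson: the same order-lookup handler written first with the IDOR and then with object-level authorisation, plus the probe a pentester or CI check would run against both. The customer ids, order records, delivery addresses and handler names are all constructed for this example.

```python
# Added example, not Altex's code: an order-lookup handler before and after
# object-level authorisation. All data and names below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int       # owner of the record
    delivery_address: str  # the personal data that must not leak


# Constructed sample data: two customers, one order each.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, customer_id=7, delivery_address="Str. Exemplu 1, București"),
    1002: Order(1002, customer_id=9, delivery_address="Str. Exemplu 2, Cluj-Napoca"),
}


class NotFound(Exception):
    """Mapped to HTTP 404 by the (assumed) web layer."""


def get_order_vulnerable(session_customer_id: int, order_id: int) -> Order:
    """Before: the lookup is keyed only on the client-supplied order_id.
    Any logged-in customer who guesses or increments the id reads another
    customer's order (insecure direct object reference). The session's
    customer id is received but never used."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def find_order_for_customer(customer_id: int, order_id: int) -> Optional[Order]:
    """Stands in for SELECT ... WHERE order_id = ? AND customer_id = ?:
    the owner is part of the lookup key, not a check bolted on afterwards
    that a later refactor can drop."""
    order = ORDERS.get(order_id)
    if order is not None and order.customer_id == customer_id:
        return order
    return None


def get_order_hardened(session_customer_id: int, order_id: int) -> Order:
    """After: the owner comes from the authenticated session, never from the
    request. Missing and foreign orders both raise NotFound; answering 403
    for foreign ones would confirm that the id exists and belongs to
    someone else, which helps enumeration."""
    order = find_order_for_customer(session_customer_id, order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def leaks_cross_customer(handler: Callable[[int, int], Order],
                         attacker_id: int, victim_order_id: int) -> bool:
    """Probe for the audit/pentest: does a request from attacker_id return
    a record owned by someone else? True means the handler has an IDOR."""
    try:
        order = handler(attacker_id, victim_order_id)
    except NotFound:
        return False
    return order.customer_id != attacker_id


if __name__ == "__main__":
    # Customer 7 asks for customer 9's order through each handler.
    print("vulnerable leaks:", leaks_cross_customer(get_order_vulnerable, 7, 1002))
    print("hardened leaks:  ", leaks_cross_customer(get_order_hardened, 7, 1002))
```

The same ownership-in-the-query pattern has to cover every path that returns customer data, not only the detail endpoint: list and search endpoints, invoice or PDF downloads, exports, and internal support tooling, since any one of them left on the "before" pattern reproduces the exposure the lesson describes.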

Detection & monitoring measures

  • Implement logging and alerting for anomalous data access patterns, such as a single session retrieving records belonging to multiple user accounts; this requires the application to log both the authenticated principal and the owner of each record returned (and of each denied request), since a web-server access log alone cannot show whose data was served.
  • Schedule annual tabletop exercises simulating a personal data breach to rehearse DPA notification and affected-individual communication workflows.
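The detection measure above, as an added example that is not part of the original lesson and not Altex's tooling: a rule run over constructed application access-log lines that flags sessions which received records owned by someone other than the authenticated customer, and sessions that walked a run of consecutive object ids (the signature of id enumeration). The JSON log format and its field names (session, actor, object_id, owner) are assumptions; a real deployment would emit them from the data-access layer.

```python
# Added example, not from the page or from Altex: a detection rule over
# constructed access-log lines. Log format and field names are assumptions.
import json
from collections import defaultdict
from typing import Dict

# Constructed sample log, one JSON object per line. "actor" is the
# authenticated customer; "owner" is the customer who owns the record that
# was returned. Session s-aaa walks four consecutive ids and receives three
# other customers' records; s-ccc reads one foreign record; s-bbb is benign.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","session":"s-aaa","actor":7,"object_id":1001,"owner":7}
{"ts":"2024-05-01T10:00:05Z","session":"s-aaa","actor":7,"object_id":1002,"owner":9}
{"ts":"2024-05-01T10:00:06Z","session":"s-aaa","actor":7,"object_id":1003,"owner":12}
{"ts":"2024-05-01T10:00:07Z","session":"s-aaa","actor":7,"object_id":1004,"owner":15}
{"ts":"2024-05-01T10:02:00Z","session":"s-bbb","actor":9,"object_id":1002,"owner":9}
{"ts":"2024-05-01T10:03:00Z","session":"s-ccc","actor":30,"object_id":1002,"owner":9}
"""


def analyse_access_log(log_text: str, scan_min: int = 3) -> Dict[str, dict]:
    """Return one finding per suspicious session.

    cross_owner: set of owner ids other than the actor whose records the
      session read. A single such event is already a confirmed
      access-control failure, so there is no threshold on it.
    sequential_scan: True when the session touched at least scan_min
      distinct object ids forming one unbroken run (enumeration).
    """
    per_session: Dict[str, dict] = defaultdict(
        lambda: {"actor": None, "owners": set(), "objects": set()}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = per_session[ev["session"]]
        s["actor"] = ev["actor"]
        s["owners"].add(ev["owner"])
        s["objects"].add(ev["object_id"])

    findings: Dict[str, dict] = {}
    for session, s in per_session.items():
        foreign = {o for o in s["owners"] if o != s["actor"]}
        ids = sorted(s["objects"])
        sequential = len(ids) >= scan_min and ids[-1] - ids[0] + 1 == len(ids)
        if foreign or sequential:
            findings[session] = {
                "actor": s["actor"],
                "cross_owner": foreign,
                "sequential_scan": sequential,
            }
    return findings


if __name__ == "__main__":
    for session, finding in analyse_access_log(SAMPLE_LOG).items():
        print(session, finding)
```

Two practical points when wiring this into real alerting: denied requests must be logged as well as served ones, otherwise the sequential_scan rule goes blind the moment the IDOR is fixed and the attacker's probes start returning 404; and staff or support roles that legitimately read many customers' records need their own baseline rather than being matched by the cross_owner rule.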