[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkbSq0KiPasIu4FIJuWs2vNttLZDfPbB8Y2-OsXeM0dg":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":25,"created_at":26,"published_at":27,"article":28,"tags":32,"podcasts":51},"15b3ac3e-746c-4db2-b256-52710431f830","altex-romnia-fined-10000-after-customer-data-exposed-to-third-party","0cdaf296-aa52-46a4-bfbb-cf728ea1d3ae","Altex România Fined €10,000 After Customer Data Exposed to Third Party","Altex România failed to implement adequate technical and organisational measures to prevent unauthorised access to customer personal data, allowing one customer to view another's information — a classic access control failure. Compounding the breach itself, the company did not notify the Romanian DPA (ANSPDCP) within the 72-hour window required by GDPR Article 33, nor communicate the breach to the affected individual without undue delay as Article 34 requires where the breach poses a high risk to the data subject, demonstrating a broken incident response process. These dual failures — preventable exposure and inadequate breach response — highlight how organisations must treat data protection as an operational discipline, not just a compliance checkbox. 
GDPR Articles 25, 32, 33, and 34 each impose concrete obligations that Altex visibly failed to meet, resulting in a €10,000 fine and reputational harm.","**Immediate actions:**\n- Audit all customer-facing application flows to ensure every request that references a customer record is authorised server-side against the authenticated user (object-level authorisation on each identifier, not just session isolation), so no session can retrieve another user's personal data.\n- Establish and document a GDPR breach notification procedure, including a 72-hour DPA notification checklist (the clock starts when the organisation becomes aware of the breach) and a template for notifying affected individuals.\n\n**Long-term improvements:**\n- Embed Privacy by Design principles (GDPR Article 25) into the software development lifecycle so data segregation is validated before any feature goes live.\n- Conduct regular penetration tests and application security reviews focused on insecure direct object reference (IDOR) and broken access control vulnerabilities, including automated tests that attempt cross-account access with a second test identity.\n- Assign a dedicated Data Protection Officer or privacy lead with authority to trigger breach notifications without management delay.\n\n**Detection & monitoring measures:**\n- Implement logging and alerting for anomalous data access patterns, such as a single session retrieving records belonging to multiple user accounts; this requires access logs to record both the authenticated principal and the owner of each record returned.\n- Schedule annual tabletop exercises simulating a personal data breach to rehearse DPA notification and affected-individual communication workflows.",[12,13,14,15,16,17,18,19,20,21,22,23,24],"GDPR Article 5(1)(f) — Integrity and confidentiality principle","GDPR Article 25 — Data protection by design and by default","GDPR Article 32 — Security of processing","GDPR Article 33 — Notification of breach to supervisory authority (72-hour rule)","GDPR Article 34 — Communication of breach to data subject","CIS Control 3 — Data Protection","CIS Control 6 — Access Control Management","CIS Control 17 — Incident Response Management","NIST SP 800-53 AC-2 — Account Management","NIST SP 800-53 AC-3 — Access Enforcement","NIST SP 800-53 IR-6 — Incident Reporting","NIST SP 800-53 SA-15 — Development Process, Standards and Tools (Privacy by Design)","OWASP Top 10 A01:2021 — Broken Access Control","published","2026-06-25T10:21:14.714843+00:00","2026-06-25T10:21:14.412+00:00",{"id":7,"url":29,"slug":30,"title":31},"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=ANSPDCP_(Romania)_-_18.06.2026&diff=52001&oldid=0","anspdcp-romania-18-06-2026-064641","ANSPDCP (Romania) - 18.06.2026",[33,39,45],{"id":34,"name":35,"slug":36,"description":37,"color":38},"182e11d5-57c4-444e-8ec8-4682ad60261b","Incident Response","incident-response","Slow detection, poor containment, missing playbooks","#14b8a6",{"id":40,"name":41,"slug":42,"description":43,"color":44},"1ec88fde-2d0f-4ed8-932a-33f5ccc0fdc7","Access Control","access-control","Excessive privileges, missing MFA, weak auth","#f97316",{"id":46,"name":47,"slug":48,"description":49,"color":50},"c0dcc566-3654-4d70-8ede-262a198e732f","Regulatory Compliance","regulatory-compliance","GDPR, NIS2, DORA, sector-specific violations","#ec4899",[]]