On 10 September 2019, the Polish Data Protection Authority gave the online retailer, Morele.net, a record fine of PLN 2,830,410 (Euro 650,000) following a cyber-attack.


The Authority found that Morele.net did not have proper organizational and technical security measures and - according to the Authority - this allowed hackers to penetrate Morele.net’s platform. The attack took place in November and December 2018. As a result of these attacks, personal data (including national identification numbers) of over 2,200,000 of clients were stolen. Hackers used that information to extort fake payments.

The Authority found two key failures with Morele.net’s security:

  • It did not have proper access authentication processes. It only used one-factor authentication, which is more susceptible to security breaches. They did not follow general security recommendations, such as those proposed by ENISA, that two-factor authentication should be used.
  • There was ineffective monitoring by Morele.net of potential threats related to unusual online activities. One way to manage this issue is to use an intrusion detection system to highlight suspect activity.

More fines for poor data security

The Authority consider this to be a serious hack in light of the information exfiltrated and large number of people affected. It created a high risk of negative consequences for those whose data had fallen into the wrong hands. The data included: name and surname, telephone number, e-mail address, delivery address, PESEL number, series and number of the ID document, and the amount of credit commitments. This all creates risks for individuals particularly the risk of identity theft or fake invoicing.

Morele.net has announced that it does not agree with Authority’s decision and intends to appeal the findings in the courts. This is the highest fine imposed by DPA, three times higher than the current highest fine imposed on Bisnode. It is part of a wider trend of increasing fines for data protection, and particularly data security breaches. While the fines are not quite as high as those imposed by some data protection authorities (such as the UK Information Commissioner’s proposed fine of £183,900,000 against British Airways) they are a very good reminder of the importance of protecting your systems against cyber-attacks.

The content of the decision (in Polish) can be found at the following link: https://uodo.gov.pl/decyzje/ZSPR.421.2.2019.