Data breach Postel S.p.A.: the provision of the Garante

Indice

The newsletter of the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority) publicises as news measure No. 572 of 4 July 2024 concerning the data breach suffered by Postel S.p.A. on 17 August 2023 and extensively documented in this article.

A ‘tough but fair’ measure

The measure offers some food for thought that stems from some very harsh considerations made by the Authority on the subject of personal data security and processing. Italy, which is ever closer to the various NIS 2 deadlines, can no longer afford to have organisations that neglect or betray the constraints imposed by the legislation, and the Garante’s measure seems to want to emphasise this.

Impact, fine and problems

With an impact of about 25,000 interesting, the Postel S.p.A. data breach caused a stir on social media because of a few things that seemed to be unclear from the outset, including the quality of the communication published by the company on which DPO Christian Bernieri had made himself very clear.

Months later, the Data Protection Authority, in its inspection activities, found the following:

In particular, it has been ascertained that the Company, despite the significance of the data breach suffered, has
submitted an incomplete breach notification to the Authority; it was also established that the
Company did not conduct itself in compliance with data protection regulations even
with regard to the security measures that it should have adopted in the terms to be
indicated.

The measure is very instructive because in the first part (before ‘chapter 3’) we learn some of the ‘defensive’ reasons of the company Postel S.p.A., among which is the one aimed at justifying the non-installation of a patch that was fundamental and had been widely reported by both Microsoft and the international CSIRTs (including by ACN itself). Postel, in this regard, reports the following:

the failure to patch the vulnerabilities in question did not result from the absence of corporate ‘patch and vulnerability management’ procedures and protocols, or from the inadequacy of such procedures and protocols.” […] Unfortunately, however, due to a human error in the configuration of the scanning activities, the Exchange server targeted by the attack was excluded from the scan: this accidentally resulted in the failure to patch the aforementioned vulnerabilities, with regard to that system only.

In essence, Postel S.p.A. makes two points:

  1. That the damage did not result from an absence of safety procedures and protocols, nor from their inadequacy.
  2. That the damage was created by a human error in the configuration of the scanning activities, which would have excluded the Exchange server from the patching activity.

Postel S.p.A. is an ISO 27001 certified company, a ‘parent’ standard in the ISO world. In responding to this claim, the inspectors of the Garante reported the following:

It notes that the aforementioned vulnerabilities had already been disclosed, in September 2022, by the Microsoft Security Response Center, which had also published the appropriate mitigation actions; furthermore, in November 2022, Microsoft had made available the necessary updates to be made to the Exchange platform to overcome precisely the vulnerabilities indicated (moreover, considering that they had been assessed as highly critical). By the way, also in Italy, several months before the event, the existence of the aforementioned vulnerability had been duly reported by the National Cybersecurity Agency

Thus, reconstructing the timeline:

  1. Microsoft discovered and reported the vulnerability in September 2022.
  2. Microsoft makes a solution available in November 2022.
  3. Postel ignored the vulnerability up to the time of the August 2023 data breach, also ignoring the report sent by ACN.

There is therefore a continuing problem despite official reports from the manufacturer and also from the CSIRTs. A human error prevented the correct configuration but no control cycle detected the problem and this shifts the argument from technical to organisational.

Not only technique

There is a need to pay attention not only to‘technical‘ controls but also (and especially) to those of an organisational nature. Those who are really familiar with standards know that there is often talk of procedures, policies, strategies, and thus a formalisation of organisational aspects that are often overlooked. We learn a very useful piece of information in this regard from the Garante’s provision.

The assessment carried out by the Authority, therefore, was not limited to taking into consideration the occurrence, as such, of the data breach […] but, starting from the data breach under investigation, it proceeded to verify whether the Company had adopted all those technical and organisational measures that could have prevented the personal data breach.

Organisational measures are subject to inspection and evaluation! There has always been a false notion that control takes place outside this context, and this is clearly an erroneous conclusion. The Garante della Protezione dei Dati Personali therefore sheds light on an important aspect that allows him to enjoin Postel S.p.A.“to set up a formalised procedure for the management of vulnerabilities , which provides, in particular, for the planning of the control of all the organisation’s IT assets in order to detect the possible presence of known or potential vulnerabilities as well as the identification of the relevant correction and mitigation procedures“.

ISO 27001 certification

As stated by Postel S.p.A. itself, the company is ISO 27001 certified, an ambitious and comprehensive certification, which if fully complied with makes the organisation very well structured and protected against incidents. ISO 27001 includes several essential security controls including:

  • Organisational control 5.24: The organisation shall plan and prepare for information security incident management by defining, establishing and communicating information security incident management processes, roles and responsibilities.
  • Organisational control 5.25: The organisation must evaluate information security incidents and decide whether they should be classified as information security incidents.
  • Technology Control 8.08: Information on the technical vulnerabilities of the information systems in use must be obtained, the organisation’s exposure to these vulnerabilities must be assessed, and appropriate measures must be taken.

To claim to be ISO 27001 certified is therefore to declare that you know, understand and have implemented these security controls, many of which relate to strategic, organisational and monitoring activities.

Conclusion

With a fine of 900,000 euros and some very harsh penalties, it is to be hoped that Postel S.p.A. can build on what happened, also and above all with respect to that ISO 27001 certification, which includes a particularly interesting security check, the 5.27:

The knowledge gained from information security incidents is used to strengthen and improve information security controls.