Are the country's municipalities unprotected against cyberattacks? The recent hacking incident at the Municipality of Thessaloniki is one of many that are likely to happen, given the general state of the infrastructure and procedures of the country's municipalities.
A cyberattack on one of the country's municipalities, and indeed one of the largest, is anything but a bolt from the blue. When the level of protection is not what is expected and the potential benefit is significant, a cyberattack becomes possible.
The Municipality of Thessaloniki had been partially warned at least since December 2019, when Your Data Matters completed and published its research on the degree to which the country's municipalities had adapted to the GDPR. We say partially because the audit covered only the Municipality's website, where a number of factors were measured that indicate the Municipality's level of adaptation to the requirements of the legislation.
We note here that one of the most important issues in personal data protection is the security of that data, especially in the digital world. The triad of Confidentiality, Integrity and Availability is a central principle of information security. Adhering to this principle is required for compliance with the GDPR.
When the Your Data Matters survey was completed, all of the country's municipalities were informed of the general result by separate letters, and each municipality could, if it wished, receive more specific information about its own results, at no cost of course.
The Municipality of Thessaloniki expressed interest in learning its results, in a document with protocol number 257385 / 23-12-2019 signed by Deputy Mayor Mr. Avarlis.
Your Data Matters responded immediately with a letter stating, among other things:
"The data of the research indicate that on the website of your Municipality there is a limited to low level of compliance with the General Data Protection Regulation 679/2016 / EU and the e-privacy legislation (law 3471/2006)."
"The criteria of the research do not exhaust the overall evaluation of the website of your Municipality."
At the same time, Your Data Matters expressed its availability "for exchange of views, information and cooperation in relation to issues of personal data protection of the Municipality".
Since then there has been no further communication from the Municipality of Thessaloniki to Your Data Matters.
In the detailed presentation of the Your Data Matters research, it was emphasized that the Municipality's website (like that of any organization) is its public image, from which general conclusions are drawn. An organization that shows the required diligence and does what is necessary to comply with the requirements of the GDPR can be expected to have this reflected in its public image. Conversely, if the public image is not good, this is an indication that the problem is not limited to the public image.
A question that arises naturally is: "If the Municipality of Thessaloniki, which has more resources than most municipalities, is in such a situation, what is happening in smaller municipalities?"
A second question is whether the Hellenic Data Protection Authority (APDPX) has taken any action towards the country's municipalities. Note that the Your Data Matters survey, with the detailed data on the municipalities, had been officially sent to the APDPX as early as December 2019.
Third question: have the GDPR's requirements for cases of breach been met? Was there detailed information within 72 hours on whether (in any way) personal data was breached, who was affected, and how (and to what extent) the problem will be remedied? Does the absence of a relevant announcement mean that this has not happened, or that the Municipality has not been able to meet its obligations to citizens and the supervisory authorities?
In any case, this incident and the response to it must ring alarm bells about the level of protection of citizens' personal data, 3 years and more after the GDPR came into application.
Source of information: news247.gr