UiPath – GDPR fine
On August 21, 2023, the National Supervisory Authority for Personal Data Processing (ANSPDCP) issued a press release regarding the fine imposed on UiPath for violating the General Data Protection Regulation (GDPR). The link to the release is above, and what we set out to do today is to analyze the causes that led to the personal data breach and the lessons that can be learned by companies.
Causes of the personal data breach
1. Lack of Adequate Technical and Organizational Measures: the company had not implemented technical and organizational measures adequate to protect personal data.
These include:
- No measures were in place to ensure the ongoing confidentiality and resilience of processing systems and services.
- There was no process for regularly testing, assessing and evaluating the effectiveness of the security measures.
2. Unlimited Access to Personal Data: the system had not been configured to limit access to personal data, so an unlimited number of individuals could gain unauthorized access to it.
3. Unauthorized Disclosure and Unauthorized Access: these deficiencies led to unauthorized disclosure of, and unauthorized access to, the personal data of approximately 600,000 users of the UiPath Academy Platform.
- Type of Data Affected: each user’s first and last name, unique identifier, e-mail address, the name of the company where the user is employed, the country, and details of the level of knowledge attained in UiPath Academy courses.
- Exposure Period: Data was exposed for a period of approximately 10 days.
- Consequences and What Companies Need to Understand: the fine imposed by the ANSPDCP is a wake-up call for all organizations that process personal data. The security incident at UiPath SRL underscores the importance of implementing appropriate security measures together with a robust process for evaluating and monitoring them. In other words, it is not enough to have formal documents stating that GDPR requirements are met; the security controls must actually be in place and must be exercised through simulations, tests and similar checks.
The lack of such measures can lead to serious consequences, including the exposure of the personal data of large numbers of individuals. This case is a clear example of the need to treat data security seriously and to invest in effective safeguards.
Complying with GDPR regulations and investing in adequate security measures are not only legal obligations, but also an ethical responsibility towards customers and partners.
For assistance in assessing and improving data security in your organization, feel free to contact our team of data protection experts.
An incident-free day, everyone!