Poland’s Personal Data Protection Office has issued a PLN 2.8 million (€645,000) GDPR penalty to an online retailer for a lack of appropriate safeguards to protect the personal data of its customers.

In November 2018, Morele.net discovered its systems had been compromised and hackers had gained access to the personal information of 2.2 million of its customers. Names, contact telephone numbers, email addresses, and postal addresses were stolen by the attackers and 35,000 of those customers had additional sensitive information stolen such as payment installment details, personal ID numbers, education level, source of income, net income, marital status, and household maintenance costs.

The breach came to light when Morele.net customers reported receiving SMS messages telling them that they needed to make additional payments to complete past orders. The scam SMS messages included a link to a payment gateway controlled by the attackers.

The data breach was reported to Poland’s Personal Data Protection Office (UODO), as required by the EU’s General Data Protection Regulation (GDPR), and an investigation was launched to determine whether sufficient safeguards had been implemented prior to the breach.

UODO found that insufficient technical safeguards had been implemented by Morele.net across its 9 websites, in violation of Article 5(1)(f) of the GDPR (the principle of confidentiality), and that there were also insufficient administrative safeguards in place.

The fine is significant, although well below the maximum possible fine under GDPR, which is €20 million or 4% of global annual turnover, whichever is higher.

Even with the risk of such high financial penalties, many companies are still not fully complying with GDPR. A recent study by Capgemini Research Institute revealed that just 28% of companies are fully compliant with GDPR, yet 81% of the 1,000 companies surveyed for the study believed that they were fully compliant.

Compliance was lowest in Sweden, where just 18% of companies were found to be fully compliant, closely followed by Spain and Italy on 21% each. UK and German companies had much higher levels of compliance, with 33% of companies in each country found to be compliant. The highest percentage of GDPR-compliant companies was in the United States (35%). Considering GDPR became enforceable 16 months ago, on May 25th 2018, those percentages are particularly worrying.