Company fined as a consequence of a data breach

Published date: 13 October 2021
Author: Mariano Peruzzotti, Valentina González Medina
Law Firm: Ojam Bullrich Flanzbaum

On September 17, 2021, the Agency for Access to Public Information (“AAIP”), the controlling authority for Personal Data Protection Law No. 25,326 (“PDPL”), sanctioned Cencosud SA for violating the provisions of the data protection legal framework as a consequence of a security incident.


The AAIP became aware of a data breach that affected the systems of Cencosud, a multinational conglomerate that operates in Argentina through the companies Jumbo, Easy, Vea and Disco Supermarkets, in November 2020. The security incident was triggered by a computer attack known as “Egregor ransomware”, malware that encrypts information.


The National Directorate for the Protection of Personal Data (“NDPPD”), a governmental body within the administrative structure of the AAIP, considered that the security incident could involve the leakage of Argentine data subjects’ personal data, thus affecting the protective principles of the PDPL as well as the security and confidentiality duties incumbent on Cencosud. Consequently, the NDPPD asked the company to provide information about the incident.


The defenses filed by Cencosud were considered insufficient. The NDPPD determined that the company had properly taken neither preventive measures nor corrective measures to minimize the incident's impact or to prevent future violations. It also highlighted the fact that, after the NDPPD sent its request to the company, some users received fraudulent emails under a “phishing” scheme.


Therefore, the NDPPD sanctioned the company for the commission of the following infringements:


  • Failure to take the technical and organizational preventive measures necessary to guarantee the security of the information, which constitutes a serious infringement pursuant to AAIP’s Rule No. 7/2005.
  • Failure to take the necessary technical and organizational corrective measures to guarantee the security duty within the organization, which constitutes a serious infringement.
  • Failure to notify clients at the first opportunity that they could be affected by personal data leaks due to the security incident, which constitutes a very serious infringement.
  • Failure to report their clients that they could be...
