On 10.9.2020, a Security Incident Report was submitted to the Communications Privacy Authority by COSMOTE. From this report it was concluded that a file leakage took place, containing subscriber data (traffic data and base station coordinates of a large number of COSMOTE subscribers and other providers) to a foreign cloud computing provider during the period 1/9/2020 - 5/9/2020.
The checks subsequently carried out by the Authority finally revealed the following:
a) leaked data identifying the company and the access account (user name and password) with the rights of the company's PES (Information and Communication Systems) administrator, in violation of the applicable legislation on the protection of the confidentiality of communications and in particular the provisions of paras. 1 and 2 of Article 2 , 3 par. 3 and 4 par. 1 of Law no. 3674/2008
b) deviations were found, at the time of the occurrence of the incident under review, with regard to the implementation of the Security Policy for the Safeguarding of the Confidentiality of Communications of COSMOTE, as approved by the Decisions of the A.D.A.E. No. 155/2012 and 327/2013.
For the infringements found and taking into account all the legal criteria, the Authority imposed a fine of EUR 3.200.000 by majority vote at its meeting of 30 May 2022 on COSMOTE.