In connection with the address by the President of the Office for Personal Data Protection of 4 March 2019, in accordance with art. 34 s. 1 of the Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (“GDPR”) the Controller (i.e. Centrum Astronomiczne im. M. Kopernika PAN (Nicolaus Copernicus Astronomical Center of the Polish Academy of Sciences), hereinafter referred to as CAMK) informs that:
1. On 23 October 2018, the computer was infected with malware, which tried to use CAMK's service mail to send advertising mail (so-called spam). Therefore, malicious software could have access to the contents of the correspondence on the infected computer. As a consequence, an unauthorized person could have access to personal data in the following areas: name, surname, telephone number, e-mail address, and invoice data.
2. Detailed information referring to the incident can be obtained from data protection officer: Tomasz Tkacz, e-mail: iodo@camk.edu.pl
3. The breach of confidentiality of data may cause a high risk of violation of the rights and freedoms of data subjects. Possible consequences of the violation are the unauthorized use of personal data, including but not limited to:
-
obtaining by third parties, to the detriment of persons whose data have been violated, loans in non-bank institutions, because many such institutions allow to obtain a loan or credit in an easy and quick way, e.g. via the Internet or by phone without the need to show an identity document;
-
gaining access to the use of health care services for persons who have been violated and their health data, because often access to patient registration systems can be obtained by phone confirming their identity by means of a PESEL number;
-
the exercise of civil rights of persons who have been violated, for example to vote on the funds of the civic budget. This would make it impossible for the right people to exercise their right.
4. In order to minimise the possible adverse effects of the infringement it is recommended to, inter alia:
-
-
immediately remove without opening attachments, unrecognized or suspicious looking e-mails;
-
be cautious when providing personal information to other people, especially via the Internet or telephone;
-
caution by children and members of the immediate family when dealing with strangers;
-
consider the possibility of setting up an account in a credit and economic information system to monitor one’s own credit activity.
