Dear Sir/Madam,
EuroCert Sp. z o.o., based in Warsaw, fulfilling its obligations as a data controller pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereby informs you that on 12 January 2025, during the night hours, a hacker attack (ransomware) occurred, which led to a breach of personal data protection through the use of malicious software encrypting files stored on our servers. This breach may have involved your personal data.
The incident resulted in the loss of availability and also the confidentiality of personal data, including that of clients, contractors, and employees of EuroCert Sp. z o.o.
Was there a breach of qualified certificate security?
We have ruled out, beyond any doubt, the compromise of the certificates issued to you. There is no need to revoke the certificates.
- Certificates on physical devices (cards/tokens) are in the possession of their owners and not within the resources of the EuroCert infrastructure; the use of a certificate requires access to the device and the PIN code.
- For cloud-based ECSigner certificates, cryptographic keys have not been compromised, and all passwords have been reset. Before use, the user must set a new password. Moreover, in addition to the password, authentication is performed using a one-time code in a mobile phone application (two-factor authentication).
What actions were taken in response to the incident?
Immediately upon detecting the security incident, the necessary actions were taken to prevent further breaches of personal data, and the law enforcement authorities and institutions responsible for cybersecurity were notified.
Currently, the incident is under investigation by the Police and CERT Polska (Computer Emergency Response Team Poland).
Furthermore, the incident has been reported to the President of the Personal Data Protection Office as a data protection breach associated with a high risk to the rights and freedoms of natural persons.
EuroCert Sp. z o.o. is making every effort to minimize the impact of the attack and restore full functionality of its IT systems as quickly as possible.
What personal data was affected by the breach?
As a result of the attack, the availability and confidentiality of your personal data may have been compromised, including:
- identification data;
- contact details (email address, phone number);
- PESEL number;
- first name(s) and surname;
- date of birth;
- series and number of your ID card;
- username and/or password;
- image.
Who can you contact regarding the personal data breach?
If you have any questions concerning the breach, you can contact EuroCert Sp. z o.o. by sending an email to: iod@eurocert.pl.
What could be the potential consequences of the personal data breach?
The breach of your personal data could result in:
- processing of personal data for marketing purposes without prior consent (in the case of traditional marketing, such as sending marketing content to your home address);
- publication or disclosure of personal data, which could violate your personal rights;
- risk of harassment or blackmail using disclosed data;
- increased phishing attacks aimed at obtaining personal data;
- creating online accounts using your personal data (e.g., on social media platforms);
- attempts by third parties to obtain loans in your name from non-banking institutions, e.g., online or by phone, without requiring ID verification;
- attempts by third parties to gain access to systems that manage medical services and view your health information (patient registration systems often require PESEL number verification);
- using personal data to exercise civic rights, such as voting in participatory budgeting;
- attempts by third parties to obtain insurance or insurance benefits using your personal data;
- attempts by third parties to enter into civil-law contracts using your personal data;
- use of your personal data by third parties to conceal their identity (e.g., when receiving fines);
- registering prepaid SIM cards for criminal purposes.
What can you do to minimize the negative effects of the breach?
To minimize potential negative consequences of the incident, we recommend:
- securing your PESEL number (you can do this online: click the “Secure PESEL” button and log in; the system will redirect you to mObywatel.gov.pl; alternatively, you can download and complete a form at home or visit your local municipal office). From 1 June 2024, financial institutions (e.g., banks) are required to verify whether the PESEL number is secured before concluding a loan or credit agreement;
- creating an account in a credit and economic information system to monitor your credit activity (available systems and services include Biuro Informacji Kredytowej S.A. https://www.bik.pl, Biuro Informacji Gospodarczej InfoMonitor S.A. https://big.pl, Krajowy Rejestr Długów Biuro Informacji Gospodarczej S.A. https://krd.pl, and CHRONPESEL https://www.chronpesel.pl);
- changing the login or password for systems where the PESEL number was used as a login or password;
- enabling two-factor authentication in services that offer it;
- paying special attention to login attempts and monitoring alerts sent to your email address;
- being cautious in dealings with banks or other financial institutions, especially when someone asks for information such as your ID card number or bank account number, citing your PESEL number;
- exercising caution on social media, particularly with private messages containing links;
- reporting any instances of impersonation to law enforcement as potential criminal offenses;
- if you believe your personal rights have been violated due to the misuse of your data involved in this breach, we recommend using the personal rights protection measures specified in the Civil Code.
You can check the security of your data at: https://bezpiecznedane.gov.pl/.
Taking these actions should help minimize the negative consequences of the breach and protect your personal data from improper use.
For inquiries related to personal data protection, please reach out to our Data Protection Officer, Magdalena Chmielewska, at iod@eurocert.pl.