Dear Sir or Madam,

EuroCert Sp. z o.o., headquartered in Warsaw, fulfilling its duties as a data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereby informs that on January 12, 2025, during the night hours, a hacker attack (ransomware) was detected. The attack resulted in a breach of personal data protection: malicious software encrypted files stored on our servers, and there is a high probability that data was also stolen. The breach may have concerned your personal data.

This incident resulted in the loss of availability and, most likely, confidentiality of personal data, including that of EuroCert Sp. z o.o. customers, contractors, and employees.

Was the security of qualified certificates compromised?

We have conclusively excluded the possibility of any issued certificates being compromised. They have not been stolen, and there is no need to invalidate the certificates.

  • Certificates on physical devices (cards/tokens) remain in the possession of their owners and are not part of EuroCert’s infrastructure. Please note that using a certificate requires access to the device and a PIN code.
  • In the case of cloud-based ECSigner certificates, cryptographic keys were not compromised. All passwords have been reset, and users must set new passwords before use (How to set a new password for the ECSigner cloud signature?). Additionally, besides the password, authentication also involves a one-time code via a mobile app (two-factor authentication).

What actions were taken in response to the incident?

Immediately upon detecting the security incident, necessary measures were taken to prevent further breaches of personal data, and law enforcement authorities as well as institutions responsible for cybersecurity were notified.

The incident is currently under investigation by the Police and CERT Polska (Computer Emergency Response Team Polska).

Additionally, the incident was reported to the President of the Personal Data Protection Office as a data protection breach associated with a high risk of violating the rights and freedoms of natural persons.

EuroCert Sp. z o.o. is making every effort to minimize the consequences of the attack and to restore full functionality of IT systems as soon as possible.

What personal data was affected by the breach?

As a result of the attack, the availability and confidentiality of your personal data may have been compromised. The affected data may include:

  • Email address, phone number provided during certificate issuance,
  • PESEL number (Polish national identification number),
  • First name, middle name(s), and last name,
  • Date and place of birth,
  • Citizenship,
  • Series and number of ID card or passport, issuing authority and expiration date,
  • Username and/or password,
  • Image (only in cases of remote verification).

Currently, we cannot confirm that your data was stolen, but such a possibility exists. The extent of the incident is still being determined, so as a precaution, we recommend carefully reading these security recommendations and monitoring updates on the main website www.eurocert.pl.

Who can you contact regarding the personal data protection breach?

For any questions related to the breach, you can contact EuroCert Sp. z o.o. by sending an email to Ms. Magdalena Chmielewska (Data Protection Officer) at iod@eurocert.pl.

What could be the potential consequences of the personal data protection breach?

The breach of your personal data could lead to:

  • Processing of personal data for marketing purposes without prior consent (e.g., sending marketing materials to your e-mail address or phone number);
  • Publication or disclosure of personal data, potentially infringing on your personal rights;
  • Harassment or blackmail using disclosed data;
  • Increased risk of phishing attacks aimed at obtaining further personal data;
  • Creation of online accounts using your personal data (e.g., on social media platforms);
  • Attempts by third parties to obtain loans in your name from non-bank institutions (e.g., online or via phone) without needing to present an ID;
  • Attempts to access systems handling medical services to view your health data (often requiring only a PESEL number for access);
  • Use of personal data to exercise civic rights (e.g., voting in participatory budgeting);
  • Third-party attempts to obtain insurance or claim insurance benefits using your data;
  • Attempts to enter into civil-law contracts using your personal data;
  • Use of your personal data by third parties to conceal their identity (e.g., for receiving fines);
  • Registration of prepaid SIM cards, which could be used for criminal purposes.

What can you do to minimize the negative impact of the breach?

To minimize potential negative consequences, we recommend the following actions:

  • Block your PESEL number. This can be done online (click Block PESEL and log in; the system will redirect you to pl), in the mObywatel app (Services – Block PESEL), by downloading and completing the form at home, or at your municipal office. From June 1, 2024, financial institutions (e.g., banks) are required to verify whether a PESEL number is blocked before entering into agreements such as credit or loan contracts;
  • Set up an account with a credit and business information system to monitor your credit activity (there are various systems and institutions offering such services, e.g., Biuro Informacji Kredytowej S.A. https://www.bik.pl, Biuro Informacji Gospodarczej InfoMonitor S.A. https://big.pl, Krajowy Rejestr Długów Biuro Informacji Gospodarczej S.A. https://krd.pl, or CHRONPESEL https://www.chronpesel.pl);
  • Change your login or password in systems where your PESEL number was used;
  • Enable additional security measures on platforms that allow two-factor authentication;
  • Pay close attention to login attempts and email alerts;
  • Be cautious of suspicious e-mails, calls and SMS messages. In particular, avoid responding to unknown e-mail addresses and phone numbers, especially those from unknown locations or countries. Do not click on links or open attachments, and do not provide any personal information if an e-mail or SMS message seems unusual or comes from an unknown sender;
  • Be cautious in interactions with banks or other financial institutions, telecommunications companies or other organizations, especially if someone cites your PESEL number and asks for details such as your ID number, bank account information, passwords or credit card details;
  • Exercise caution when using social media, particularly when receiving private messages with links;
  • If someone impersonates you, report it to law enforcement as a potential crime;
  • If your personal rights have been violated due to the use of compromised data, consider using the means of personal rights protection outlined in the Civil Code;
  • Report suspicious activity or fraud, including suspicious messages or phone calls, to the police or to CERT Polska (https://incydent.cert.pl/).

You can check the security of your data independently at:

https://bezpiecznedane.gov.pl/.

Taking these actions should minimize the negative consequences of the breach and protect your personal data from misuse.

We apologize for any inconvenience caused by this incident.

INFORMATION CLAUSE FOR SUBSCRIBERS
INFORMATION OBLIGATION