On the Treasury, the Judiciary and the security of your business

I know this is not the first time I have spoken about this.

And, probably and sadly, it will not be the last.

News in the press these days:

A hack through the judiciary steals data of half a million taxpayers from the Treasury.

The Information Services speak of an unprecedented data leak that also includes the name, DNI or address of about 50,000 members of the National Police Corps.


In other words, I can think of few things more sensitive than the economic data that the Treasury has on citizens or the name and address information of the National Police.

Perhaps the plans of the Military General Staff?

Or the recordings of private government meetings?

I think that for the half a million Spanish citizens and for the national police officers affected, theirs is more serious.

What misuse can a criminal do with all that information?

Of course, when there is unauthorized access to personal data, the data controller is obliged to notify the Supervisory Authority.

But in addition, where the risk is high, the controller must also notify the affected individuals of the security breach.

The deadline for notifying the supervisory authority is 72 hours from the time the organization becomes aware of the breach.

I believe that 72 hours have already passed since the press became aware of the breach.

And it appears that the cyber-attack was detected in October. It’s been almost a month since proceedings were opened on this.

And I don’t know of anyone who has been notified.

Considering that half a million citizens is a significant percentage of the population, it is curious that I don’t know anyone who has been notified. Even more so, if we discount minors or people who do not need to report annually all their financial details to the Treasury.

Could it be that it is not considered serious for taxpayers’ rights that their tax data are circulating freely?

Or is it simply that we were lucky not to have been hit?

Apparently, the cyber-attack was carried out via the infrastructure of the General Council of the Judiciary.

(Fortunately, it seems that no data relating to judicial proceedings have been compromised).

The Treasury and the Judiciary.

Those who handle citizens’ most sensitive information.

Those who have the means and the legal and moral obligation to put in place all possible measures to protect the sensitive information they handle.

Even so, they have not been able to prevent a cyber-attack.

As a cybersecurity expert recently told me: the hacker can fail every time and keep on trying. The security manager can fail just once and he or she is finished.

The logical concern for any businessman, who is ultimately responsible for the information his company handles, is: do I have sufficient measures in place to prevent any cyber-attack?

The obvious answer, based on what has happened with the Treasury and the Judiciary, is no. If they can’t, no one can.

If they can’t, no one can.

Preventive measures can never be enough to prevent any cyber-attack.

They can prevent many.

But all?

Of course, all reasonable measures must be put in place.

But, even so, you have to be aware that they may not be sufficient.

The second concern is: can I cope with the penalties if it happens? Will my company survive?

The penalty for a minor infringement for not providing all the information required by Articles 13 and 14 of the GDPR can be up to 40,000 euros.

The penalty for a serious infringement is between 300,001 and 20 million euros.

So, do the maths.

And, of course, the ultimate question for every tax-paying citizen is who will pay the fine for not putting measures in place to prevent access to that information?

The answer is obvious: The Treasury is all of us.

If you are responsible for your business and are not lucky enough to be the Treasury, I can help you sleep better with more secure systems and procedures. Just in case something happens.