Décimas did not detect the data leak of 330,000 clients until INCIBE alerted it

The AEPD has fined Décimas 120,000 euros for a vulnerability that exposed personal data of more than 330,000 buyers. The chain did not detect the attack itself, and the fine was reduced after it acknowledged the facts.

21 May 2026 at 09:53h

The Spanish Data Protection Agency has fined the sports store chain Décimas 120,000 euros for a security breach that exposed the personal data of more than 330,000 customers following a cyberattack suffered in April 2024.

One element of the resolution stands out. The company did not detect the access to its database on its own and learned of the leak only when the National Cybersecurity Institute (INCIBE) notified it that the information was already circulating on the internet, even though the AEPD considers that the vulnerability could have been avoided.

SQL injection opened access to data of more than 330,000 customers

The incident occurred through an SQL injection attack that allowed cybercriminals to access the company's database. The compromised information included names, surnames, email addresses, dates of birth, gender, and ID numbers.

The Agency's resolution concludes that the company did not have adequate mechanisms to detect suspicious activity in its infrastructure. This lack of monitoring explains why the alert did not come from its own systems, but from the state cybersecurity agency.

The AEPD reduced the fine after the acknowledgment of the facts

The imposed sanction started at 200,000 euros, but was reduced after Décimas acknowledged the facts and opted for early payment. With this reduction, the final amount was 120,000 euros for the security breach.

In addition to the economic fine, the Agency has required the company to review its protection systems. The order stipulates that it must demonstrate the reinforcement of its security measures within a period of six months.

The resolution places this requirement in a specific period and obliges Décimas to prove to the Agency, within those six months, that it has already corrected the deficiencies that allowed the attack.

About the author
Redacción