In a security gap which resulted in an unauthorized person being able to retrieve from the websites of APOEL and Omonia, data of their fans, concern the violations found by the Commissioner for Personal Data Protection Irini Loizidou Nikolaidou.
According to an announcement by the Commissioner, in relation to the recent publications regarding the above issue and following the Notification of violation of an event submitted by APOEL and OMONIA, as well as the investigation carried out by her Office, Ms. Loizidou states how it issued and sent today to the said unions and to the contractor company, which designed and developed the said systems, on their behalf, at first sight Decisions.
In the prima facie Decisions, the 3 involved parties were informed that, violations of the General Data Protection Regulation were ascertained and their positions were requested, before proceeding with the issuance of final Decisions.
These violations concern a security gap which resulted in an unauthorized person being able to retrieve from the websites of the clubs, details of their fans (name, fan card number and ID card number), who had purchased tickets, at the material time of the breach. Therefore, the Commissioner states, by posting the last two items on the CMO website, the unauthorized person could see and download the Fan Cards of the affected fans.
Ms. Loizidou states that it is expected that the unions and the contractor company submit their positions for the above within a set deadline, so that it can proceed to the issuance of final Decisions.
Although it was found, after a relevant audit and written report of the CMO to her Office, that the CMO system concerning the Fan Card had not been violated, Ms. Loizidou suggested and it was accepted to apply an insurance clause, so that access and possibility receipt of the Fan Card by its holder, be further enhanced by sending and using a unique security code.