ANSPDCP Investigation: €5,000 Fine for AG-BROKER ASIGURARE S.R.L. Following Major Data Breach
In April 2025, the Romanian Data Protection Authority (ANSPDCP) concluded a detailed investigation into AG-BROKER ASIGURARE S.R.L., following a data breach notification submitted under Article 33 GDPR. The authority found violations of Articles 32(1)(b) and 32(2) of the GDPR, relating to insufficient technical and organizational security measures.
As a result, the operator received an administrative fine of 24,887 RON (approx. €5,000).
Incident Overview: Cyberattack Exposing Highly Sensitive Personal Data
The operator reported that a cyberattack compromised a significant volume of personal data belonging to clients. The exposed data included:
- CNP (national identification numbers)
- Full names
- ID card photos
- Birth certificates
- Driver’s licenses
- Vehicle registration certificates
- Email addresses
- Phone numbers
These categories represent high-risk personal data, and their exposure can lead to identity theft, fraud, unauthorized access to services, and long-term reputational harm.
ANSPDCP Findings: Lack of Adequate Security Measures
The investigation revealed that AG-BROKER ASIGURARE S.R.L. had not implemented appropriate security controls, specifically:
- insufficient access control to network storage
- inadequate protection against unauthorized access
- lack of resilience and integrity safeguards
- absence of robust confidentiality mechanisms
- no effective technical and organizational measures aligned with GDPR requirements
The breach occurred not only due to the cyberattack itself, but also due to internal vulnerabilities and insufficient security governance.
Article 32 GDPR – Security of Processing
Article 32 requires operators to implement measures appropriate to the risk, including:
- encryption and pseudonymization
- ensuring confidentiality, integrity, and availability
- regular testing and evaluation of security controls
- strong access control and authentication mechanisms
ANSPDCP concluded that the operator failed to meet these obligations, directly enabling the unauthorized disclosure of personal data.
Impact and Key Lessons for Organizations
This case highlights several critical points:
- reporting a breach does not eliminate liability
- cyberattacks are not a valid excuse if systems were poorly secured
- inadequate security controls lead to GDPR sanctions
- sensitive data requires enhanced protection
Organizations must prioritize:
- periodic security audits
- advanced cybersecurity solutions
- employee training
- penetration testing and vulnerability assessments
- strong internal security policies
Conclusion
The fine imposed on AG-BROKER ASIGURARE S.R.L. reinforces that GDPR penalizes not only unlawful processing, but also failure to protect personal data adequately.
In an era of increasingly sophisticated cyber threats, security is not optional — it is a legal obligation and a core element of customer trust.