These are the leaked phone numbers

Bizum has ten years under its belt and, so far, a fairly solid security record. The National Data Protection Agency (AEPD) has fined Bizum SL 80,000 euros after the theft of personal data of several thousand users due to an ‘inadequate implementation’ of protective measures. This is established in AEPD resolution EXP202318538, published last August and now reported by the outlet Bandaancha.eu.

The security breach occurred in 2023, but the AEPD had already been informed in 2020 of the platform’s vulnerability to scraping tactics, that is, the use of software to extract data from websites automatically.

Data leakage through scraping

In Bizum’s case, the cybercriminals took advantage of one of the platform’s features. When you enter a phone number in Bizum, the system displays the name and initials of its owner. A user informed the AEPD that this could be abused to link phone numbers to user names on a large scale. The agency studied it but took no measures after learning what Bizum had put in place to prevent this type of abuse, among them blocking accounts that started more than 30 transfers without completing them.

However, in September 2022 a security breach occurred using that scraping technique. The leak took place through the website of one of the entities participating in the instant payment system. The unusual increase in directory requests was detected and the user blocked after two hours of scraping, but by then the cybercriminals had already obtained the data of 20,070 Bizum users.

Despite this, Bizum did not inform the affected users, considering that there was no high risk to the rights and freedoms of the data subjects and that, with the data obtained (telephone number, name and initials of the surnames), they could not be subject to any fraud. The platform presented an assessment of the severity of the breach, using the methodology proposed by the European Agency for Cybersecurity (ENISA), which concluded that the degree of severity was ‘Low’.

Bizum’s leaked phone numbers

The AEPD reproaches Bizum for not informing users, even though it complied with article 34.3 of the GDPR on when a leak of their data must be communicated to those affected. The reason for the sanction is not this lack of communication but article 32 of the GDPR, which concerns the security of data processing.

One of the reasons is the long period that elapsed from when the breach occurred until Bizum became aware of it. That happened a year later, in November 2023, when a database containing a sample of 2,634 of the 20,070 records obtained appeared for sale on the dark web. The AEPD also criticizes that Bizum did not detect the leak through its internal tools but only through this event.

The telephone numbers in that sample range from 600 000 000 to 600 007 494, but the range of the complete leak, which has not been revealed, is larger. Bizum has stated that it hired a specialized company to remove all the leaked information from the network and that it is currently not possible to find copies of it.

The measures that Bizum must take

In addition to the financial penalty, initially 100,000 euros but reduced by 20% for voluntary payment by the company, the AEPD resolution requires it to take corrective measures. These are:

  • Accredit the adoption of appropriate technical and organizational measures to guarantee a level of security appropriate to the risk of the data processing carried out.
  • Restrict access to personal information, which must occur only at the time of the transfer operation and when strictly necessary.
  • Design the measures so that unauthorized persons cannot access that information.

The AEPD warns that failure to comply could be considered an administrative offense under articles 83.5 and 83.6 of the GDPR, grounds for opening a new sanctioning procedure.