国际资讯 | 朝鲜黑客从韩国窃取1,014GB数据等（5.11-5.16）

North Korean Hackers Stole 1,014GB of Data from South

朝鲜黑客从韩国窃取1,014GB数据

North Korean hackers stole 1,014 gigabytes of data and documents from a South Korean court network over two years, according to the results of a joint probe released on May 11, 2024. 

根据2024年5月11日公布的联合调查结果，朝鲜黑客在两年时间里从韩国法院计算机网络系统中窃取了1,014GB的数据和文件。

The investigation, which was conducted jointly by the National Police Agency’s National Investigation Headquarters, the state prosecution service and the National Intelligence Service, concluded that the heist was likely carried out by a North Korean hacking group known to South Korean and U.S. intelligence as Lazarus.

此项调查由国家警察厅国家调查本部、国家检察院和国家情报局联合进行，得出的结论是，这起数据窃取案很可能是由一个被韩国和美国情报部门称为“Lazarus”的朝鲜黑客组织实施的。

The stolen data included detailed personal information, such as names, resident registration numbers and financial records, according to the probe report.

根据调查报告，被盗数据包括详细的个人信息，如姓名、居民登记号和财务记录。

The National Investigation Headquarters said that data was stolen between Jan. 7, 2021 and Feb. 9, 2023 via methods used by North Korean hackers in the past, such as planting malicious computer codes that exploit software vulnerabilities. According to the investigative team, a total of 1,014 gigabytes of data was taken out of the court’s computer network during this period through eight servers, four of which are located in Korea. Investigators were able to identify data that had been transmitted overseas through one of the domestic servers and confirmed that 5,171 files had been taken out of the court system through that server. But the figure represents only 4.7 gigabytes’ worth of stolen files, or 0.5 percent of total stolen data. Investigators said they were unable to pinpoint which data had been transmitted through the other seven servers as those records had already expired.

国家调查本部表示，这些数据是在2021年1月7日至2023年2月9日期间被朝鲜黑客设法窃取的（如植入利用软件漏洞的恶意计算机代码）。据调查小组称，在此期间，共有1,014GB的数据通过八个服务器从法院的计算机网络系统中被窃取，其中四个服务器位于韩国。调查人员能够识别出通过其中一个国内服务器向海外传输的数据，并确认有5,171个文件通过该服务器从法院系统中被窃取，但这一数字仅代表价值4.7GB的被盗文件，占被盗数据总量的0.5%。调查人员说，他们无法确定哪些数据是通过其他七台服务器传输的，因为这些记录已经过期。

上述资讯源自koreajoongangdaily，详见：

https://koreajoongangdaily.joins.com/news/2024-05-12/national/northKorea/North-Korean-hackers-stole-1014GB-of-data-from-South-/2044975

Germany DSK Publishes Guidance on AI Applications

德国数据保护机构发布人工智能应用指南

On May 6, 2024, the German Data Protection Conference (DSK) published a Guidance on artificial intelligence and data protection (the Guidance). In particular, the Guidance focuses on Large Language Models (LLM), without excluding its possible application for other artificial intelligence (AI) applications.

2024年5月6日，德国数据保护机构发布了《人工智能与数据保护指南》（以下简称“《指南》”）。《指南》侧重于大语言模型的适用，但也不排除将其应用于其他人工智能应用的可能性。

The Guidance includes examples and is aimed at the deployers of AI applications, as well as indirectly at developers, manufacturers, and providers of AI systems.

《指南》提供了参考实例，其适用于人工智能应用的部署者，也间接适用于人工智能系统的开发者、制造者和提供者。

The Guidance outlines that deployers of AI applications must determine their field of application and the purposes for which they will serve. In particular, the deployers must consider whether:

• the field of application of the AI application is legal;

• personal data is processed;

• the training of the AI application was done in accordance with the data protection regulations;

• the legal basis for the processing, which can vary depending on whether the deployer is a public or non-public body and the field of application, such as human resources, healthcare, or processing in the area of a consumer or service contract;

• the AI application develops proposals that are used as a primary basis for decisions that have legal effects on individuals and thus lead to infringement of Article 22 of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”);

• the AI application is part of a closed or open system (i.e., restricted and technically closed environment or not);

• the transparency requirements under GDPR are fulfilled, including regarding input and output history, as well as the option to exclude the use of the data for training;

• the individuals are provided with data subject rights, in particular rights to rectification and erasure; and

• the involvement of the data protection officers and employee representatives in the decisions regarding the AI application.

《指南》规定，人工智能应用程序的部署者必须确定其应用领域和服务目的，部署者必须考虑如下方面：

• 人工智能应用程序的应用领域是否合法；

• 是否处理个人数据；

• 人工智能应用程序的训练是否符合数据保护规定；

• 处理的法律依据，这取决于部署者是公共机构还是非公共机构以及具体的应用领域，如人力资源领域、医疗保健领域或处理消费/服务合同；

• 人工智能应用程序开发的建议被用作对个人具有法律效力的决策的主要依据，从而导致违反《通用数据保护条例》（以下简称“GDPR”）第22条的规定；

• 人工智能应用程序属于封闭系统还是开放系统（即是否属于受限和技术封闭的环境）；

• 符合GDPR规定的透明度要求，包括输入和输出历史，以及排除将数据用于培训的选项；

• 个人享有数据主体权利，特别是更正和删除的权利；以及

• 数据保护官和员工代表参与有关人工智能应用的决策。

The Guidance states that deployers of the AI applications must:

• define responsibility and regulate it bindingly, including with external providers and joint controllers;

• issue and document internal regulations determining the conditions and specific purposes for the use of the AI applications;

• carry out a Data Protection Impact Assessment (DPIA) before processing personal data;

• provide devices and accounts for the professional use of AI applications by employees;

• take into account principles of data protection by design and by default when designing the AI system;

• in addition to the technical and organizational measures required by Articles 25 and 32 of the GDPR, also meet the requirements applicable to IT systems;

• raise awareness by providing training, guidelines, and discussions; and

• monitor future legal and technical developments.

《指南》规定，人工智能应用程序的部署者必须：

• 明确责任并对其进行约束性管理，包括与外部提供商和联合控制方的责任；

• 发布并记录内部规定，确定使用人工智能应用程序的条件和具体目的；

• 在处理个人数据前进行数据保护影响评估；

• 为员工使用人工智能应用程序提供专门的设备和账户；

• 在设计人工智能系统时考虑到设计和默认情况下的数据保护原则；

• 除了GDPR第25和32条要求的技术和组织措施外，还要满足适用于IT系统的要求；

• 通过提供培训、指导和讨论来提高认识；以及

• 关注未来的法律和技术发展。

The Guidance highlights that AI application deployers must take particular care when entering and outputting personal data, as well as with special categories of personal data. Furthermore, the deployers must check results for inaccuracies and discriminatory effects.

《指南》强调，人工智能应用程序的部署者在输入和输出个人数据以及特殊类别的个人数据时必须更加谨慎。此外，部署者必须检查结果是否不准确以及是否会产生歧视性影响。

上述资讯源自dataguidance，详见：

https://www.dataguidance.com/news/germany-dsk-publishes-guidance-ai-applications

Spain AEPD Fines 4Finance Spain €480,000 for Data Security Failures

西班牙AEPD因数据安全漏洞对西班牙4Finance公司罚款480,000欧元

On May 7, 2024, the Spanish data protection authority (“AEPD”) published its decision in Proceeding No. PS-00424-2023, in which it imposed a fine of €480,000 on 4Finance Spain Financial Services, S.A.U. (“Vivus”) which was subsequently reduced to €360,000, for violations of the GDPR, following a data breach.

2024年5月7日，西班牙数据保护机构（以下简称“AEPD”）在编号为PS-00424-2023的诉讼案中公布了一项决定，其中对4Finance Spain Financial Services, S.A.U.（以下简称“Vivus”）公司处以480,000欧元的罚款，随后又将罚款减至360,000欧元，原因是该公司在发生数据泄露事件后违反了GDPR。

The AEPD stated that on February 17, 2023, Vivus notified the AEPD that the company had suffered a data breach which led to the exposure of the financial data of customers. Following the notification, the AEPD ordered Vivus to inform the affected customers of the data breach.决定背景

AEPD指出，2023年2月17日，Vivus通知AEPD该公司发生了数据泄露事件，导致客户的财务数据外泄。在接到通知后，AEPD命令Vivus将数据泄露事件告知受影响的客户。

Following an investigation, the AEPD found that Vivus violated Article 32 of the GDPR by failing to implement appropriate technical and organizational data security measures that could have prevented the breach. The AEPD noted that the impact assessment Vivus conducted prior to the breach focused on the financial risks to the company rather than the specific risks to individuals' rights and freedoms arising from the processing.Additionally, the AEPD found that Vivus had violated Article 5(1)(f) of the GDPR for failing to ensure that it processed data securely.

AEPD经过调查发现Vivus违反了GDPR第32条的规定，因为它没有实施适当的技术和组织数据安全措施来防止数据泄露。AEPD指出，Vivus在数据泄露前进行的影响评估侧重于公司的财务风险，而不是处理过程中对个人权利和自由造成的具体风险。此外，AEPD还认定Vivus违反了GDPR第5(1)(f)条的规定，因为它未能确保安全处理数据。

In light of the above, the AEPD imposed a fine of €480,000 on Vivus. On this, the AEPD provided that Vivus had already paid the fine in the amount of €360,000, making use of the voluntary payment procedure and acknowledging its responsibility.

鉴于上述情况，AEPD对Vivus处以480,000欧元的罚款。对此，AEPD提供的信息是，Vivus已通过自愿支付程序支付了360,000欧元的罚款，并承担了相应的责任。

上述资讯源自dataguidance，详见：

https://www.dataguidance.com/news/spain-aepd-fines-4finance-spain-480000-data-security

Spain AEPD Fines Dentalcuadros €20,000 for Lack of Security Measures and Delayed Breach Notification

西班牙AEPD因Dentalcuadros缺乏安全措施和延迟通知漏洞对其处以20,000欧元罚款

On May 8, 2024, the Spanish data protection authority (“AEPD”) published its decision in Proceeding No. PS/00078/2024, in which it imposed a fine of €20,000 on Dentalcuadros BCN SLP, which was subsequently reduced to €12,000, for violations of the GDPR following a data breach notification.

2024年5月8日，西班牙数据保护机构（以下简称“AEPD”）公布了其在第PS/00078/2024号诉讼案中的决定，其中对Dentalcuadros BCN SLP公司处以20,000欧元的罚款，随后又将罚款降至12,000欧元，原因是该公司在数据泄露通知后违反了GDPR。

The AEPD highlighted that on May 12, 2023, it was notified by Dentalcuadros of a ransomware attack that took place on April 20, 2023, affecting the availability and confidentiality of personal data, including contact data, identification data, and health data of the patients.

AEPD强调指出，2023年5月12日，Dentalcuadros于2023年4月20日通知AEPD其发生了勒索软件攻击事件，影响了个人数据的可用性和保密性，包括患者的联系数据、身份数据和健康数据。

Following its investigation, the AEPD noted that Dentalcuadros did not have the appropriate security measures in place, pursuant to Article 32 of the GDPR, including the absence of a sufficiently strong antivirus and recent backups to the external server. In particular, four Data Protection Impact Assessments that were carried out included a list of measures to be implemented for the mitigation of risk. However, Dentalcuadros was not able to prove the implementation of such measures.

经过调查，AEPD注意到Dentalcuadros没有根据GDPR第32条采取适当的安全措施，包括没有足够强大的杀毒软件和外部服务器的最新备份。特别是，已进行的四次数据保护影响评估包括了一份为降低风险而实施的措施清单。然而，Dentalcuadros无法证明这些措施的执行情况。

Furthermore, the AEPD highlighted that Dentalcuadros did not respect the deadline of 72 hours to notify the AEPD of the data breach, pursuant to Article 33 of the GDPR. The notification was delayed by 22 days, and Dentalcuadros was not able to provide reasons for the delay.

此外，AEPD还强调，Dentalcuadros没有遵守GDPR第33条的规定，没有在72小时内向AEPD通报数据泄露事件。通知延迟了22天，且Dentalcuadros无法提供延迟的原因。

Subsequently, the AEPD found that Dentalcuadros had violated Articles 32 and 33 of the GDPR regarding the implementation of security measures and data breach notification.

随后，AEPD认定Dentalcuadros在实施安全措施和数据泄露通知方面违反了GDPR第32条和第33条。

In light of the above violation, the AEPD imposed a fine on Dentalcuadros of:

• €15,000 for the violation of Article 32 of the GDPR; and

• €5,000 for the violation of Article 33 of the GDPR.

鉴于上述违规行为，AEPD对Dentalcuadros处以罚款：

• 因违反GDPR第32条，罚款15,000欧元；以及

• 因违反GDPR第33条，罚款5,000欧元。

However, the total fine was subsequently reduced to €12,000 after Dentalcuadros made use of the voluntary payment procedure and acknowledged its responsibility.

然而，在Dentalcuadros使用自愿付款程序并承认其责任后，罚款总额随后减少至12,000欧元。

上述资讯源自dataguidance，详见：

https://www.dataguidance.com/news/spain-aepd-fines-dentalcuadros-20000-lack-security

01

想要获得更多资讯内容

请扫码关注我们

M姐 数据合规评论

微信号｜M_DigitalLawandLife