| Authority: | APD |
|---|---|
| Jurisdiction: | Angola |
| Relevant law: | Personal Data Protection Act |
| Type: | Own Assessment |
| Outcome: | Violation |
| Started: | March 2024 |
| Decided: | 19 July 2024 |
| Published: | No |
| Fine: | US$75,000 |
| Parties: | COSAL – Comércio e Serviços de Angola, Lda |
| Case No.: | N/A |
| Appeal: | N/A |
| Original Source: | APD |
| Original contributor: | MZIZI Africa |
Banco de Poupança e Crédito (BPC), an Angolan public bank, was fined for violating data protection laws after a document listing terminated employees' personal data was leaked on social media. The violations included inadequate data protection measures, unauthorized disclosure, and processing of personal data without proper authorization, affecting 278 employees.
The Angolan Data Protection Agency ("APD" or "DataReg") initiated an own assessment of the effectiveness of COSAL's IT infrastructure after an allegedly inappropriate implementation of cybersecurity measures left the company's IT infrastructure susceptible to a ransomware attack that compromised customer and employee data.
A threat actor, the BlackCat Ransomware Group, claimed the cyber attack via Twitter, declaring itself responsible for what happened to the COSAL Group.
Dark Web Intelligence on Twitter / X
According to the DataReg, COSAL failed to comply with the duty to put in place appropriate technical and organizational measures to protect the personal data of its employees, customers and workers.
COSAL was sanctioned with a fine equivalent in AKZ to 75,000 USD (Seventy-five thousand US dollars).
The full text of the ruling is not available, but press releases about it are available below.
AGÊNCIA DE PROTECÇÃO DE DADOS - News - Decision on administrative offence proceedings
Hacker group "BlackCat" claims cyber attack on ENDE and COSAL - Menos Fios