Aruba: 6 million PEC mailboxes were at risk. Here are the security issues


In recent days the Guarantor for the protection of personal data (Privacy Guarantor) announced that it had "prescribed that Aruba Pec S.p.a. implement measures to secure its certified e-mail service, which manages over six million mailboxes used by public entities (such as central administrations and State premises), private companies and individual professionals".

The news was deliberately delayed so as to allow the company to implement the prescribed measures and to prevent the detected vulnerabilities from being exploited by attackers. The company has complied with what was requested. The vulnerabilities were identified during an inspection regarding the management of the PEC service, conducted in the second half of 2019. "The Authority has adopted an urgent measure to prevent the different categories of data subjects involved (PEC mailboxes, message senders and recipients, subjects whose data are present in messages or attachments) from being exposed to serious risks to their rights and freedoms deriving from possible misuse of personal data or identity theft."


The investigations revealed that approximately 560,000 users were still using the initial password to access their PEC mailbox, a password chosen for them by one of the company's 8,900 partners (such as professional orders, public administrations and private subjects), without a password change at first access being enforced, as it should have been.

The IT procedures adopted also contained additional serious vulnerabilities. For example, the technical management passwords of some IT services were recorded in clear text in the operation tracking logs, considerably increasing the possibility of illicit access, both by unauthorized internal subjects and in the event of a cyber attack.

Another criticism concerned the possibility of consulting and exporting, from the Internet, the logs of the messages exchanged by over 6 million PEC mailboxes. This operation was, moreover, possible through a user account with elevated administration privileges (superadmin) that was used by several people, in violation of the most basic principles of security of processing (which instead require that each operator be assigned individual credentials) and without an adequate assessment of the risks associated with the possibility of accessing this information, including from outside the corporate network.


The Guarantor therefore required Aruba Pec S.p.a. to enforce a mandatory change of the access passwords to certified mailboxes issued in an unsafe way, to redefine its tracking procedures so that the logs produced do not contain information that is not indispensable for control and security purposes, and to intervene on how the logs of messages sent or received by all PEC mailboxes are consulted and exported.

With a subsequent provision, the Guarantor will evaluate further aspects of the data processing carried out by Aruba Pec S.p.a., as well as the violations detected as a whole. Aruba, for its part, has released a note explaining that "no illegitimate access has been carried out on the system and no theft of identity, data or passwords has occurred. Regarding the indications, improvements and modifications required by the provision of the Privacy Guarantor, Aruba Pec immediately took steps to further raise the level of security of the system, which – it is reiterated – has never been violated".
