The Eiffage Group in Poland, which includes the companies listed in section 5.3. below of this notice (hereinafter “Eiffage Poland” or “the Eiffage Poland companies”), which individually or jointly with the other aforementioned companies are the controllers of your personal data, announces a personal data breach that occurred on 4 March 2021.
- WHAT HAPPENED?
- Please be advised that on 4 March 2021 a personal data breach was identified at the Eiffage Poland companies, consisting in the loss by these companies of access to personal data processed in particular in the recruitment process, employee management, the legal service of the companies and the service of contractors and clients.
- The findings of the investigation have shown that the incident was caused by malicious software (ransomware) called Sodinokibi/REvil interfering with data availability. This was a deliberate and intentional action by third parties who gained access to the IT system of the Eiffage Poland companies with the intention of disabling it and demanding a ransom.
- WHAT COULD BE THE CONSEQUENCES OF THIS INCIDENT?
- In the opinion of the Eiffage Poland companies there has been a breach of availability of the above personal data. No breach of confidentiality and integrity of the aforementioned data has been identified as of today (i.e. it has not been identified that your personal data has been leaked and could have been published and/or used by unauthorised third parties in any way).
- In the interests of prudence and concern for the security of your data, we therefore point out the following potential consequences of the above incident, in addition to the limitation of your ability to exercise your rights, including your rights under Articles 15–20 of the GDPR (RODO): third parties obtaining loans from non-banking institutions, gaining access to healthcare services, exercising civic rights (e.g. using data to vote on participatory budgeting measures), fraudulent use of insurance or insurance funds, and receiving unsolicited commercial communications via e-mail, post or telephone.
- WHAT ACTION HAS EIFFAGE POLAND TAKEN SINCE BECOMING AWARE OF THE BREACH?
- Immediately upon becoming aware of the occurrence of the incident, each Eiffage Poland company took action to end the data breach and minimise its adverse effects.
- Immediately upon discovery of a personal data breach, each Eiffage Poland company took action to remedy the personal data breach by:
  - disconnecting all servers from the public network and the Eiffage IT network;
  - sending employees of the Eiffage Poland companies a message advising them not to use company equipment, to report all suspicious events to the IT department and not to open attachments from untrusted sources;
  - providing replacement IT equipment to restore current operations; and
  - engaging an external entity specialised in IT security to manage the incident, analyse the incident, determine its scope and remove its negative effects.
- In addition, the Eiffage Poland companies have performed the following actions to remedy the personal data breach:
  - regular monitoring of the internet network through the resources of the Eiffage Group in France to check, based on “keywords”, whether there has been a breach of data confidentiality, and
  - performing a volumetric analysis of network traffic and monitoring the dark web.
- We also cooperate with the supervisory authority, the President of the Office for Personal Data Protection (“PUODO”). On 8 March 2021, we reported a personal data protection breach to the PUODO and took the action requested by the authority.
- WHERE CAN I GET MORE INFORMATION ON A DATA BREACH?
- For further information regarding this personal data breach and the processing of your personal data by the Eiffage Poland companies, please write to the address of the respective Eiffage Poland company listed in section 5.3. below, i.e. 28 Domaniewska Street, 02-672 Warsaw (marked “EIFFAGE-RODO”), or electronically to privacy.poland@eiffage.com.
- WHAT CAN BE DONE TO AVOID THE NEGATIVE CONSEQUENCES OF THE BREACH?
- In order to safeguard against the potential negative consequences of the breach occurring and the unauthorised use of your data, we recommend that you take the following actions:
  - set up an account in a credit and business information system in order to monitor your credit activity, which will allow the detection of an attempt to obtain, or the obtaining of, a loan by an unauthorised person;
  - be cautious about giving out personal information to others, especially over the Internet or telephone, as those who may have come into possession of personal information without authorisation may use it or pass it on to others and then, by obtaining additional information, gain further access, for example to bank accounts;
  - change your access passwords to your bank account (in particular Internet banking), e-mail and other access channels where the passwords may have consisted of data that has been compromised;
  - check your accounts for any suspicious activity;
  - be wary of unsolicited correspondence that asks for personal information or refers you to a website asking for personal information;
  - avoid opening links or downloading attachments from suspicious e-mails.
- We emphasise that we have made every effort to minimise the risk of negative consequences of the breach occurring. We have also taken technical, legal and organisational measures to eliminate similar incidents in the future.
- The breach to which this notice relates involved personal data processed by the following companies: Eiffage DOD Poland sp. z o.o. with its seat in Warsaw, Eiffage Projekt 1 sp. z o.o. with its seat in Warsaw, Eiffage Inwestycja Poznań sp. z o.o. with its seat in Warsaw, Eiffage Galeria S.A. with its seat in Warsaw, Quadrat Postępu sp. z o.o. with its seat in Warsaw, Eiffage Immobilier Polska sp. z o.o. with its seat in Warsaw, Eiffage Polska Budownictwo S.A. with its seat in Warsaw, Eiffage Polska Koleje sp. z o.o. with its seat in Warsaw, Eiffage Polska Serwis sp. z o.o. with its seat in Warsaw, and Eiffage Construction SAS with its seat in Vélizy-Villacoublay (France).