On Thursday, Niezależna reported a leak of sensitive personal data belonging to judges, court employees, and likely also parties to legal proceedings, from databases maintained by the Warsaw Court of Appeals. In response to Niezależna’s article, the court’s leadership published a statement confirming its findings. Notably, the scandalous breach was summarized as an “unpredictable breach of trust” on the part of a former employee. At the same time, the consequences of the breach, which the court’s leadership itself reported to the President of the Personal Data Protection Office (UODO), were called into question.
A Serious Breach
Lax procedures, and possibly also a lack of proper oversight, led to a leak of sensitive data pertaining to judges and all court staff via the Electronic Services Platform of the Social Insurance Institution (PUE ZUS). It was revealed that individuals who had previously been dismissed did not have their login credentials to the system revoked.
As admitted in a letter to court employees by Director Katarzyna Adamczyk-Czubik, “two identified individuals logged into the system and accessed personal data including names, PESEL numbers, and health information concerning sick leave.”
Niezależna’s investigation further revealed that there had also been unjustified retrieval of data from the PESEL database, which allows for the verification of participants in court proceedings, including, inter alia, witnesses and legal representatives.
The press office of the court declined to confirm the information Niezależna obtained, claiming it was unable to open the attachment containing a scanned press credential. However, Niezależna’s findings were confirmed by Piotr Antoni Skiba, spokesperson for the District Prosecutor’s Office in Warsaw, who informed the portal that the court’s leadership had submitted a notice of suspected criminal activity. The spokesperson for the Personal Data Protection Office also confirmed that “in both cases, the data controllers reported breaches of data protection to the President of the Personal Data Protection Office.”
The Court Responds
Following the above-mentioned publication, the Warsaw Court of Appeals posted a statement on its website confirming Niezalezna.pl’s findings. It assured the public that “all available measures, including legal ones, have been undertaken not only to clarify the circumstances and motives behind the unauthorized access to protected data but also to strengthen security protocols and hold accountable those responsible for the violations.”
In its explanation of the scandalous breach, the court’s leadership effectively admitted that data protection procedures were flawed and reliant on… trust. “A breach of trust placed in an employee is, as a rule, unpredictable until it occurs,” the statement read. Let us emphasize that this concerned a former employee.
Addressing the information the portal uncovered regarding unjustified access to the court’s PESEL database, the statement declared that “no instances of unauthorized access to protected data of witnesses, parties, or legal representatives have been identified.”
However, the core issue lies in the fact that while access to the aforementioned database may have been formally authorized, it was not necessarily justified. Obtaining information from the system requires legal grounds and the citation of a case reference number. According to Niezależna’s findings, this procedure was not followed—a fact the court’s leadership itself reported to the President of the Personal Data Protection Office.