The Greek data protection authority has imposed fines of 5.85 million euros to COSMOTE and 3.25 million euros to OTE, or a total of 9.1 million euros for the OTE Group, for leaking sensitive customer communication due to a cyberattack.

As the agency said in its announcement, COSMOTE infringed at least eight articles of the GDPR, including violating its duty to inform affected customers of the true impact of the incident.

An internal investigation conducted by COSMOTE in 2020 revealed that a hacker social engineered one of its employees through LinkedIn and later used brute-forcing tools to derive the target's account credentials. According to the findings of the investigation, the adversary used a Lithuanian IP address for accessing one of OTE's servers repeatedly. The threat actor leveraged the account credentials to steal database files on five separate occasions. The size of the stolen data amounted to 48GB.

COSMOTE keeps call details on its servers for 90 days for service quality assurance, and maintains an anonymized version of the data for another 12 months for statistical analysis that helps in targeted service improvement.

As the data protection authority probe discovered, the anonymization process wasn't properly done, and the data holding periods weren't strictly respected. Nearly 4.8 million subscribers were affected by various data breaches.