PrivacyCache
Country: PL | Category: Data Breach | Sector: E-commerce | Decision: 2019-09-10

Morele.net Sp. z o.o.

€660K

Issued by Urząd Ochrony Danych Osobowych (UODO) on 2019-09-10

What happened

Poland's data protection authority, the UODO, fined Morele.net, a large Polish online electronics retailer, PLN 2.83 million (approximately €660,000) after a data breach exposed the personal data of approximately 2.2 million customers. In late 2018 attackers gained unauthorised access to the customer database, which held names, email addresses, phone numbers and delivery addresses; for a smaller group of customers who had applied for instalment financing, the records also contained identity data such as PESEL numbers. The stolen contact data was then used against the customers themselves: they received SMS messages impersonating Morele.net that asked them to complete a small additional payment through a fraudulent payment page. The UODO found that the company had not implemented technical and organisational measures appropriate to the risk, citing in particular insufficient access controls and the absence of multi-factor authentication on administrative access, as well as inadequate network segmentation. The practical point for practitioners is that the breach did not require a sophisticated exploit chain: once an administrative login was obtained, a single password stood between the attacker and the full customer table, and no monitoring flagged the bulk export. Although Morele.net is a mid-market company rather than a multinational, the UODO applied the same Article 32 standard it applies to large enterprises.

Articles violated

Art. 5(1)(f) GDPR (integrity and confidentiality); Art. 32 GDPR (security of processing)

Lessons learned

E-commerce companies of all sizes must implement robust security measures, including multi-factor authentication on every administrative and back-office login, network segmentation that keeps customer databases out of direct reach of web-facing components, and regular vulnerability assessments. Company size does not reduce GDPR obligations: Article 32 requires measures proportionate to the volume and sensitivity of the data processed, and a retailer holding millions of customer records is judged against that volume, not against its headcount. A breach that exposes contact details also exposes customers to follow-on phishing, which regulators treat as part of the harm. Regular security audits and penetration testing cost far less than the fine, the remediation effort and the reputational damage that follow a breach of this scale.

Source

View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
