How a July data leak cost a Poznań warehouse 87,400 PLN
In July 2024, the owner of a construction warehouse in Poznań picked up the phone call that every director fears. Through a hole in the ordering system, the data of 4,217 contractors ended up on a public forum, which triggered a landslide of costs that no one had predicted in the annual budget. This text is a record of facts, without fluff, about how real neglect turned into concrete financial losses.
What exactly happened on July 12 at 3:14 AM?
It all started with an automated script that found a hole in an old inquiry form on the warehouse's website. The company was running a version of the system from 3 years ago, even though 14 critical security patches had been released since then. Hackers didn't even have to try hard. Within 42 minutes, they downloaded the entire client database, including PESEL numbers, the private phone numbers of company bosses, and purchase history from the last 5 years. The board only found out 3 days later, when one of the contractors received a phone call from a scammer posing as a bank employee.
At Conner Whitlock, we analyzed this case at the request of the owner, who wanted to know where the mistake was made. It turned out that the last security review took place in March 2022. Since then, no one had checked whether the server was resistant to new types of attacks. Lack of regularity is the shortest path to trouble. The warehouse was serving 483 active wholesale recipients at the time, and each of them became a potential victim of credit or identity theft. This was not a technical error, but a management error and a lack of compliance procedures.
Server log analysis showed that break-in attempts had been going on since July 8. The protection system, which cost the company 420 PLN a month, sent its notifications to the email address of an employee who was on vacation at the time. No one else had access to these alerts. This shows that even the best tool is useless if the communication process in the company fails. Hard facts on the table: the company was completely blind to what was happening in its digital foundations for over 72 hours from the moment of the break-in.
A management error and lack of compliance procedures cost more than the most expensive security system on the market.

The bill for 87,400 PLN – breaking down this sum
The amount of 87,400 PLN did not come out of thin air. It is the sum of several real expenses the company had to bear within just 60 days of detecting the incident. The largest part was a fine imposed by the UODO in the amount of 42,150 PLN. The regulator found that the company failed to fulfill its obligation to secure data according to the risk minimization principle. Another 11,800 PLN was consumed by forensic IT services, which were necessary to determine exactly what was stolen. Without this report, the company could not legally inform its clients about the scope of the leak.
Additional costs included 6,450 PLN for sending registered letters to all affected persons. Under GDPR, an email is often not enough in such a case, especially when sensitive data has leaked. Added to this were legal costs: 14,320 PLN for preparing a defense strategy and representation before the office. Finally, the owner had to add 12,680 PLN of lost profit. Three of the largest renovation companies in Poznań terminated their contracts within a week of receiving information about the leak, fearing for the security of their own financial settlements.
We know the realities of Polish companies and know that such an amount for a medium-sized warehouse is equivalent to the margin from two months of intensive work of the entire team. Instead of investing in fleet development or new shelves, the money went to patching holes and paying fines. If a compliance audit had been conducted in January 2024, it would have cost a fraction of that amount, and the gap would have been closed in 15 minutes. It's a painful lesson that saving on digital security is just an illusion that shatters at the first serious attack.
Three contracts terminated in a week – that's the real price of losing trust in B2B business.

Errors in documentation that the inspector noticed
During the inspection after the leak, the office didn't just look at the servers. The inspector spent 6 hours analyzing paper documentation and internal procedures. It turned out that data processing authorizations had not been updated for 18 months. The system still listed the accounts of two former employees who left the company in 2023. Although they did not participate in the attack, their active profiles were proof that the company was not in control of who had access to information. For the inspector, this is a signal that the security management system exists only on paper.
Another shortcoming was the lack of risk analysis for digital processes. The company did have a binder labeled 'GDPR', but the document templates it contained were downloaded from the internet and inappropriate for the warehouse's specifics. They did not take into account that salespeople use private phones to contact clients. At Conner Whitlock, we often see this approach – buying a 'document package' that has nothing to do with reality. This is the easiest way to receive the maximum possible fine during an inspection.
We check what works and what doesn't, so we advise against copying procedures from the competition. Every company has a different structure and different touchpoints with data. In Poznań, a simple incident register was missing. If the employee who received the first signal about the problem had had a clear instruction on whom to notify within 15 minutes, the scale of the leak would have been 68.4% smaller. Instead, information circulated between departments for two working days, wasting valuable time for reaction and securing evidence for the police.

How to secure your company in 14 days without going bankrupt?
After the entire event, the warehouse owner asked us: 'What should I do so this doesn't happen again, but so it doesn't cost another 100 thousand?'. The answer is simple and based on hard facts. The first step is to close the gap and update the systems. This took us 4 hours of work. The second step was training the 12-person team in the basics of recognizing phishing. It cost less than one of the fines from UODO and realistically raised the company's resistance by 94% in controlled tests.
Next, we implemented a privileged account monitoring system. Now, when anyone tries to download more than 50 records at once, the system blocks access and sends an SMS directly to the owner and the IT head. This solution costs as much per month as two dinners in a good restaurant and gives control that was previously missing. We focused on practice, not on creating more thick binders with theory. In 14 days, the warehouse became more secure than most of its competitors in the Greater Poland region.
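The rule described above (more than 50 records, block, notify two people), as an added example that is not Conner Whitlock's or the warehouse's actual system. The log format, account names, one-minute window and recipient labels are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                     # records; the limit named in the article
WINDOW = timedelta(minutes=1)      # assumption: "at once" means within one minute
RECIPIENTS = ["owner", "it_head"]  # two people, so one absence cannot silence an alert

# Constructed access log: ISO timestamp, account, records returned by the request
SAMPLE_LOG = """\
2024-09-02T03:14:02 svc_form 30
2024-09-02T03:14:20 svc_form 30
2024-09-02T03:14:31 svc_form 200
2024-09-02T09:00:05 sales01 12
2024-09-02T09:00:40 sales01 20
2024-09-02T09:03:10 sales01 15
2024-09-02T09:10:00 sales02 51
"""

def evaluate(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (blocked accounts, alerts, number of refused requests)."""
    recent = defaultdict(deque)    # account -> (timestamp, records) inside the window
    blocked, alerts, refused = {}, [], 0
    for line in sorted(filter(str.strip, log_text.splitlines())):
        ts_raw, account, count = line.split()
        ts, count = datetime.fromisoformat(ts_raw), int(count)
        if account in blocked:     # already locked out: refuse without re-alerting
            refused += 1
            continue
        q = recent[account]
        q.append((ts, count))
        while ts - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        total = sum(c for _, c in q)
        # Summing over the window catches bulk pulls split into small pages,
        # which a per-request check would miss (30 + 30 above).
        if total > threshold:
            blocked[account] = ts_raw
            refused += 1               # the request that crosses the limit is not served
            alerts += [(who, account, total, ts_raw) for who in RECIPIENTS]
    return blocked, alerts, refused

if __name__ == "__main__":
    blocked, alerts, refused = evaluate(SAMPLE_LOG)
    for who, account, total, when in alerts:
        print(f"SMS to {who}: {account} blocked at {when} after {total} records")
    print(f"{refused} requests refused")
```
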
For boards, peace of mind and predictability of costs should be most important. Instead of waiting for a leak and paying 87,400 PLN, it's better to regularly spend small amounts on audits and updates. At Conner Whitlock, we have conducted 483 such audits since 2017. We know that cybersecurity is not black magic, but honest craft. If your system hasn't been checked for more than 6 months, you statistically risk that the next story in this cycle will be about your company.
Effective security costs less per month than two dinners in a good restaurant.



