Morele.net data breach
Attackers stole the customer database of the Polish e-commerce group Morele.net, exposing data on about 2.2 million customers and launching an SMS-phishing campaign that demanded a fake PLN 1 'top-up' via a counterfeit payment gateway. Poland's UODO issued its then-largest GDPR fine of EUR 660,000.
- Victim: Morele.net
- Records: 2.2M
- Users: 2.2M
In late 2018, the Polish e-commerce group Morele.net, operator of a family of popular online electronics and general-merchandise stores, suffered a database breach that exposed data on roughly 2.2 million customers and fuelled a large SMS-phishing (smishing) fraud campaign. The case produced what was then Poland's largest GDPR fine.
What happened
The breach surfaced publicly in November 2018, when customers began receiving SMS messages claiming they needed to pay an additional PLN 1 to complete a recent order. Each message carried a link to a counterfeit copy of the Dotpay electronic-payment gateway that harvested payment-card details. The personalised nature of the messages, which referenced real orders, made clear that the attackers had obtained customers' order and contact data from Morele's systems.
Investigation determined that an unauthorised party had accessed the company's customer database, exfiltrating records used to make the phishing lures convincing.
Impact
- Data on approximately 2.2 million customers was compromised.
- Exposed information included names, email addresses, delivery addresses, phone numbers, and password hashes; one analysis catalogued nearly 2.5 million unique email addresses.
- The follow-on smishing campaign attempted to defraud customers through the fake payment gateway, turning a data breach into direct financial-fraud risk.
Regulatory outcome
On 19 September 2019, the Polish Personal Data Protection Office (UODO) imposed a fine of over PLN 2.8 million (about EUR 660,000), at the time the highest data-protection penalty in Poland. UODO identified three core failings: Morele.net breached the GDPR confidentiality principle, failed to effectively monitor unusual activity such as anomalous data downloads, and did not react quickly enough while large volumes of data were being exfiltrated. The regulator concluded that the company's organisational and technical safeguards were inadequate for the volume and sensitivity of the data it held.
Years later, the criminal track produced results: in 2025, a Polish suspect was charged in connection with the breach, roughly seven years after the event.
Why it matters
The Morele.net breach became a defining early test of GDPR enforcement in Poland and a textbook example of how a database compromise chains into mass smishing fraud. The record fine signalled that regulators would penalise deficient monitoring and slow detection, not merely the fact of a breach, and established that monitoring for anomalous bulk access to customer data is a baseline expectation for large consumer platforms.
Timeline
- November 2018: Customers of Morele.net begin receiving SMS messages demanding a PLN 1 'top-up' payment via a link to a fake Dotpay payment gateway.
- Morele.net identifies the database breach and the linked smishing campaign and begins warning customers.
- The company reports the incident, confirming data on about 2.2 million customers was compromised.
- 19 September 2019: Poland's data-protection authority (UODO) imposes a fine of over PLN 2.8 million (EUR 660,000), then the largest in the country.
- 2025: A Polish suspect is charged in connection with the breach, roughly seven years after the incident.
Sources
- itgovernance.eu: https://www.itgovernance.eu/blog/en/polish-dpo-issues-fine-to-online-retailer-for-data-breach
- mondaq.com: https://www.mondaq.com/data-protection/848252/eur-660000-fine-in-poland-for-violation-of-personal-data-protection-regulations
- bitdefender.com: https://www.bitdefender.com/en-us/blog/hotforsecurity/polish-hacker-charged-seven-years-after-massive-morele-net-data-breach
- dudkowiak.com: https://www.dudkowiak.com/blog/morele-net-is-punished-with-a-record-penalty-for-violating-the-provisions-of-the-gdpr.html