Geopost

DPD, also known as Geopost, functions as a parcel delivery and logistics provider that moves goods from senders to recipients through collection, sorting, transportation and last‑mile delivery services for business and private customers. The organisation is part of the GeoPost group, which constitutes the international parcel division of the French postal service La Poste. Its headquarters are situated in Spain, as noted in the organisational context. DPD/Geopost operates a network that spans numerous European countries, facilitating cross‑border shipments as well as domestic deliveries. The service model relies on collecting personal data such as names, addresses, email addresses and telephone numbers to address parcels and communicate with customers. This information is used exclusively for the purpose of fulfilling transport obligations and is retained only for the duration necessary to complete the delivery process. By focusing on the logistics chain, the company supports e‑commerce growth and the movement of goods within the single market. Its operational expertise lies in managing high volumes of parcels while maintaining traceability and timely delivery.

On 19 June 2024, the Spanish subsidiary of Geopost detected unauthorised access to a database that stored customer information required for its transport services. The compromised dataset consisted of names, postal addresses, email addresses and, in certain cases, phone numbers—limited to the details needed to address and deliver parcels. Upon discovery, the company engaged external cybersecurity specialists to conduct a forensic investigation and determine the scope of the breach. It promptly informed the Spanish data protection authority and, in accordance with applicable regulations, began notifying potentially affected individuals. Remediation actions included forcing password renewals for all accounts linked to the affected systems, reformatting compromised devices, upgrading firewall configurations and deploying additional intrusion‑detection sensors. The organisation also enhanced its monitoring capabilities by implementing real‑time alerts for anomalous access attempts and increasing log‑retention periods. Official statements clarified that the incident was not a ransomware attack, but the exposed personal data could increase the likelihood of unsolicited messages or phishing attempts directed at the individuals concerned. These events underscore the organisation’s specialisation in parcel logistics, its responsibility for safeguarding personal data linked to transport activities, and its ability to activate incident‑response procedures while operating as a subsidiary within the broader Geopost structure.