Cyberattack on Polish public procurement platform

e-Procurement Platform

The Platform provides free electronic services to support the public procurement process. The platform offers services related to the award of contracts, from publication, submission and opening of offers to the exchange of information at all stages of the public procurement process. 

DDoS attack

The actions that shut down the Platform’s operations took the form of a DDoS (distributed denial of service) attack. Its primary objective is to disrupt, and ultimately stop, the operation of an internet service.

Consequences of the attack on the Platform

The effects of the cyber-attack on the e-Procurement Platform were mainly experienced by the participants of the proceedings in which the deadline for the submission of offers expired on the day of the attack. According to available information, the deadline for submitting offers in 75 public procurement proceedings expired on that day.

This raised the question of what should the contracting authorities - the organisers of these proceedings - do? The attack caused a situation in which contractors wishing to submit offers on the last day of the deadline for submission may not have had access to the platform and thus may have been deprived of the opportunity to submit an offer. 

This situation has highlighted an important gap in the Polish legislation. The Polish law did not foresee that the IT system used to conduct the proceedings may not function when the deadline for the submission of offers expires. In such a case, the law does not provide for an automatic postponement of the deadline for the submission of offers.

In consequence if it was not possible to submit an offer on the attacked Platform on the last day of the deadline for submission of offers, the contracting authorities could only invalidate the proceedings under Article 255(6) of the Public Procurement Law (PPL). Pursuant to this provision, the contracting authority should invalidate the contract award procedure if the procedure suffers from an irremovable defect preventing the conclusion of a non-cancellable public procurement contract.

The inability to submit an offer due to reasons resulting from the malfunctioning or non-functioning of the IT tool used to conduct the procedure restricts fair competition and equal treatment of contractors. Continuing the procedure where not all contractors interested in the procedure were able to submit offers violates the above-mentioned basic principles of public procurement. As a result, the situation of contractors differs depending on whether they decided to submit a tender on the last day or submitted it earlier. The first group was deprived of the chance to submit an offer, while the second group had this opportunity.

In theory, contracting authorities conducting proceedings in which deadlines for the submission of offers passed during the time when the Platform was not working, could postpone the deadline for the submission of offers. However, according to PPL changing the deadline for the submission of offers is possible only before this deadline. When the Platform is not working, the contracting authority cannot inform the contractors about deadline modification. This solution is impossible in practice.

We analysed a few proceedings in which the deadline for submission of offers fell during the hacking attack. Interestingly, a significant group of the contracting authorities simply ignored the failure of the Platform. The contracting authorities did not cancel the proceedings and opened offers immediately after the Platform was restarted. On the other hand, some contracting authorities formally decided to postpone the opening of tenders until the following day.

The contracting authorities probably assumed that if a contractor failed to submit an offer because the Platform did not work, it would lodge an appeal and then possibly decide to invalidate the procedure. However, this does not change the fact that such a procedure suffers from a material defect, which should result in obligation to cancel the procedure.

Probably the best solution for the future would be that in such a case (system failure at the time of the deadline for submission of offers), the deadline for submission of offers would be automatically extended based on the law, and the contracting authority would be obliged to provide a new deadline for its completion. However, for the time being it seems that the Polish public procurement law is not protected against DDoS attacks.