The Norwegian Data Protection Authority (DPA) has been investigating a data breach by a public body. They looked at the breach in relation to Data Protection Regulations and GDPR.
An employee of the public body was contacted by his bank after attempts were made to misuse his payment card abroad. The employee notified the Body, and it was then that the Body realised it had been exposed to a data breach via unauthorized logins to the email accounts of an unknown number of representatives and employees. As the Body investigated, it discovered that the following information had been taken:
- Bank account information
- Personal information about third parties
- Birth numbers
- Health information
Data Protection Regulations and GDPR
The Data Protection Regulations address situations such as this, and organizations are expected to put measures in place to prevent breaches like this from taking place. Article 5(1)(f) of the Regulations states that personal data shall be processed in a manner that ensures adequate security. This must include protection against unauthorized or illegal processing and against unintentional loss, destruction or damage. There is also an obligation to have technical and organisational measures in place. These measures could include technical measures, such as authentication solutions, or organisational measures, such as procedures and training of personnel.
When the DPA analyses a case like this, great weight is given to the company’s own risk assessment and the measures it has put in place as a result. In the Body’s latest Return on Sales analysis a number of risks had been highlighted: a lack of two-factor authentication, a lack of security culture, and low competence in and little focus on personal security. The analysis had therefore revealed vulnerabilities that could have been compensated for by organisational measures, as required by Article 32 of the GDPR. Such measures could have included assessing employees’ knowledge of information security and personal data protection, and targeted training.
It was found that the Body did not implement technical measures that could have prevented the infringement. Having no security measures, or inadequate ones, greatly increased the likelihood of a security breach, and attacks via employees’ email accounts are a well-known strategy. Secure authentication is considered a simple and essential security measure for reducing the risk of attacks of exactly this kind.
The intruders gained access to a number of the Body’s email accounts because of this lack of security measures. A previous risk assessment carried out by the Body had concluded that two-factor authentication should be introduced, but doing so took a disproportionate amount of time.
It was clear that if the necessary measures had been taken and implemented at an earlier stage, the attack would likely have been avoided. By failing to introduce appropriate measures to deal with an identified vulnerability, the Body breached the GDPR.
The Body was ordered to pay a fine of NOK 2,000,000 ($222,600 USD). Some of the aggravating factors that were considered included:
- The nature, gravity and duration of the infringement
  - The breach resulted in loss of control over personal data and exposed elected representatives to blackmail
- Whether the offence was committed intentionally or negligently
  - The Body was grossly negligent in not implementing two-factor authentication and not following up on known vulnerabilities
- Degree of responsibility of the controller or processor
  - The Body took a significant risk by not setting up two-factor authentication when it should have
- Level of cooperation with the DPA
  - There was no cooperation between the DPA and the Body’s administration to repair the damage
- Categories of personal data concerned by the breach
  - The attackers had been able to access sensitive data
Some of the mitigating factors that were considered in the final decision included:
- Any measures taken by the controller or processor to limit the damage suffered by the data subjects. Following the attack:
  - New password requirements were introduced
  - The scope of security logging was expanded
  - Updated guidelines for mobile devices were issued
  - Work began on two-factor authentication
  - Training measures were implemented to increase employee awareness of information security
- The Body had no previous violations to take into consideration
- The Body itself reported the breach to the DPA
Although the GDPR came into force in 2018, there are still situations where data is put at risk. In this case data was accessed by intruders. Value Privacy are able to assess your company, and any partners and associates you may work with, to see whether you have any vulnerabilities such as the ones that led to the attack described in this article. Cases like this can be costly, and that’s before considering the cost of the damage to your company’s reputation. Contact us today to find out how we can make your business safer.