Dutch DPA imposes fine for delayed report of a data breach

The Dutch DPA has imposed a fine on the international travel agency Booking.com for its delayed action in reporting a significant data breach.

Netherlands-based international travel agency Booking.com was recently fined for its delayed action in reporting a data breach. The breach was discovered on January 13, 2019, after having occurred in December 2018. However, the incident was not reported to the DPA until February 7, 2019. Data breaches must be reported to the relevant authorities within 72 hours of their discovery, making this report about 22 days late. As a result, the Dutch DPA imposed a fine of €475,000 on the company.

Because Booking.com is an international company with customers from a range of countries, the investigation into the breach was international in scope. The investigation, however, was conducted by the Dutch DPA, because the company is based in the Netherlands.

Cyber criminals posed as Booking.com staff in emails and on the phone in order to steal personal information.

These cyber criminals were able to collect information by posing as Booking.com staff in emails and on the telephone. The scam targeted 40 hotels in the UAE in December 2018. The phishers used the customers’ booking information to appear more credible when posing as Booking.com staff, and attempted to gather as much personal and financial information from as many customers as they could in order to steal money from them. This data included login credentials as well as financial information. The scope of the breach was so wide that the criminals were able to access the data of over 4,000 people, including the credit card information of over 280 people. In 97 of those cases, even the credit card security code was obtained.

Booking.com does not object to the fine imposed and has compensated its customers for the financial losses suffered as a result of the breach.

Although Booking.com was made aware of the breach on January 13, 2019, it was not until February 4, 2019 that it informed the affected customers. Furthermore, the company waited until February 8 to inform the DPA of the breach. The company has offered several remedies, including financial compensation for any losses suffered by its customers. Booking.com will not lodge any objection or apply for review of the fine imposed.

There has been a significant increase in cybercrime over the past year, making enhanced security measures even more valuable.

In recent times, particularly since 2020, there has been a significant increase in personal data theft and related attempts. 2020 saw 30% more data theft than the previous year. Many individuals have fallen victim and suffered financial losses as a result of phishing and other forms of data theft aimed at accessing financial information. DPAs have remarked on the explosive increase in these cases over the last year. Enhanced security, as well as timely reporting in the event of a breach, can greatly reduce the impact that this sort of theft has on individuals.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Facebook data leak affects over half a billion users worldwide

The Facebook data leak has resulted in the personal information of over half a billion users being made available publicly and free of charge.

Facebook has recently been implicated in a massive data leak affecting over half a billion users, as reported by Business Insider earlier this month. The personal data leaked was gathered during a data breach two years ago. Recently, however, an individual published all of this personal information on a black-market online hacking forum, free of charge. It is believed that this information was previously available for sale but has since gone down in value, and is now being offered for free on a hacking forum. The data was obtained through the misuse of a feature prior to 2019 and affects approximately 533 million users from over 100 countries.

The personal data leaked does not include login information; however, the details included are enough to facilitate impersonation or fraud.

The personal data affected includes full names, identification credentials, locations, dates of birth, email addresses, and phone numbers. It does not include financial or health information. It is also said that login information is not included in the data; however, the information put out there could potentially be used for hacking. Security experts say that it could be used to impersonate individuals and commit fraud. Facebook’s Product Management Director, Mike Clark, says that the information was not obtained through hacking but rather by scraping it from the platform, much like what happened with Facebook in the 2016 Cambridge Analytica fiasco.

The Facebook data leak has resulted in information that was available for sale in January now being published free of charge on a hacking forum.

The data was first discovered in January on a hacking forum, where an individual or entity advertised an automated bot that could provide certain user data from Facebook. At the time, the data was confirmed to be legitimate. Since then, however, the data has been publicized and is now available for free on a low-level hacking forum. This was discovered earlier this month by Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock.

Facebook reports that the vulnerability which led to the data scraping has since been rectified, and that the company does not intend to notify the individual users affected by this leak. 

Facebook officials want to assure the public that the platform vulnerability which led to the 2019 data breach has since been rectified. The social media company has not notified the over 533 million users affected by this breach and, according to company officials, does not intend to do so. Facebook’s spokesman said the company was not confident that it had full visibility of which users would need to be notified. In defense of not notifying users, they also cited the fact that users could do nothing to fix the issue, as well as claims that the data was already publicly available.

“One needs to understand that, under GDPR, data breaches of such nature need to be notified to data protection authorities and very likely to the affected users as well,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.

Polish DPA fined university for failing to issue a data breach notification

The Polish DPA has fined a university for neglecting to notify the authority as well as affected persons after a data breach.

In June 2020, the Polish DPA was notified of a data breach at a medical university. According to the complaint received, during the university’s examinations held towards the end of May 2020, students were identified via videoconference. Following the examinations, the recordings were available not only to the students being examined but also to others who had access to the system. In addition, any third party could have accessed the examination recordings, and by extension the examined students’ personal data presented during the identification process, by using a direct link.

While the information in the complaint indicated a high risk to the rights and freedoms of the persons affected, the data controller disagreed.

The information contained in the complaint indicated that the incident may have presented a high risk to the rights and freedoms of those who took the examination. The Polish DPA (UODO) wrote to the university for further clarification; however, the data controller replied in writing, arguing that the incident presented a very low risk to the rights and freedoms of the affected persons and that it was therefore not necessary to notify the authority of this data breach. The university also indicated that the system had been modified after the incident to ensure that recorded examinations were not mistakenly shared. In addition, the controller indicated that it had identified the persons who downloaded the examination file and informed them of their responsibility in having access to this data.

While the Polish DPA acknowledged the efforts made by the controller to secure the data moving forward, the authority maintains that notifications were necessary. 

The UODO has taken the stance that the university, as the data controller in this situation, is responsible for the data, not the individuals who downloaded the files, and that the breach occurred due to the controller’s negligence, posing a high risk to the rights and freedoms of the affected students. While the authority acknowledged that the modifications to the e-learning platform used for the examinations will serve to protect students’ data by preventing these files from being downloaded, the UODO believes that notification should still have been made to the authority as well as to the affected students.

The UODO believes that the controller has inaccurately assessed the risk associated with this data breach, and as a result failed to meet its obligations.

The Polish DPA found that after the data breach occurred, the controller failed to meet its obligations to notify both the supervisory authority and the persons affected by the breach. These notifications become necessary when, as a result of the breach, there is a high risk to the rights or freedoms of the persons affected. The authority believes that the controller incorrectly assessed the risk involved. In its decision, UODO also indicated that it does not matter, as the controller claims, that the examination recording was downloaded only by a limited number of persons, as there is no assurance that it will not eventually be made available to further unauthorized persons.

The Polish DPA fined the university over EUR 5,850 for neglecting its notification obligation over several months.

The university has incurred a fine of almost 6,000 Euros. The President of the Office took into account not only the failure to notify the DPA and the affected students, but also the duration of the breach (several months passed from the breach to the issuing of the decision), the deliberate inaction of the controller after being informed that notifications were necessary, and the controller’s lack of cooperation with the authority despite the letters sent and the proceedings initiated. The imposition of this fine should also serve a preventive function, as it shows that controllers cannot neglect their obligations in connection with a personal data breach.

Healthcare Committee Data Breach in Örebro County, Sweden.

Healthcare Committee data breach in Örebro County, Sweden, after sensitive personal data of a patient was published on the region’s website.

A healthcare committee data breach was uncovered after complaints were filed with the Swedish Data Protection Authority (DPA) concerning the publication of a patient’s personal data on the region’s website. According to an article by the European Data Protection Board, the complaints concerned a patient admitted to forensic psychiatry whose personal details were found, through an audit, to have been published on the region’s website. The Swedish DPA found that the region’s website had published sensitive data wrongfully, with neither a legitimate purpose nor a legal basis, and without qualifying for any exemption from the prohibition on processing sensitive personal data under the General Data Protection Regulation (GDPR). As a result, the DPA has fined the Committee and ordered changes to ensure compliance moving forward.

Swedish DPA audit uncovers lack of written instructions for publishing, increasing risk of a data breach.

The Swedish DPA performed an audit after receiving a complaint about the data breach in question and discovered that there were no written instructions in place for the publication of information on the Committee’s website. The Committee had relied solely on oral communication to pass on instructions for publication. The publication of this patient’s personal data was the result of those instructions not being followed. While accidental, the publication of that personal data was the result of insufficient organisational measures to ensure the protection of personal data.

Healthcare Committee Data Breach results in a fine of 120,000 Swedish kronor and an order for corrective action. 

The Swedish DPA has ordered the Committee to establish written instructions and to institute measures to ensure compliance with those instructions by those who are tasked with publishing data on its website. In addition to ordering the Committee to bring its handling of personal data into full compliance with the GDPR, the DPA has also ordered the payment of an administrative fine of 120,000 Swedish kronor (approximately 11,000 Euro). The published document that resulted in the data breach has since been removed from the region’s website.

What should the Healthcare Committee have done in order to avoid the breach?

- Have in place an adequate internal data protection policy providing written and clear instructions about how to process and secure the personal data held by the Committee.

Pursuant to Article 24 GDPR “(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary; (2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller”.

- Deliver relevant training to employees. When it comes to reducing the risk of data breaches, it is paramount to train staff so that they understand the new processes put in place and the data protection rules behind them.

Why are the measures above especially important in this case?

The data compromised involves health information, which is a special category of personal data; therefore additional safeguards should apply, and the legal bases for processing it are limited to a few specific scenarios. However, it should be noted that the breach would have taken place even if the personal data published on the website had not been sensitive, because there was no legitimate basis to make the information public.