Icelandic DPA fines InfoMentor for a data breach affecting hundreds of children from 2019.
The Icelandic Data Protection Authority has fined the company InfoMentor EUR 23,100 for not ensuring the proper security of personal data of several data subjects, mainly affecting children. According to this report from the EDPB, in an incident reported in February 2019, their system, Mentor, an information system for schools and other parties, which provides services for working primarily with children,was subject to a data breach. A vulnerability on their part, led to the six-digit system number of each user being visible in the URL address of a particular page within the Mentor system. This resulted in unauthorised parties gaining access to the personal information of these students, including the national identification numbers and avatars of over 400 children.
At its core, this data breach was caused primarily by human error, including a delay in fixing a vulnerability that the company had been aware of.
InfoMentor acknowledged that the company had been aware of the vulnerability which led to this data breach, and that a solution had already been created. However, due to human error, the solution was not fully implemented into their Mentor system until after the data breach had already occurred. This data breach could have been avoided, had those vulnerabilities been addressed once the relevant persons had been made aware of them. In addition, InfoMentor sent national identification numbers of students affected by the data breach to the wrong schools and data protection officers in error.
The Icelandic DPA fined InfoMentor based on the number of data subjects affected, and the fact that those affected were children.
The rights and freedoms of children were directly affected by this data breach. The most significant factors considered by the Icelandic DPA in determining the administrative fine were the number of data subjects directly and potentially affected, and the fact that the data subjects are children. The Icelandic DPA also considered that InfoMentor‘s main activity is the development and operation of an information system intended for schools and other entities working with children. On the plus side, there was no indication of harm suffered by the data subjects as a result of this breach. In addition, InfoMentor has taken numerous steps to improve their security and address the vulnerabilities which caused this breach, affecting the personal data within their system.