The Hungarian National Data Protection Authority (HDPA) imposed a record fine of EUR 282,000 on the telecommunications service provider DIGI for violating the GDPR principles of purpose limitation and storage limitation.
Author: Dr. Nándor Barta
Hennelné dr. Komor Ildikó Ügyvédi Iroda
Roosevelt Irodaház – House of Business – Tower “C”
H-1051 Budapest, Széchenyi István tér 7-8.
Phone: +36 30 345 0191 email: office@komorhennel.hu
The Case
According to the HDPA's investigation, the personal data of certain customers and newsletter registrants became publicly accessible through DIGI's website as a result of DIGI's negligence. The investigation found that an ethical hacker had been able to reach a customer database through DIGI's public website.
Although it was a test database originally created for troubleshooting, its contents were neither deleted nor pseudonymised (or anonymised) once the necessary tests had been run, so a large volume of customer data remained in DIGI's systems without any purpose and in identifiable form.
The exposed personal data of customers and subscribers included names, mother's name, place and date of birth, address, identity card number (in some cases the personal identification number), e-mail address, and landline and mobile phone numbers.
HDPA’s reasoning
The HDPA found that DIGI had not applied security measures proportionate to the volume of personal data it processed and to the nature of the processing (data reachable online).
First, the vulnerability in the database management software had been publicly known for nine years, and a fix had been available for a long time, but DIGI had not installed it.
Second, DIGI did not apply encryption to the personal data concerned, nor did it pseudonymise or anonymise it. These are distinct measures (Article 32(1)(a) GDPR names pseudonymisation and encryption among the appropriate technical measures; anonymised data falls outside the GDPR altogether), and data protection authorities have given them particular weight since the GDPR took effect. When assessing compliance, the fact that encryption requirements were written into DIGI's internal data management policies but not implemented in practice counted against DIGI.
Key takeaways
One important lesson of the case is that if the IT system is vulnerable in light of the nature and volume of the specific processing, that fact alone, without proof of specific data loss or theft, justifies a severe sanction. Secure processing of personal data therefore requires particular attention.
Another takeaway of the HDPA's decision is that access restrictions inside the company, which may previously have seemed sufficient, are no longer enough on their own; encryption of the data, especially where it is reachable from a web environment, is now expected as an essential control.
Furthermore, the decision states that the HDPA treats publicly described software defects and the fixes published by vendors as "well-known", so it expects data controllers to monitor for them and to assess and manage the resulting data security risks.
The fine
When setting the record fine, the HDPA also considered the following:
- DIGI should have fixed the vulnerability long ago: it could easily have been detected by anyone, and the update had been available for years;
- as a result of this flaw, administrator privileges could also be obtained via the website;
- DIGI's market position, on the principle that "with great power comes great responsibility";
- DIGI's failure to comply with its own rules and internal procedures.
Conclusion
When testing internal systems, avoid using personal data that can identify specific data subjects. Work instead with fictitious or non-personal data; where that is not possible, use the personal data only in a form that does not identify the data subjects (pseudonymised, with the re-identification key held separately from the test copy), and only until the end of the test period, after which the test copy must be deleted.
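As an added illustration of the practice recommended above (this is example code written for this article, not DIGI's software or anything from the HDPA decision), the following Python script produces a pseudonymised copy of a customer extract for a test database. Direct identifiers of the kinds listed in the decision (name, mother's name, address, ID number, e-mail, phone numbers) are replaced with tokens derived by HMAC-SHA256 under a key that stays with the production team, so the test copy remains joinable but cannot be reversed by anyone holding only the test database; the date of birth is generalised to the year; and every extract carries an expiry date so it can be deleted when the test period ends. The field names and the sample records are assumptions constructed for the example.

```python
"""Pseudonymise a customer extract for use in a test database (example code).

Direct identifiers -> keyed HMAC tokens (same value in the same field yields
the same token, so joins across tables still work; reversal needs the key,
which is never shipped with the test copy). Date of birth -> year only.
Each extract is stamped with an expiry so it is deleted after the test.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical field names; the real schema is not known from the decision.
DIRECT_IDENTIFIERS = ("name", "mothers_name", "address", "id_card_number",
                      "email", "landline", "mobile")

# Constructed, fictitious records for this example only.
SAMPLE_CUSTOMERS = [
    {"name": "Teszt Elek", "mothers_name": "Minta Anna", "place_of_birth": "Budapest",
     "date_of_birth": "1980-05-17", "address": "Példa utca 1., Budapest",
     "id_card_number": "KT123456", "email": "teszt.elek@example.com",
     "landline": "+36 1 000 0000", "mobile": "+36 30 000 0000"},
    {"name": "Próba Zita", "mothers_name": "Minta Anna", "place_of_birth": "Szeged",
     "date_of_birth": "1992-11-03", "address": "Minta tér 2., Szeged",
     "id_card_number": "KT654321", "email": "proba.zita@example.com",
     "landline": "", "mobile": "+36 20 000 0000"},
]


def _token(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, field-scoped pseudonym: the field name is mixed in so the same
    string used as a name and as an address does not yield the same token."""
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with direct identifiers replaced and DOB generalised."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field):
            t = _token(key, field, out[field])
            if field == "email":
                out[field] = f"user-{t}@example.invalid"   # .invalid is reserved (RFC 2606)
            elif field in ("landline", "mobile"):
                digits = f"{int(t, 16) % 10**7:07d}"      # keep a phone-like shape
                out[field] = f"+36 00 {digits[:3]} {digits[3:]}"
            else:
                out[field] = f"{field}-{t}"
    if out.get("date_of_birth"):
        out["date_of_birth"] = out["date_of_birth"][:4]    # quasi-identifier: year only
    return out


def make_test_extract(records, key: bytes, test_days: int,
                      created: Optional[datetime] = None) -> dict:
    """Build the test copy with an explicit expiry (end of the test period)."""
    created = created or datetime.now(timezone.utc)
    return {
        "created": created.isoformat(),
        "expires": (created + timedelta(days=test_days)).isoformat(),
        "records": [pseudonymise_record(r, key) for r in records],
    }


def is_expired(extract: dict, now: Optional[datetime] = None) -> bool:
    """True once the test period has ended, i.e. the copy must be deleted."""
    now = now or datetime.now(timezone.utc)
    return datetime.fromisoformat(extract["expires"]) <= now


def leaked_values(original_records, extract: dict) -> set:
    """Sanity check before handing the copy over: any original direct-identifier
    value that still appears verbatim anywhere in the extract is reported."""
    blob = repr(extract["records"])
    return {r[f] for r in original_records for f in DIRECT_IDENTIFIERS
            if r.get(f) and r[f] in blob}


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # kept by production, never with the test DB
    extract = make_test_extract(SAMPLE_CUSTOMERS, key, test_days=14)
    for rec in extract["records"]:
        print(rec)
    print("leaks:", leaked_values(SAMPLE_CUSTOMERS, extract) or "none")
    print("expired:", is_expired(extract))
```

The key is the re-identification "additional information" that Article 4(5) GDPR requires to be kept separately; if it is lost, the test copy is effectively anonymous, which is acceptable for a test database. The `leaked_values` check is the last step before the extract leaves production, and `is_expired` is what a scheduled job should call to enforce deletion at the end of the test period.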