Datatilsynet (Norway) - 20/02144
Datatilsynet - 20/02144 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 32(1) GDPR Article 32(2) GDPR Article 58(2)(d) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 24.02.2020 |
Decided: | 09.01.2023 |
Published: | 11.01.2023 |
Fine: | n/a |
Parties: | PostNord AS |
National Case Number/Name: | 20/02144 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Norwegian Norwegian |
Original Source: | Norwegian DPA Datatilsynet (in NO) Norwegian DPA Datatilsynet (press release) (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA held a courier and logistics company violated Article 32 for insufficient risk assessment of and security in the app MyPostNord, allowing several people to access others' personal data when using their new phone number in the app, where the number used to belong to a former app user.
English Summary
Facts
The courier and logistics company PostNord (the controller) offers their customers the service "MyPostNord", where they can schedule and track parcels and obtain advantages such as faster bookings. MyPostNord can also be accessed through an online app.
In February and March 2020, the controller submitted two data breach notifications to the Norwegian DPA Datatilsynet, relating to cases where unauthorized people could access the customer profile of others. This was possible because the controller used phone numbers as the only means of authentication and entering someone else's number (for example an incorrect one) could give them access to their personal data in the profile, including name, gender, postal address, email address, phone number, order- and payment history, shipments underway and sender name. The same happened in cases where someone got a new phone number which was already used for the MyPostNord service.
In addition to the controller's breach notifications, the DPA received tips from the public about similar incidents.
For the DPA's request for information to the controller, they specifically asked for the risk assessment for the service MyPostNord and related processing systems. The controller submitted one, but could not state when the risk assessment was conducted. The DPA stresses in the decision that controllers must be able to report this to sufficiently demonstrate compliance with Article 5(2) GDPR and Article 24(1) GDPR. In addition, the DPA notes that the risk assessment lacked a systematic overview of relevant risks related to the controller's processing of personal data in the service, and the assessment was further insufficient. The DPA recommends that the controller implements an established methodology, for example based on ISO 27001.
In August 2022 the DPA informed the controller of their intent to impose an order to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk as per Article 32 GDPR. The controller accepted the notification and informed the DPA that they were planning to implement two-factor authentication to ensure confidentiality in the service MyPostNord.
Holding
The DPA held that PostNord, the controller, had violated Article 32(1) and 32(2) GDPR for insufficient risk assessment of and security in the service MyPostNord, and ordered them to implement sufficient technical and organisational measures.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
POSTNORD AS PO Box 6441 Etterstad 0605 OSLO Your reference Our reference Date 20/02144-16 09.01.2023 Decision on order - PostNord AS 1 Introduction We refer to the notice of order of 25 May 2022 and their comments of 25 August 2022. We understand the comments to mean that PostNord AS accepts the notified order, and that the company plans to introduce two-factor authentication using a personal password and one-time code on SMS to ensure confidentiality in "mypostnord". Based on your comments, we make decisions in line with the notice. 2 Resolution Pursuant to the Personal Protection Regulation article 58 no. 2 letter d is imposed POSTNORD AS, reg. no. 984 054 564, to implement suitable technical measures to achieve a suitable level of protection that ensures the confidentiality of the service "mypostnord", cf. the personal protection regulation article 32 no. 1 and no. 2. The deadline for carrying out the orders appears in section 7 of the decision. 3 More about the facts of the case The background to the case is two notifications of breaches of personal data security from POSTNORD AS ("PostNord"). The notice of 24 February 2020 (doc. no. 20/00643-1) applies to a person who has taken over a mobile phone number and thus gained access to the previous owner of the number's customer profile at POSTNORD ("Message 1"). The notice of 6 March 2020 (doc. no. 20/00799-1) applies to a POSTNORD customer who registration entered the wrong mobile number. All subsequent information was then sent to this the mobile number, and the owner of the mistyped mobile number gained access to the whole the customer profile ("Message 2"). Postal address: Office address: Telephone: Org. no: Website: PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLOAs both messages concern unauthorized access to customer profiles, we process the messages together. You explain in the messages that access to customer profiles means access to the customer's name, gender, date of birth, postal address, e-mail address, telephone number, order and payment history, as well as an overview of consignments en route and sender name. In addition, gives access to a customer profile possibility to change notification settings. In the report of 24 February, it appears that the breach took place between 31 March 2017 and 21 February 2020. In the report of 6 March, it appears that the breach took place between 8 August 2019 and March 6, 2020. The Norwegian Data Protection Authority has on two occasions asked PostNord to explain the facts of the case, including for risk assessment of and security in the mypostnord service, as well as for the location of processing responsibility in the PostNord group. In addition to the messages from PostNord and the company's explanations, the Norwegian Data Protection Authority has received tips from users who have experienced gaining access to other users' personal data. In the notes to the notice, PostNord writes that the company takes note of the notice of order, and that the company has now carried out a risk assessment and identified suitable measures to ensure the confidentiality of the mypostnord service. 4 The requirements of the regulations 4.1 Data controller The "controller" is the person who determines the purpose of the processing and which ones means to be used, cf. the Personal Data Protection Ordinance, Article 4 No. 7. 4.2 Basic principles for processing personal data The basic principles for processing personal data follow the personal protection regulation article 5 no. 1. We refer to article 5 no. 1 letter a, b, c and f: 1. Personal data must a) is processed in a legal, fair and transparent manner with regard to the data subject ("legality, fairness and transparency"), b) is collected for specific, expressly stated and legitimate purposes and not is further processed in a way that is incompatible with these purposes (...) ("purpose limitation"), 2 c) be adequate, relevant and limited to what is necessary for the purposes they processed for ("data minimization"), (...) f) processed in a way that ensures sufficient security for the personal data, including protection against unauthorized or illegal processing (...) using suitable technical or organizational measures ("integrity and confidentiality")". 2. The controller is responsible for and must be able to demonstrate that the privacy principles are observed, cf. Article 5 no. 2. 4.3 Safety of processing Article 32 of the Personal Data Protection Regulation sets out requirements for security around the processing of personal data: 1. Taking into account the technical development, implementation costs and the nature, scope, purpose and context of the processing, as well as the risks of varying degrees of probability and severity for the rights of natural persons and freedoms, the data controller and the data processor must carry out suitable technical and organizational measures to achieve a level of security that is suitable with consideration of the risk, including, among other things, depending on what is suitable, a) pseudonymisation and encryption of personal data, b) ability to ensure continued confidentiality, integrity, availability and robustness in the treatment systems and services, (…) d) a process for regular testing, analysis and assessment of how effective the processing's technical and organizational security measures are. 2. When assessing the appropriate level of security, special consideration must be given to the risks associated with the processing, particularly as a result of (...) unauthorized disclosure of or access to personal data that has been transferred, stored or otherwise treated". 5 The Norwegian Data Protection Authority's assessment 5.1 Data controller Based on the information PostNord has sent us, we assume that the company PostNord AS is responsible for the processing of personal data through the mypostnord service, cf. the personal data protection regulation article 4 no. 7. 35.2 Security of processing According to PostNord, "mypostnord" is a service created for private customers who use the company's forwarding services. The purpose of the service is to give the customer an overview of consignments on their way to or from them: The purpose of MyPostNord for private recipients is to give consumers their own, private space towards PostNord, where they can get information about their consignments and adapt their delivery by making changes to shipments that are on their way to them. The background to this case is two notifications of a breach of personal data security from PostNord, where new users have gained access to previous users' personal data. This happened because the new users had been assigned phone numbers that previously belonged to others users at PostNord. The Norwegian Data Protection Authority has also received tips from people who have experienced receiving access to other users' personal data in mypostnord. PostNord explains the incidents the company has reported as follows: Access to the "previous owner's" profile will be possible if the mobile number changes ownership telecom operator, and "former owner" of the telephone number has not deleted his profile at PostNord before changing the telephone number or it has not been at least 2 years since "previously owner" cancels his number with the telecom operator until the "new owner" is assigned the number from telecom operator. "New owner" will then be able to log in to the profile linked to the telephone number (since this is verified through SMS that the "new owner" can receive, and will not be asked about creating a new profile at PostNord. For the telecommunications operators, it is also common practice that telephone numbers that become available, blue. because subscriptions are terminated, not transferred from to a new owner before three have passed months precisely to ensure that new owners receive inquiries concerning the previous owner which is the situation here. The exception is in the case of direct sales of telephone numbers between two people persons, i.e. "former owner" and "new owner", where you go outside the system to the telecommunications operators, see case 2 below. "Previous owner" in this case has not updated the services within this period. Previous shipments are also not available in profile this procedure of not transferring phone numbers after a minimum of three months, since shipments are deleted from the profile after 14 days. The reason why the "new owner" will gain access to the profile is that the "previous owner" e.g. do not have updated his profile with his new phone number in the online store that makes shipments through PostNord and/or in the profile at PostNord or that "old owner" in the event of an oversight, enter their previous telephone number when ordering i online store. The online store will then use the former number of the "former owner" at shipment to "new owner", and "new owner" will then receive notification with shipment from PostNord with link to profile at PostNord. On the other hand, "previous owner" enters his new one phone number when ordering or have updated their profile, the relationship will not arise, and that may be part of the reason why such events happen very rarely. 4 "New owner" does not have to access the profile to get information about shipments (The SMS provides the name of recipient, sender (company) and collection point, or to receive packages. But the "new owner" can then choose to access the profile themselves. This despite the fact that the person concerned is aware that the SMS is not for him, since that appears from the SMS by who is the recipient. "New owner" has thus accessed one profile this person knows does not have the right to access. Article 32 of the Personal Data Protection Regulation requires the data controller to carry out technical and organizational measures to achieve a level of security that is suitable with regard to the risk. The question in our case is whether the level of protection in mypostnord is suitable with regard to the risks when processing personal data in the system, including the current level of protection i sufficiently ensures ongoing confidentiality of the personal data in the system, cf. article 32 no. 1 letter b. The risks to the rights and freedoms of natural persons Before we assess whether the current level of protection is suitable, we want to say something about the risks involved data subject's rights and freedoms related to the processing of personal data i mypostnord. According to Article 32 no. 1 and no. 2, the data controller must carry out suitable technical measures in their treatment systems based on the risks associated with the treatment. The measures must, among other things, safeguard the "ability to ensure continued confidentiality" in it the controller's systems and services, cf. article 32 no. 1 letter b. When assessing which measures are suitable, the data controller must take into account the technical development, implementation costs and the nature, scope, purpose of the processing, and the context in which it is carried out, as well as the risks of varying probability and degree of severity for the rights and freedoms of the data subjects. As a first step in ensuring an appropriate level of security, Article 32(1) imposes it controllers to identify the risks associated with the processing of personal data. This objective assessment, often called "risk assessment", must identify the risks of the rights and freedoms of natural persons. The risks identified by the controller through the assessment is the governing body for which technical and organizational measures it takes data controllers must implement to ensure a suitable level of protection, cf. article 32 no. 1 and No. 2. Paragraph 76 of the Personal Data Protection Regulation states the following about the assessment: How likely and serious the risk to the data subject's rights and freedoms is, should determined based on the nature, scope, purpose and context of the processing in which it is carried out. The risk should be assessed based on an objective assessment in which it is determined whether the treatment of the personal data involves a risk or a high risk. 5 (our emphasis). In our demand for an explanation, we asked PostNord to send us the company's risk assessment mypostnord and related processing systems. In its statement, PostNord refers to the document "Security assessment MyPostNord". In the submission, PostNord has not documented when the assessment was carried out. In order to be able to demonstrate that the principles are adhered to, cf. art. 5 no. 2, and to be able to "ensure and demonstrate that the processing is carried out in accordance with this regulation", cf. art. 24 no. 1, it is necessary a systematic approach to the work with regulatory compliance. PostNord must be able to demonstrate the time of the assessment, including so that the Norwegian Data Protection Authority can check that it was carried out before the processing of personal data started. This is not possible from the documentation PostNord has sent. Furthermore, the submitted risk assessment lacks a systematic overview and assessment of relevant risks related to the company's processing of personal data in the service. The Personal Data Protection Regulation does not specify a methodology for carrying out risk assessments, but the controller must, in light of the accountability principle, have a systematic approach to regulatory compliance, which means that it has documented and can demonstrate compliance, cf. Article 5 No. 2. The data controller must at least be able to demonstrate that they have an overview of relevant data risks, that they have assessed them to a sufficient extent and implemented suitable measures to reduce them the risk of a breach of personal data security. We cannot see that the risk of that one user receives their personal data astray via mypostnord is assessed to a sufficient extent i the documentation the company has sent us. PostNord has not assessed the special one either the risk of breach of confidentiality that the service entails for new users telephone number via direct sales, where confidential information can be disclosed unauthorized. The most widespread way of carrying out risk assessments is to list relevant ones risk scenarios and assess the probability and consequence of these. With basis in it the assessment determines whether the risks are acceptable or whether measures must be implemented. If the risks are not acceptable, various risk-reducing measures are assessed and a decision made which are suitable. You then specify who will carry out the various measures and the deadline for implementation. We recommend that PostNord adopts a recognized methodology for implementation of risk assessments, for example based on ISO27001. Our preliminary assessment is that the risk assessment PostNord has sent us is not sufficient degree identifies the risks associated with the company's processing of personal data i mypostnord. The assessment has key shortcomings that make it unsuitable for identifying the risks in the processing as required by Article 32 no. 1 and no. 2. 6In what follows, we will say something overall about the risk to the rights and freedoms of the data subjects when using mypostnord, as the risks govern which technical measures PostNord takes which the data controller must carry out in the service. According to PostNord, the following information is stored in a customer profile in mypostnord: • First name, last name, mobile number, e-mail, photo, date of birth and gender (where the last three is not required to be filled in, and is rarely filled in by users). • Address • Packages on the way with the name of the sender (company name). This information is kept only for 14 days in the archive in the profile. • Notification settings, i.e. which notifications the person concerned wants to receive from PostNord, as e-mail or SMS. • Business recipients or contract customers you are associated with (and administration of these if the role dictates it). • What types of notification (ie notification of receipt of shipment) sent when, channel and status (but not content). • Payment history (date, type, shipment number, amount, status, payment method, reference and transaction identifier). This is only data against PostNord if there is purchased additional services from PostNord, such as Flex, i.e. changed delivery location (but then says only "Flex" in the profile), own shipment (then only "Mypack GO") or cash on delivery (is then only "CashOnDelivery"). Payment history may be deleted by the user. • PostNord Plus level, if you are a member of PostNord, which only indicates how many packages sent from PostNord and which user level you are at ("Gold", "Silver" or "Basic"), but no information about packages etc. This information is not, in principle, special categories of personal data according to Article 9 of the Personal Data Protection Regulation. However, the information may still be of a sensitive nature for the data subjects, and this applies in particular to the dispatch history with information on the name of the sender. PostNord has one large market share in the Nordics, and is used by many different types of online shops, including pharmacies. 1 PostNord is not only covered by the provisions of the Personal Data Protection Ordinance, but also the Postal Act. Section 30 of the Postal Act states that providers of postal services have a duty of confidentiality for: [...] information about the sender's and recipient's use of the postal service, [...] the sender and recipient's business or personal circumstances and [...] content of postal delivery'. According to the Postal Act, the provider is obliged to "implement measures to prevent that unauthorized parties become aware of the information". The Norwegian Data Protection Authority is not the supervisory authority for 1See, for example, the online stores of Apotek 1, Boots Apotek, Vitusapotek and Farmasiet.no, https://www.apotek1.no/kundesenter/frakt-og-levering, https://www.boots.no/frakt-og-levering, https://www.vitusapotek.no/kundeservice/levering-og-betaling/a/A1361, https://www.farmasiet.no/kundesenter/frakt-og-levering (last visited 25.05.22). 7 of the Postal Act, but the provision on confidentiality is nevertheless suitable to say something about sensitivity for the information to which this case applies. We also note that the correspondence of natural persons is at the core of the right to privacy Article 8 of the European Convention on Human Rights. The integrity and confidentiality principle is a fundamental principle for the processing of personal data. cf. article 5 no. 1 letter f. Measures to achieve a suitable level of security with respect to the risk The next question is whether PostNord has implemented suitable technical measures that ensure a suitable level of protection in mypostnord in light of the risks involved in processing personal data, cf. the personal protection regulation article 32 no. 1. PostNord states that the technical measures which as of today have been introduced in mypostnord fulfill the requirement for technical measures and ensures a suitable level of security according to Article 32: Confidentiality is ensured by requiring authentication from a telephone number, see above, and that the risk of access when changing the telephone number is very small. Plus are there no alternative measures that would increase security with regard to personal data which is available in the solution and accessibility for users, see below. Use of telephone number is also an industry standard, and this is also the solution that, among other things, The mail uses. The duty of confidentiality under the Postal Act is respected according to the solution that has been chosen, and it will not be solutions or measures that provide more security. Previously, a notification about a package was sent out by post in the mailbox, and such a solution provides less security (because most people do not have locked mailboxes) than the solution currently used. It should also be specified that given the level of security as mentioned, the incident is due to it data subject's own relationship, as well as that the recipient of the SMS notification ("new owner") has acted against their better judgment, if the person concerned has accessed the previous owner's profile. As of today, PostNord uses the telephone number as an identifier for access to services and profiles at the company: Mobile number is used as identifier for access to services and profiles at PostNord which, according to PostNord's assessment, see the attached risk assessment, provides a adequate security level and risk level considering the information that is processed and which is available on the recipient's (the registered person's) profile as well as in the SMS notification, that this is limited information and not of a sensitive nature or special categories and that it is need to receive notifications about packages quickly and easily, and correspondingly for access to own profile and the services therein (type, scope, purpose and the context in which they are performed), see also below, the availability of the services (usability), the level of security which is available and practices for such information and services (the technical 8 the development), the implementation costs (such that this is a more expensive solution than e-mail (a cost of approx. NOK 2.6 million per year, but BankID is a very expensive solution, with approx. NOK 10.8 million per year). (Our emphasis) We disagree with this assessment. Our view is that the authentication of users in mypostnord only with the use of a telephone number does not ensures a suitable level of protection that ensures the confidentiality of the service, cf. the personal data protection regulation article 32 no. 1 letter b. Firstly, the current arrangement with a telephone number as the only authentication means that people who buy phone numbers via direct sales, and who visit mypostnord, will get access to the previous owner's personal data, including shipment information. PostNord states that the shipment information is only stored for 14 days, and that confidentiality for this information can only be broken if a telephone number changes owner through one direct transaction, where the telephone number is not covered by the telecommunications operators' quarantine period. PostNord is aware that direct sales of telephone numbers take place in Norway, and that this is not the case illegal, even if it takes place to a lesser extent than the allocation of telephone numbers from the telecom operators. As telephone numbers are a limited resource, and there are still more of us in Norway, it follows logically that there will be an increasing probability of similar cases of breach of confidentiality in the future. If PostNord's market share increases in Norway, it will the probability increases further. Secondly, the current arrangement means that people who are allocated a new telephone number from a telecommunications operator, will gain access to the personal data of the former owner of the phone number, when the new owner uses mypostnord. According to the Personal Data Protection Ordinance, PostNord is further obliged to ensure the confidentiality of everyone personal data it processes as data controller. After shipment information has been deleted after 14 days, mypostnord stores the rest the personal data for one year before they are deleted. As the quarantine period for reuse of telephone numbers distributed via the telecom operators is less than a year, it is much higher likelihood that the confidentiality of this information will be breached. The arguments about telephone numbers as a limited resource and potential increase in PostNord's market share is yet to come more relevant here. PostNord itself states that "The information [...] is basic information that is necessary for recipients from PostNord, and not to be regarded as sensitive or intrusive the receiver". This is hardly a valid argument for all users, and in any case not a free pass to allow breaches of confidentiality, even if this applies to a small number of users. 9Our assessment is that with the current level of protection, unauthorized persons will regularly receive access to users' personal data in mypostnord. We note that the responsibility for ensuring the security of personal data according to the data protection regulation lies with the data controller, and that PostNord cannot push this responsibility on the end user with the argument that a user with a new telephone number should have understood that it was in the process of gaining access to other people's personal data and thus "acts against better judgment". Based on this, our assessment is that PostNord has not carried out suitable technical measures measures to achieve a suitable level of protection in the mypostnord service. The company has not implemented suitable measures that ensure continued confidentiality in the service. Our conclusion is therefore that PostNord has breached Article 32 of the Personal Data Protection Regulation. 6 Assessment of corrective measures Our assessment is that PostNord has not implemented suitable technical measures to ensure a suitable level of protection and confidentiality in mypostnord, cf. the personal data protection regulation article 32 and article 5 no. 1 letter f, as the service is designed today. We therefore consider it necessary to order PostNord to carry out technical measures to ensure a adequate level of protection and safeguard confidentiality in mypostnord. The order means, firstly, that PostNord must identify the risks associated with the processing of personal data in mypostnord in line with article 32 no. 1 and no. 2, cf. advocacy point 76. Furthermore, the order implies that PostNord must implement suitable technical measures to ensure a suitable level of protection and confidentiality in mypostnord. The company must take measures such as prevents people who get a new telephone number through direct sales or allocation from a telecom operator gains unauthorized access to other users' personal data at PostNord. In the notes to the notice, PostNord writes the following: On the basis of this case, PostNord has carried out a risk assessment (see attached appendix). In the risk assessment, we have mapped the risks we perceive to be relevant, i in addition to identifying suitable technical and organizational risk-reducing measures. PostNord has assessed that the risk will be reduced considerably by the introduction of suitable measures. In order to satisfy PostNord's own target requirements for adequate security, PostNord has decided to introduce additional requirements for logging into the MyPostNord application. PostNord has assessed that the introduction of two-factor identification will raise the security level in MyPostNord. This will mean introducing in person password in addition to the current solution with a code via SMS. Furthermore, considered 10 the probability of an unauthorized person gaining access to the system as negligible (provided that one does not have access to the personal password or SMS code). As mentioned in the notice, we do not require PostNord to carry out certain technical measures in order to achieve a suitable level of security and confidentiality. This is because it is the company's task to itself identify suitable technical measures in light of the identified risk to natural persons rights and freedoms arising from the processing of personal data in the service. We nevertheless mention that we agree that the described measures will be an appropriate way to ensure the confidentiality of mypostnord on Our authority to order the company to implement suitable technical measures to achieve a suitable level of protection and confidentiality is the Personal Data Protection Regulation article 58 no. 2 letter d. 7 Right of appeal and further proceedings You can appeal the decision. Any complaint must be sent to us within three weeks of this the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will forward the case to the Privacy Board for complaint processing. The deadline for carrying out the order is 4 weeks after the expiry of the appeal period. If you don't appeal the order, you must send us a written confirmation within this deadline, as well as documentation that the order has been carried out. 8 Publicity, transparency and confidentiality We would like to inform you that all documents are basically public, cf. Public Relations Act § 3. If you believe there are grounds for exempting all or part of the document from public inspection, we ask you to give reasons for this. The Norwegian Data Protection Authority has a duty of confidentiality regarding who has notified us of a breach the Personal Data Act with the Personal Data Protection Regulation, and about their personal circumstances. The duty of confidentiality follows, among other things, from the Personal Information Act § 24 and the Administration Act § 13. As a party to the case, you may nevertheless be made aware of such information by the Norwegian Data Protection Authority, cf. Administration Act § 13 b first paragraph no. 1. You also have the right to inspect the case's documents, cf. Section 18 of the Public Administration Act. We draw your attention to the fact that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority the identity of persons who report breaches of the Personal Data Act with the Personal Data Protection Regulation, personal circumstances and other identifying information, and that you can only use this information to the extent necessary to safeguard their interests in this matter, cf. the Public Administration Act § 13 b second paragraph. We do too note that breach of this duty of confidentiality can be punished according to Section 209 of the Criminal Code. 11 If you have any questions about the case, you can contact us by e-mail omm@datatilsynet.no or telephone 22 39 69 59. With best regards Ylva Marrable section manager Ole Martin Moe senior legal advisor The document is electronically approved and therefore has no handwritten signatures 12