Datatilsynet (Denmark) - 2020-31-4326

From GDPRhub
Datatilsynet (Denmark) - 2020-31-4326
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Decided:
Published: 22.10.2021
Fine: None
Parties: jo:ga ApS
National Case Number/Name: 2020-31-4326
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Tetyana Porokhonko

The Danish DPA reprimanded the company Jo:ga ApS for using its members' date of birth as a permanent password and failing to implement appropriate security measures such as access restrictions after unsuccessful login attempts.

English Summary[edit | edit source]

Facts[edit | edit source]

In January 2020, a complainant (a member of Jo:ga) contacted Sport Solution to inform them about possible security issues in relation to the registration and membership management system on Jo:ga's website and app. The complainant claimed that the company uses its members´ dates of birth as a permanent password to login to its website and app, and that the members cannot change it. Additionally, the complainant argued that the company had not implemented any access restrictions after several failed login attempts.

Sport Solution confirmed that Jo:ga was one of its customers but informed the complainant that the customer decides on its own which security measures should be implemented regarding registration and login. Sport Solution however informed that it would contact Jo:ga and notify them about the issue.

In August 2020, the complainant noticed that no improvement were made since January 2020 and filed a complaint with the Danish DPA.

Holding[edit | edit source]

The DPA reprimanded Jo:ga for failing to process the members´ personal data in accordance with Article 32(1) GDPR. The DPA found in particular that the company had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, namely by allowing an unlimited number of failed login attempts, and by using its members' dates of birth as a permanent password.

The DPA emphasized that known or easily accessible information such as a date of birth should only be used as an initial password, and should not be imposed as a permanent password. The DPA also stressed that the lack of sufficient security measures makes it possible for unauthorised persons to gain access to members´ personal information, e.g., by using a brute-force attack or acquiring members´ data.

The DPA ordered the company to bring the processing of its members´ personal data in line with the requirements set out in the Article 32(1) GDPR.

Comment[edit | edit source]

The original of the decision can be found here.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

 Criticism of [jo:ga] ApS' lack of processing security
Date: 22-10-2021
Decision

The data protection supervisor has criticised Joga for not having adequate security. The DPA also issued an injunction to the company to bring the processing of personal data into compliance with the GDPR.

File number: 2020-31-4326. 
Summary

The Data Protection Authority has ruled in a case where a member of Joga complained that the password for login to Joga's site and app was the complainant's date of birth and that there were no limits on the number of login attempts.

The EDPS found that Joga - by failing to set limits on unsuccessful login attempts, and by using members' date of birth as a password that could not be changed - had not taken adequate security measures.

In its assessment, the EDPS emphasised that known or easily accessible information, such as a date of birth, should only be used as an initial password that must be changed subsequently.

The EDPS also considered that the inadequate security measures allowed unauthorised persons to gain access to members' personal data.

Against this background, the EDPS criticised the fact that Joga's processing of personal data had not been carried out in accordance with the rules on security of processing.

The data protection supervisor also ordered Joga to bring the processing of personal data into line with the data protection rules by forcing current and new Joga members to change their passwords to a sufficiently secure password at the first login, with requirements for the complexity of the code.

On 13 October 2021, Joga indicated that it had complied with the injunction.

Decision: The EDPS hereby returns to the case where [...] (hereinafter the complainant) complained on [date] 2020 that [jo:ga] ApS (hereinafter Joga) does not process data about her in a sufficiently secure manner.
1. Decision

Having examined the case, the EDPS considers that there are grounds for criticising Joga's failure to process personal data in accordance with the rules laid down in Article 32(1) of the Data Protection Regulation[1].

The EDPS also finds grounds for ordering Joga to bring the processing of personal data into line with Article 32(1) of the GDPR by forcing Joga's current and new members to change their passwords to a sufficiently secure password at the first login, with a requirement for the entropy of the code.

The injunction is issued pursuant to Article 58(2)(d) of the Data Protection Regulation.

The deadline for compliance with the injunction is 7 October 2021. The EDPS shall request confirmation of compliance by the same date.

Section 41(2)(5) of the Data Protection Act[2] provides for a fine or imprisonment for up to 6 months for failure to comply with an order issued by the DPA pursuant to Article 58(2)(d) of the GDPR.

The following is a detailed description of the case and the reasons for the decision of the Data Protection Authority.

2. Summary

It appears from the file that the complainant is a customer of Joga and that her membership number is "jo" followed by seven digits. The complainant's password for login to the Joga website and app was originally the complainant's date of birth. 

The complainant contacted Sport Solution in January 2020 about a possible security breach in the booking and membership system the company sells. The complainant stated that Sport Solution's customers generated consecutive membership numbers and that the password was always the member's date of birth. The complainant further stated that she could ask for combinations of membership number and password as many times as she wanted.

Sport Solution responded that Joga is one of their customers and that it is the customer's decision what security standards are set up. Sport Solution stated that they would contact Joga and advised the complainant to do the same.

The complainant then contacted Crossfit Copenhagen (now Arca), which stated that Arca was in dialogue with the provider of the system.

In August 2020, the complainant informed Sport Solution that Arca had informed her that they were jointly making improvements to the set-up, but that the complainant could not see that they had made any security improvements since her January 2020 approach.
2.1. Joga's observations

On 19 January 2021, Joga made a statement in the case. Joga argued that some time ago it had introduced a limit on the number of login attempts.

Joga has stated that it is possible to change the password by writing to the company. Joga is also in the process of implementing the possibility to change one's password directly in the app.

In addition, Joga has stated that when logging into the booking app, there is no personal data. There is only first name and training history.

On 4 May 2021, Joga provided additional information that Joga has implemented the ability to change one's password. In addition, Joga will implement a security measure whereby after five failed login attempts, you will be locked out for one hour and after 10 times you will have to write to Joga to be unlocked again.
2.2. The complainant's observations

The complainant states that the password is systematically the date of birth of all Joga customers and that it is not possible to change one's password via Joga.dk. On the other hand, one can change one's password via booking.sport-solutions.dk/login, but the complainant had to figure that out himself. Neither Joga nor Sport Solution had provided any information about this possibility.

The complainant also stated that the problem with the described system of login details is that Joga does not have any limits on the number of incorrect login attempts. The complainant has therefore been able to write a very simple script which finds valid login details of other private customers by trying to log in with membership numbers and passwords following the described system. In this context, the complainant has stated that the system does not reset passwords or detect that she is using a script. The complainant has stated that the script is slow and that it only finds the login details of one private customer. That customer was initially the complainant herself, but the complainant has also tried using the login details of an acquaintance, who has consented to the complainant using the information as evidence to the Data Protection Authority.

Following Joga's initial statement, the complainant stated that she was unsure whether the restriction on the number of login attempts had actually been imposed and, if so, whether the restriction was sufficient, as a minor modification of the complainant's script managed to make over 300 login attempts before the code guessed the complainant's known date of birth, which is 23 December.

3. Reasons for the decision of the Data Protection Authority

It follows from Article 32(1) of the Data Protection Regulation that the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing of personal data by the controller.

Thus, the controller has a duty to identify the risks that the controller's processing poses to data subjects and to ensure that appropriate safeguards are put in place to protect data subjects from those risks.

The EDPS is of the opinion that the requirement under Article 32 for adequate safeguards will normally imply that the controller must ensure that information on data subjects does not come to the knowledge of unauthorised persons.

The EDPS considers that Joga - by not having implemented restrictions on unsuccessful login attempts, and by using members' date of birth as a permanent password - has not taken adequate organisational and technical measures to ensure a level of security appropriate to the risks represented by Joga's processing of personal data, as required by Article 32(1) of the GDPR.

In this respect, the EDPS has emphasised that known or easily accessible information should only be used as an initial one-time password and that the insufficient security measures allow unauthorised persons to gain access to members' personal data, for example through a so-called brute force attack, or by obtaining information about a member.

Having examined the case, the EDPS considers that there are grounds for criticising Joga's failure to process personal data in accordance with the rules laid down in Article 32(1) of the GDPR.

The EDPS also finds grounds to order Joga to bring the processing of personal data into line with Article 32(1) of the GDPR by forcing Joga's current and new members to change their passwords to a required secure password at the first login, with requirements for the entropy of the code. The injunction is issued pursuant to Article 58(2)(d) of the Data Protection Regulation.

For guidance on strong passwords, the EDPS refers to the Center for Cybersecurity's Password Guide[3] or NIST 800-63B.

The DPA has noted that, following this case, Joga has implemented that after five unsuccessful login attempts, the user is locked for one hour and that after 10 attempts, the user must write to Joga to be unlocked again.

 
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] Act No 502 of 23 May 2018 on additional provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Act).

[3] https://cfcs.dk/globalassets/cfcs/dokumenter/vejledninger/-vejledning-passwordsikkerhed-2020.pdf