Datatilsynet (Denmark) - 2020-31-4326

From GDPRhub
==English Machine Translation of the Decision==

<pre>
Criticism of [jo:ga] ApS for inadequate security of processing
 
Date: 22-10-2021
 
Decision
 
 
The Danish Data Protection Authority (Datatilsynet, hereinafter the DPA) has criticised Joga for not having adequate security of processing. The DPA has also ordered the company to bring its processing of personal data into compliance with the GDPR.
 
 
File number: 2020-31-4326.
 
Summary
 
 
The DPA has decided a case in which a member of Joga complained that the password for logging in to Joga's website and app was the complainant's date of birth and that there was no limit on the number of login attempts.
 
 
The DPA found that Joga, by failing to limit unsuccessful login attempts and by using members' dates of birth as a password that could not be changed, had not implemented adequate security measures.
 
 
In its assessment, the DPA emphasised that known or easily accessible information, such as a date of birth, should only be used as an initial password that must be changed afterwards.
 
 
The DPA also found that the inadequate security measures made it possible for unauthorised persons to gain access to members' personal data.
 
 
Against this background, the DPA criticised Joga's processing of personal data for not having been carried out in accordance with the rules on security of processing.
 
 
The DPA also ordered Joga to bring its processing of personal data into line with the data protection rules by forcing current and new Joga members to change their password to a sufficiently secure one at first login, with requirements on password complexity.
 
 
On 13 October 2021, Joga indicated that it had complied with the injunction.
 
 
Decision: The DPA hereby returns to the case in which [...] (hereinafter the complainant) complained on [date] 2020 that [jo:ga] ApS (hereinafter Joga) does not process data about her in a sufficiently secure manner.
 
1. Decision
 
 
Having examined the case, the DPA considers that there are grounds for criticising Joga for failing to process personal data in accordance with Article 32(1) of the General Data Protection Regulation (GDPR)[1].
 
 
The DPA also finds grounds for ordering Joga to bring its processing of personal data into line with Article 32(1) of the GDPR by forcing current and new Joga members to change their password to a sufficiently secure one at first login, with a requirement on password entropy.
 
 
The injunction is issued pursuant to Article 58(2)(d) of the Data Protection Regulation.
 
 
The deadline for compliance with the injunction is 7 October 2021. The DPA requests confirmation of compliance by the same date.
 
 
Section 41(2)(5) of the Data Protection Act[2] provides for a fine or imprisonment for up to 6 months for failure to comply with an order issued by the DPA pursuant to Article 58(2)(d) of the GDPR.
 
 
The following is a detailed description of the case and the reasons for the decision of the Data Protection Authority.
 
 
2. Summary
 
 
It appears from the file that the complainant is a customer of Joga and that her membership number is "jo" followed by seven digits. The complainant's password for logging in to Joga's website and app was originally her date of birth.
 
 
The complainant contacted Sport Solution in January 2020 about a possible security weakness in the booking and membership system the company sells. The complainant stated that Sport Solution's customers issued consecutive membership numbers and that the password was always the member's date of birth. The complainant further stated that she could try combinations of membership number and password as many times as she wanted.
 
 
Sport Solution replied that Joga is one of its customers and that it is the customer's decision which security settings are applied. Sport Solution stated that it would contact Joga and advised the complainant to do the same.
 
 
The complainant then contacted Crossfit Copenhagen (now Arca), which stated that Arca was in dialogue with the provider of the system.
 
 
In August 2020, the complainant informed Sport Solution that Arca had told her that they were jointly making improvements to the set-up, but that the complainant could not see that any security improvements had been made since her approach in January 2020.
 
2.1. Joga's observations
 
 
On 19 January 2021, Joga submitted a statement in the case. Joga stated that it had some time ago introduced a limit on the number of login attempts.
 
 
Joga stated that the password can be changed by writing to the company, and that Joga is in the process of implementing the possibility to change one's password directly in the app.
 
 
In addition, Joga stated that no personal data is available on logging in to the booking app, only the member's first name and training history.
 
 
On 4 May 2021, Joga provided the additional information that it has implemented the ability to change one's password. In addition, Joga will implement a security measure whereby, after five failed login attempts, the user is locked out for one hour, and after ten failed attempts the user must write to Joga to be unlocked again.
 
2.2. The complainant's observations
 
 
The complainant states that the password is systematically the date of birth for all Joga customers and that it is not possible to change one's password via Joga.dk. One can, however, change one's password via booking.sport-solutions.dk/login, but the complainant had to find that out herself; neither Joga nor Sport Solution had provided any information about this possibility.
 
 
The complainant also stated that the problem with the described login scheme is that Joga does not limit the number of incorrect login attempts. The complainant has therefore been able to write a very simple script which finds valid login details of other private customers by attempting to log in with membership numbers and passwords that follow the described pattern. In this context, the complainant stated that the system neither resets passwords nor detects that she is using a script. The complainant stated that the script is slow and that it only finds the login details of one private customer. That customer was initially the complainant herself, but the complainant has also tried it with the login details of an acquaintance, who consented to the complainant using the information as evidence for the Data Protection Authority.
 
 
Following Joga's initial statement, the complainant stated that she was unsure whether the limit on the number of login attempts had actually been introduced and, if so, whether it was sufficient, as a minor modification of her script managed to make over 300 login attempts before it guessed the complainant's known date of birth, 23 December.
 
 
3. Reasons for the decision of the Data Protection Authority
 
 
It follows from Article 32(1) of the GDPR that the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the controller's processing of personal data.
 
 
Thus, the controller has a duty to identify the risks that the controller's processing poses to data subjects and to ensure that appropriate safeguards are put in place to protect data subjects from those risks.
 
 
The DPA is of the opinion that the requirement under Article 32 for appropriate security measures will normally mean that the controller must ensure that information about data subjects does not come to the knowledge of unauthorised persons.
 
 
The DPA considers that Joga, by not having limited unsuccessful login attempts and by using members' date of birth as a permanent password, has not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by Joga's processing of personal data, as required by Article 32(1) of the GDPR.
 
 
In this respect, the DPA has emphasised that known or easily accessible information should only be used as an initial password that must be changed at first login, and that the insufficient security measures allow unauthorised persons to gain access to members' personal data, for example through a so-called brute force attack or by obtaining information about a member, such as their date of birth.
 
 
Having examined the case, the DPA considers that there are grounds for criticising Joga for failing to process personal data in accordance with Article 32(1) of the GDPR.
 
 
The DPA also finds grounds to order Joga to bring its processing of personal data into line with Article 32(1) of the GDPR by forcing current and new Joga members to change their password to a sufficiently secure one at first login, with requirements on password entropy. The injunction is issued pursuant to Article 58(2)(d) of the GDPR.
 
 
For guidance on strong passwords, the DPA refers to the Danish Centre for Cyber Security's password guide[3] or to NIST SP 800-63B.
 
 
The DPA notes that, following this case, Joga has implemented a lockout of one hour after five unsuccessful login attempts, and a requirement that after ten unsuccessful attempts the user must write to Joga to be unlocked again.
 
 
 
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
 
 
[2] Act No 502 of 23 May 2018 on additional provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Act).
 
  
[3] https://cfcs.dk/globalassets/cfcs/dokumenter/vejledninger/-vejledning-passwordsikkerhed-2020.pdf
 
 
</pre>
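The two measures the decision turns on are concrete enough to sketch: the lockout thresholds Joga reported in section 2.1 and the DPA recorded in section 3 (five failed attempts lock the account for one hour, ten require writing to Joga), and the forced replacement of the date-of-birth password ordered in section 1, with a blocklist and length floor in the spirit of the NIST SP 800-63B reference. The Python below is an added example written for this page; it is not code from Joga, Sport Solution or Datatilsynet. It assumes a ddmm password format, the membership number as login name and a constructed sample member, none of which the decision states; the 358-attempt figure for the unprotected case is simply the day-of-year of 23 December in a leap year, which happens to match the complainant's "over 300 attempts".

```python
"""Account lockout and initial-password policy matching the measures the decision
describes.  Added illustration, not code from Joga, Sport Solution or Datatilsynet.
Thresholds follow the decision (five failures lock the account for one hour, ten
require a manual unlock); the ddmm password format, the membership number as login
name and all sample data are constructed assumptions."""
from __future__ import annotations
import hashlib, hmac, os, re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

MIN_PASSWORD_LENGTH = 8  # NIST SP 800-63B floor for user-chosen passwords
PBKDF2_ROUNDS = 10_000   # kept low so the demo runs fast; use far more in production

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    member_no: str
    date_of_birth: date
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = True  # True until the initial password is replaced
    failures: int = 0                  # cumulative until a success or manual unlock
    locked_until: datetime | None = None
    hard_locked: bool = False

def new_account(member_no: str, dob: date, initial_password: str) -> Account:
    return Account(member_no, dob, *hash_password(initial_password))

def dob_forms(dob: date) -> set[str]:
    """Spellings of a date of birth that must never be accepted as a password."""
    fmts = ("%d%m%Y", "%d%m%y", "%d-%m-%Y", "%d-%m-%y", "%d.%m.%Y", "%d.%m.%y",
            "%Y%m%d", "%d%m", "%d-%m", "%d.%m", "%d%B", "%d %B", "%d%b")
    return {dob.strftime(f).lower() for f in fmts}

def is_acceptable_password(candidate: str, acct: Account) -> bool:
    """Length floor plus a blocklist of the member's own date of birth and membership
    number; all-digit strings are refused as a date-sized brute-force target."""
    c = candidate.strip().lower()
    if len(c) < MIN_PASSWORD_LENGTH or re.fullmatch(r"\d+", c):
        return False
    return c not in dob_forms(acct.date_of_birth) and c != acct.member_no.lower()

class LoginGuard:
    def __init__(self, accounts: dict[str, Account], now=datetime.now,
                 temp_lock_after: int | None = 5, temp_lock_for=timedelta(hours=1),
                 hard_lock_after: int | None = 10):
        self.accounts, self.now = accounts, now  # injectable clock for offline tests
        self.temp_lock_after = temp_lock_after   # None disables, as before the injunction
        self.temp_lock_for, self.hard_lock_after = temp_lock_for, hard_lock_after

    def attempt(self, member_no: str, password: str) -> str:
        acct = self.accounts.get(member_no)
        if acct is None:
            hash_password(password)   # same cost and same answer as a wrong password,
            return "bad_credentials"  # so membership numbers cannot be enumerated
        if acct.hard_locked:
            return "hard_locked"
        if acct.locked_until and self.now() < acct.locked_until:
            return "temp_locked"
        if hmac.compare_digest(hash_password(password, acct.salt)[1], acct.pw_hash):
            acct.failures, acct.locked_until = 0, None
            return "change_password" if acct.must_change_password else "ok"
        acct.failures += 1
        if self.hard_lock_after and acct.failures >= self.hard_lock_after:
            acct.hard_locked = True
            return "hard_locked"
        if self.temp_lock_after and acct.failures % self.temp_lock_after == 0:
            acct.locked_until = self.now() + self.temp_lock_for
            return "temp_locked"
        return "bad_credentials"

    def manual_unlock(self, member_no: str) -> None:  # the "write to Joga" step
        acct = self.accounts[member_no]
        acct.failures, acct.locked_until, acct.hard_locked = 0, None, False

    def change_password(self, member_no: str, new_password: str) -> bool:
        acct = self.accounts[member_no]
        if not is_acceptable_password(new_password, acct):
            return False
        acct.salt, acct.pw_hash = hash_password(new_password)
        acct.must_change_password = False
        return True

def brute_force_dob(guard: LoginGuard, member_no: str, year: int = 2020):
    """Model of the complainant's script: try every day and month of a year as ddmm.
    Returns (attempts made, password found?, last response)."""
    d, attempts = date(year, 1, 1), 0
    while d.year == year:
        attempts += 1
        result = guard.attempt(member_no, d.strftime("%d%m"))
        if result in ("ok", "change_password", "temp_locked", "hard_locked"):
            return attempts, result in ("ok", "change_password"), result
        d += timedelta(days=1)
    return attempts, False, "exhausted"

if __name__ == "__main__":
    member = {"jo0000001": new_account("jo0000001", date(1990, 12, 23), "2312")}  # constructed
    print("no limit:", brute_force_dob(LoginGuard(member, temp_lock_after=None,
                                                  hard_lock_after=None), "jo0000001"))
    print("lockout: ", brute_force_dob(LoginGuard(member), "jo0000001"))
```

Two design points worth noting. The failure counter is cumulative across the one-hour lock, so the tenth failure still hard-locks the account even if the attacker waits out the temporary lock; resetting the counter when the lock expires would turn the "ten attempts" rule into "five attempts per hour, forever". And an unknown membership number gets the same answer, and the same hashing cost, as a wrong password, since the complainant's script relied on membership numbers being guessable in the first place.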
 