Editing Datatilsynet (Denmark) - 2020-441-6990

From GDPRhub

Latest revision compared with your text (from line 55 of the page):

=== Facts ===

Latest revision:

Personal data about a company's employees was spread on the dark web following a ransomware attack. The attackers had most likely gained access through an administrator account that was no longer in use. However, it was difficult to determine exactly how the attack had unfolded, since the attackers had deleted the relevant log files. The controller reported the breach to the Danish DPA.

Your text:

Personal data about a company's employees was spread on the dark web following a ransomware attack. The attackers had most likely gained access through an administrator account that was no longer in use. However, it was difficult to determine exactly how the attackers had gained access to the IT systems, since the attackers had deleted the relevant log files.

The controller reported the breach to the Danish DPA.

=== Holding ===

Latest revision:

The Danish DPA found that the controller had failed to implement appropriate technical and organisational security measures in light of the risks for the rights and freedoms of natural persons per [[Article 32 GDPR|Article 32(1) GDPR]].

The DPA highlighted that administrator rights should only be given to employees who need such rights. The rights should be given on a temporary basis and should be revoked when the need is no longer present. Furthermore, log files should be hidden from all accounts, including those with administrator rights. Users with administrator rights should not be able to delete or alter the log files.

The DPA also held that the controller had breached [[Article 24 GDPR|Article 24(1) GDPR]] by not being able to demonstrate the implementation of appropriate measures. Because the log files had been deleted, the controller could not demonstrate how the attackers had gained access or when the suspected administrator account had been active.

As a consequence, the Danish DPA decided to issue criticism of the controller's processing of personal data.

Your text:

The Danish DPA found that the controller had neglected to implement appropriate technical and organisational security measures in light of the risks for the rights and freedoms of natural persons per [[Article 32 GDPR|Article 32(1) GDPR]]. The DPA highlighted that administrator rights should only be given to employees who need such rights. The rights should be given on a temporary basis and should be revoked when the need is no longer present. Furthermore, log files should be hidden from all accounts, including those with administrator rights. Users with administrator rights should not be able to delete or alter the log files.

The DPA also held that the controller had breached [[Article 24 GDPR|Article 24(1) GDPR]] by not being able to demonstrate the implementation of appropriate measures. Because the log files had been deleted, the controller could not demonstrate how the attackers had gained access or when the suspected administrator account had been active.

As a consequence, the Danish DPA decided to issue criticism of the controller's processing of personal data.
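The two controls the DPA named in the holding, administrator rights that are time-limited and revoked once the need has passed, and log files that no account, administrator included, can delete, modelled as an added Python example (not part of the GDPRhub summary or of the decision; the AdminGrant and AppendOnlyLog classes and the sample grants are constructed for illustration, not a real IAM or logging API):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AdminGrant:
    """Time-bound administrator rights (constructed model, not a real IAM API)."""
    user: str
    expires_at: datetime
    revoked: bool = False


class AppendOnlyLog:
    """Audit log anyone may append to, but nobody, administrators included,
    may delete from: the property the DPA said the controller lacked."""

    def __init__(self):
        self._entries = []  # (when, actor, event)

    def append(self, when, actor, event):
        self._entries.append((when, actor, event))

    def delete(self, actor, role):
        # Deletion is refused for every role; there is no administrator bypass.
        raise PermissionError(f"{actor} ({role}) may not delete audit log entries")

    def last_activity(self, user):
        """When the user last acted; answerable only because entries survive."""
        times = [when for when, actor, _ in self._entries if actor == user]
        return max(times) if times else None


def stale_admin_grants(grants, now):
    """Grants still active although their validity period has ended."""
    return [g for g in grants if not g.revoked and g.expires_at <= now]


def revoke_expired(grants, now, log):
    """Revoke each stale grant, record it in the log, return revoked user names."""
    revoked = []
    for g in stale_admin_grants(grants, now):
        g.revoked = True
        log.append(now, "revocation-job", f"revoked admin rights of {g.user}")
        revoked.append(g.user)
    return revoked


# Constructed sample: one current grant, one expired but never revoked, one revoked.
NOW = datetime(2020, 6, 1)
SAMPLE_GRANTS = [
    AdminGrant("ops-oncall", NOW + timedelta(days=1)),
    AdminGrant("former-contractor", NOW - timedelta(days=370)),
    AdminGrant("ex-it-lead", NOW - timedelta(days=100), revoked=True),
]
```

Running `revoke_expired(SAMPLE_GRANTS, NOW, AppendOnlyLog())` closes the forgotten "former-contractor" grant, and the log that records it cannot be removed afterwards by any caller.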
