Datatilsynet (Denmark) - 2021-31-4596

From GDPRhub
Datatilsynet (Denmark) - 2021-31-4596
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Article 33(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 15.11.2021
Fine: None
Parties: T. Hansen Gruppen A/S
National Case Number/Name: 2021-31-4596
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Tetyana Porokhonko

The Danish DPA found that a controller failed to implement appropriate security measures to prevent unauthorised access to its customers' data, failed to report a data breach. It therefore ordered the company to encrypt all customers' passwords with a recognised algorithm so that they are not stored in clear text.

English Summary

Facts

The data subject, who is the customer of T. Hansen Gruppen A/S (the controller) filed a complaint against the company. The data subject's personal information had been accessed by an unauthorised person because the controller had failed to implement appropriate security measures.

The data subject stated that they had a customer profile on the controller's website, where their mobile number was used as a customer number. In 2020 they discovered that another person's data appeared in their profile, namely, this other person's email address, their purchase history, but also data subject's previous phone number. The data subject argued that the issue occurred because this other person had received their previous mobile number, and when this person made a purchase on the controller's website, both customers' data were put into the same profile. Thus, the unauthorised person had gotten access to the data subject's personal information.

The controller confirmed that the unauthorised person's information was available in data subject's profile for an unknown period. It explained that if the unauthorised person would have decided to use "resend password" function, the password would have been sent in clear text to their email. However, the controller also stated that the unauthorised person had neither accessed the website login, nor used the function "resend password".

Furthermore, the controller argued that the incident was unlikely to result in a risk to the data subject's rights or freedoms, as no personal information had been compromised, and therefore, decided not to notify the data breach to the DPA.

Holding

The Danish DPA held that T. Hansen Gruppen A/ had not implemented appropriate security measures pursuant to Article 32(1) GDPR to prevent unauthorised access to its customers personal data, and ordered the company to use a recognised algorithm (e.g. hashing) to encrypt all passwords so that they are not stored or can be reset in clear text.

Furthermore, the DPA found that the company had not complied with its obligation under Article 33(1) GDPR to notify a personal data breach to the DPA without undue delay.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Inadequate safety measures at T. Hansen
Date: 15-11-2021
Decision

The Danish Data Protection Agency has criticized the fact that customer profiles at T. Hansen have not had appropriate security measures - and have given the company an order to encrypt customers' passwords.

Journal number: 2021-31-4596.
Summary
A customer at T. Hansen Gruppen A / S has complained to the Danish Data Protection Agency that the company has not had appropriate security measures.
The complainant in the case has had a customer profile where the customer number has been identical to the complainant's telephone number. Complainant at one point changed his telephone number, while an unauthorized person for Complainant took over Complainant's previous telephone number. When the unauthorized person subsequently made a purchase from T. Hansen, the complainant's and the person's information was combined on the complainant's customer profile. The unauthorized person has for a period had access to the complainant's information and access to receive the complainant's password in clear text.
The Danish Data Protection Agency criticized the fact that T. Hansen had not complied with the requirements of the Data Protection Regulation on appropriate security measures and notification of breaches of personal data security.
This was justified by the Danish Data Protection Agency on the grounds that T. Hansen had not taken into account when developing his system that customers' information may risk being combined, for example as a result of a telephone number being transferred from one person to another.
The Danish Data Protection Agency is of the opinion that the reuse of telephone numbers is a normally occurring and expected scenario, which is why it should have been included in the determination of the relevant security measures.
The Danish Data Protection Agency has also emphasized that T. Hansen in his system has stored the users' self-selected passwords in clear text without a recognized algorithm for an irreversible encryption thereof, and that T. Hansen has had a function where users have been able to receive passwords in clear text to the user's specified e-mail address upon request, notwithstanding that T. Hansen has not made a risk assessment.
Against this background, the Danish Data Protection Agency has given T. Hansen an order to use a recognized algorithm for encryption (eg hashing) of all passwords, so that these are not stored or can be restored in clear text. On November 4, 2021, T. Hansen stated that they have complied with the order.
Decision
After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing criticism that T. Hansen Gruppen A / S ’processing of personal data has not taken place in accordance with the rules in the Data Protection Ordinance [1], Article 32 (1). 1, and Article 33, para. 1.
The Danish Data Protection Agency also finds grounds for issuing an order to T. Hansen Gruppen A / S - to the extent that T. Hansen Gruppen A / S still stores passwords in plain text - to use a recognized algorithm for encryption (eg hashing) of all passwords , so that these are not stored or can be restored in clear text.
The order is issued pursuant to Article 58 (1) of the Data Protection Regulation. 2, letter d. It is noted in this connection that non-compliance with an order from the Danish Data Protection Agency can be punished with a fine, cf. the Data Protection Act [2] section 41, subsection. 2, no. 5, cf. 6.
The order must be complied with no later than 5 November 2021. The Danish Data Protection Agency must request no later than the same date to receive a confirmation that the order has been complied with.
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
It appears from the case that complaints since 2013 have been created in T. Hansen Gruppen A / S 'customer system with three different customer numbers. Telephone numbers usually constitute the customer number at T. Hansen Gruppen A / S.
During 2020, complainants discovered that an unauthorized person's email address and purchase appeared on complainant's oldest customer profile. The customer number on the profile is the complainant's previous mobile number. The problem was due to an unauthorized person taking over the complainant's previous mobile number, making a purchase from T. Hansen Gruppen A / S, providing the mobile number and the person's e-mail address at the time of purchase, and on this basis the person's purchase and information were entered on the complainant's customer profile.
2.1. Complainant's remarks
Complainants have generally stated that information about complaints about the complainant's customer profile could have been accessed by an unauthorized person, as the person has taken over the complainant's previous mobile number, which T. Hansen Gruppen A / S has used as the customer number. The complainant's customer profile thus contains information about both the complainant and the unauthorized person's name, address, telephone number and purchase from T. Hansen Gruppen A / S.
In addition, complainants have stated that forgotten passwords are stored and sent in clear text at a customer's request. Complainants have verified T. Hansen Gruppen A / S ’solution, and complainants were thus sent their self-chosen password in clear text via email on 25 January 2021. On this basis, the complainant has stated that the unauthorized person who has taken over the complainant's previous mobile number has been able to have the complainant's password sent to his or her e-mail address.
Complainants have also stated that the unauthorized person's e-mail address in the customer profile at T. Hansen Gruppen A / S has been stated by T. Hansen Gruppen A / S as the profile's primary e-mail address.
2.2. T. Hansen Gruppen A / S ’comments
Kromann Reumert has, on behalf of T. Hansen Gruppen A / S, made statements in the case.
On behalf of T. Hansen Gruppen A / S, Kromann Reumert has stated that information about the unauthorized person has appeared in the complainant's customer profile for an unknown period, but probably from 29 January to 2 February 2021, and at least until no later than on February 9, 2021.
If the unauthorized person during this period had accessed the complainant's customer profile with T. Hansen Gruppen A / S, the person would receive information about the complainant's name, address, telephone number, e-mail address and invoice from previous purchases.
If the unauthorized person had clicked on "resubmit password", this person would have the complainant's password sent in clear text to his e-mail address. The actual shipment would be encrypted at the transport warehouse with TLS 1.2. In this connection, Kromann Reumert has noted that the transmitted password is most likely an auto-generated password.
However, T. Hansen Gruppen A / S has been able to establish that the unauthorized person has neither accessed the web login nor used the function "resend password".
T. Hansen Gruppen A / S has stated that the company saves or has stored a copy of the complainant's password in plain text or in a form that can be traced back to plain text. By using the "forgotten password" function, complainants could have their password sent in clear text to their provided e-mail address if the customer number and e-mail on the customer profile matched what the complainant had stated. The transmission would then be encrypted.
T. Hansen Gruppen A / S has - in agreement with the complainant - transferred all the complainant's information, including purchase history, to the complainant's customer profile with the complainant's current telephone number, and deleted the complainant's one customer profile and blocked the other customer profile.
Kromann Reumert has stated that the error occurred because the staff at T. Hansen Gruppen A / S had not verified data on the customer profile in question in connection with the unauthorized person's purchase. The staff should have ensured separation of the two customers' purchase history; either by creating a new customer profile for the unauthorized person, or by ensuring the transition of the complainant's data to a new customer number.
To prevent similar cases from happening again, T. Hansen Gruppen A / S closed down the possibility for private customers to access the web log-in on 9 February 2021 and removed the possibility of resubmitting passwords on 14 April 2021. T. Hansen Gruppen A / S is working on a new log-in solution with a different password policy, where forgotten passwords must be reset instead of being sent via email to the user. Until then, T. Hansen Gruppen A / S has blocked the existing solution. In addition, T. Hansen Gruppen A / S has initiated changes in the company's ERP system so that data on customer profiles cannot be aggregated unless a verification of data has been made in advance. This means that all customers who are not completely identifiable will have a new account created with T. Hansen Gruppen A / S when ordering goods.
T. Hansen Gruppen A / S has not carried out a risk assessment for sending passwords in clear text via e-mail, but is preparing a risk assessment based on the new web-log solution.
T. Hansen Gruppen A / S has not made a notification, as the company has assessed that it is unlikely that the incidents involve a risk to the complainant's rights or freedoms, as no personal information about complaints has been compromised. It has also been assessed that the fact that complainants have gained access to general information about the person does not entail a risk to the rights or freedoms of the unauthorized person. For the same reason, T. Hansen Gruppen A / S has not notified the person of the incident.
Justification for the Danish Data Protection Agency's decision
3.1 Article 32 of the Data Protection Regulation
On the basis of the information provided in the case, the Danish Data Protection Agency assumes that information was added to the complainant's customer profile at T. Hansen Gruppen A / S about an unauthorized person's name, address, telephone number and purchase at T. Hansen Gruppen A / S, and that the unauthorized person for an unknown period but presumably from January 29 to February 2, 2021, had access to access information about complainants and access to have the complainant's password sent to them.
On this basis, the Danish Data Protection Agency assumes that there has been unauthorized access to personal data, which is why the Authority finds that there has been a breach of personal data security, cf. Article 4, no. 12 of the Data Protection Regulation.
It follows from Article 32 (1) of the Data Protection Regulation 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data.
Thus, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks.
The Danish Data Protection Agency is of the opinion that the requirement in Article 32 for appropriate security will normally mean that in systems with a large number of information about a large number of users, higher requirements must be placed on the data controller's care in ensuring that unauthorized access does not occur. to personal data and that all probable error scenarios should be tested in connection with the development of new software where personal data is processed.
Furthermore, the Danish Data Protection Agency is of the opinion that in connection with processes where users' passwords are stored in IT solutions that are exposed to networks over which the data controller has no control, it will normally be an appropriate security measure to use a recognized algorithm for encryption (f .exercise hashing) of passwords so that they are not stored in clear text at any time.
This applies regardless of which and how much personal information the processing includes. The reason for this is that many registered users reuse passwords across services, etc., which is why there is an imminent risk that the password combined with e.g. an email address will be able to provide access to further information on other websites, etc.
On this basis, the Danish Data Protection Agency finds that T. Hansen Gruppen A / S has not complied with the requirement for necessary security measures in Article 32 (1) of the Data Protection Ordinance. 1.
The Danish Data Protection Agency has hereby emphasized that T. Hansen Gruppen A / S has not taken into account when developing its system that customers' information may risk being aggregated, for example as a result of a telephone number being transferred from one person to another. . The Danish Data Protection Agency is of the opinion that re-use of telephone numbers is a foreseeable and normally occurring scenario, which is why this should have been included in the determination of the relevant security measures. In addition, the Danish Data Protection Agency has emphasized that T. Hansen Gruppen A / S in its system has stored the users' self-selected passwords in clear text without a recognized algorithm for an irreversible encryption thereof, and that T. Hansen Gruppen A / S has had a function where users have been able to receive passwords in clear text to the user's specified e-mail address upon request, despite the fact that T. Hansen Gruppen A / S has not made a risk assessment in accordance with this.
The Danish Data Protection Agency also finds grounds for issuing an order to T. Hansen Gruppen A / S - to the extent that T. Hansen Gruppen A / S still stores passwords in plain text - to use a recognized algorithm for encryption (eg hashing) of all passwords , so that these are not stored or can be restored in clear text.
The order is issued pursuant to Article 58 (1) of the Data Protection Regulation. 2, letter d. It is noted in this connection that failure to comply with an order from the Danish Data Protection Agency can be punished with a fine, cf. the Data Protection Act, section 41, subsection. 2, no. 5, cf. 6.
The order must be complied with no later than 5 November 2021. The Danish Data Protection Agency must request no later than the same date to receive a confirmation that the order has been complied with.
The Danish Data Protection Agency has noted that T. Hansen Gruppen A / S has closed down the possibility for private customers to access web log-in, removed the possibility of resubmitting passwords and is working on a new log-in solution with a different password policy, where forgotten passwords must be reset instead of being sent by mail to the user. The Danish Data Protection Agency has also noted that T. Hansen Gruppen A / S has initiated changes in the company's ERP system so that data on customer profiles cannot be aggregated unless a verification of data has been made in advance.
3.2. Article 33 of the Data Protection Regulation
It follows from Article 33 (1) of the Regulation 1, that the data controller in the event of a breach of personal data security without undue delay, and if possible within 72 hours, must report the breach to the Danish Data Protection Agency, unless it is unlikely that the breach of personal data security entails a risk to natural persons' rights or freedoms.
The Danish Data Protection Agency finds that T. Hansen Gruppen A / S - by not reporting the breach to the Danish Data Protection Agency - has not complied with the requirements of Article 33 (1) of the Data Protection Ordinance. 1.
It is the Data Inspectorate's assessment that the unauthorized access to personal data for complaints about the unauthorized person constitutes a breach of personal data security, which must be reported to the Authority. In this connection, the Danish Data Protection Agency has emphasized that all breaches of personal data security must be reported to the Danish Data Protection Agency, unless it is unlikely that the breach of personal data security entails a risk to the rights or freedoms of natural persons. A risk to the rights and freedoms of natural persons includes i.a. discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data subject to professional secrecy or any other significant economic or social inconvenience to the data subject. In this connection, the Danish Data Protection Agency is of the opinion that T. Hansen Gruppen A / S has not proved that it is unlikely that the breach of personal data security entails a risk to the unauthorized person's rights or freedoms.
On that occasion, the Danish Data Protection Agency must emphasize that T. Hansen Gruppen A / S will in future report similar security breaches to the Danish Data Protection Agency in accordance with Article 33 (1) of the Data Protection Ordinance. 1.
3.3. Summary
On the basis of the above, the Danish Data Protection Agency finds that there is a basis for expressing criticism that T. Hansen Gruppen A / S ’processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Regulation. 1, and Article 33, para. 1.
The Danish Data Protection Agency also finds grounds for issuing an order to T. Hansen Gruppen A / S - to the extent that T. Hansen Gruppen A / S still stores passwords in plain text - to use a recognized algorithm for encryption (eg hashing) of all passwords , so that these are not stored or can be restored in clear text.
The order is issued pursuant to Article 58 (1) of the Data Protection Regulation. 2, letter d. It is noted in this connection that failure to comply with an order from the Danish Data Protection Agency can be punished with a fine, cf. the Data Protection Act, section 41, subsection. 2, no. 5, cf. 6.
The order must be complied with no later than 5 November 2021. The Danish Data Protection Agency must request no later than the same date to receive a confirmation that the order has been complied with.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).
[2] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).