Datatilsynet (Denmark) - 2021-441-9489

From GDPRhub
Datatilsynet - 2021-441-9489
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Directive 2016/679
Type: Other
Outcome: n/a
Started:
Decided: 22.06.2022
Published: 22.06.2022
Fine: n/a
Parties: Designbysi
National Case Number/Name: 2021-441-9489
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: lou_schda

The Danish DPA reprimanded a fashion brand because its lack of sufficient technical and organisational measures allowed hackers to gain access to the customers' payment information.

English Summary

Facts

The controller is Designbysi, a Danish fashion brand. Due to a security issue, hackers were able to implement a JavaScript code on Designbysi's website. Subsequently, customers saw an error message during their purchase with a request to re-enter their card information before purchasing an item. This enabled the hackers to collect the customers' payment card information. The hackers' attack could have potentially affected anyone purchasing items on the website between 26 April 2021 and 22 June 2021. It was not possible to identify exactly how many and which cards had been affected. As soon as Designbysi noticed the problem, the JavaScript code was removed and the personal data breach was reported to the DPA. Designbysi also sent a mail to all customers informing them about the breach and recommending them to contact their bank. Designbysi has also fixed the technical issue that made the attack possible.

Holding

The Danish DPA issued a reprimand against Designbysi for violating Article 32(1) GDPR by not implementing sufficient technical and organisational measures to ensure an appropriate security level for the clients' accounts. In particular, Designbysi should have implemented two-factor authentication for persons who could change the website script.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Danish Data Protection Agency has expressed serious criticism that Designbysi has not complied with the requirement for necessary security measures in the GDPR

Date: 22-06-2022

Decision Private companies Serious criticism Reported breach of personal data security Process security Security Hacking o.l. Password Unauthorized access

Designbysi was the victim of a hacker attack, in which unauthorized persons collected customers' card information. Prior to the incident, multifactor login was not introduced for users who had access to change the payment script.

Journal number: 2021-441-9489

Summary

The Danish Data Protection Agency has made a decision in a case where Designbysi ApS has reported a breach of personal data security.

Designbysi was the victim of a hacker attack, in which unauthorized persons inserted a JavaScript on Designbysi's webshop to collect their customers' card information.

Designbysi had not before the incident introduced multifactor login for the users who had access to change in the payment script.

On that basis, the Danish Data Protection Agency found grounds for expressing serious criticism of Designbysi.

Decision

Following an examination of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that Designby's processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Regulation [1]. 1.

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation

On 25 June 2021, Designbysi reported a breach of personal data security to the Danish Data Protection Agency.

It appears from the review that external had inserted an unauthorized JavaScript on Designby's webshop to collect their customers' card information. The JavaScript caused customers to receive an error message during their purchase, after which they were asked to enter their card information once more.

Designbysi has stated that on 22 June 2021, they received an email from Nets about the breach of personal data security, and Designbysi contacted the Data Processor shortly afterwards. The same day, the unauthorized JavaScript was interrupted on the webshop.

It appears from the statement from the Data Processor that on the basis of logs, the Data Processor could conclude that the attack was not seen actively until 23 April 2021.

It also appears from the statement from the Data Processor that the attack was probably carried out by utilizing a stolen / guessed login information for the specific webshop. The data processor based this conclusion on the fact that only Designby's webshop had the unauthorized JavaScript, which points to a specific reason for the attack.

The data processor has stated that it is not possible to state exactly how many and which cards have been affected. But the Data Processor suspects that the attack could potentially have affected everyone who shopped on designbysi.dk between 26 April 2021 and 22 June 2021, both days inclusive.

This will also include cardholders who gave up after the error message and thus there is no specific information about these.

Designbysi has stated that it could potentially be all X number of customers who have shopped on the Danish side during the period that are affected. On 28 June 2021, Designbysi sent an email to all affected customers about the breach of personal data security and recommended that customers contact their bank.

Designbysi has further stated that on June 22, 2021, they have introduced two-factor authentication on all of their six users, as well as scripting passwords. All six people, three of whom are owners, have been informed to be careful with any. malicious links in emails. All Designby's computers have been cleaned and checked for possible uninvited guests, but nothing has been found.

In addition, Designbysi has asked the Data Processor to remove Designbys' option to change the payment script. In this connection, Designbysi has stated that this - at the time of the answer on 29 July 2021 - was not possible, but something Designbysi wanted to push for.

Designbysi has stated that the Data Processor has responded: “The incident occurred when a third party gained access to the webshop's control panel by knowing the username and password. The webshop system itself has not had security holes. ”

Subsequently, the Data Processor has made Designbysi aware of two-factor authentication, which the Data Processor has given Designbysi access to, and which Designbysi has archived on all logins.

The Data Processor has informed Designbysi that the Data Processor does not verify code or changes that the customer himself installs on the webshop. It is the responsibility of the webshop owner to verify and check the code and the changes that he makes to his webshop.

In this connection, Designbysi has stated that they do not agree as a customer. Designbysi can not see how they should be able to detect the problem themselves, or be able to decipher different JavaScripts in a setup.

Justification for the Danish Data Protection Agency's decision

On the basis of what has been stated in the case, the Danish Data Protection Agency cannot ascertain what weakness at Designbysi the unauthorized persons have exploited.

Based on the information provided by Designbysi and Databehandleren, the Danish Data Protection Agency assumes that Designbysi has only introduced two-factor authentication for administrative rights to the webshop and the domain after the incident.

On the basis of the information provided, the Danish Data Protection Agency also assumes that six employees' login information gave access to change in the payment script.

It follows from Article 32 (1) of the Data Protection Regulation 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data.

Thus, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks.

The Danish Data Protection Agency is of the opinion that the requirement pursuant to Article 32 for appropriate security will normally mean that login information that provides access to payment information or the possibility to change payment scripts must be secured against hackers being able to access the information only with a deceived username and password. , eg. from a phishing attack. It is thus the Data Inspectorate's assessment that it is an appropriate security measure to implement multifactor authentication on such login information. In addition, the Authority is of the opinion that access to payment modules and change rights to the domain should generally be limited to a specially named account used solely for this purpose and an appropriately complex password with simultaneous multifactor login, in order to reduce the possibility of those accounts employees use on a daily basis in the event of an attack on their daily communications, compromising the payment service and the root security of the root domain.

On the basis of the above, the Danish Data Protection Agency finds that Designbysi - by failing to carry out such double verification - has not taken appropriate organizational and technical measures to ensure a level of security appropriate to the risks involved in Designbysi's processing of personal data, cf. 32, para. 1.

After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that Designby's processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Regulation. 1.

When choosing a response in an aggravating direction, the Danish Data Protection Agency has emphasized that the lack of security measures made it possible for the hackers to gain access to payment information about Designby's customers, which could potentially cause financial damage to the affected customers.

The Danish Data Protection Agency has noted that, following the case, Designbysi has introduced two-factor authentication on all their six users, as well as the script passwords.

For guidance on strong passwords, the Danish Data Protection Agency also refers to the Center for Cyber Security's password guidance [2] or NIST 800-63-3.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).

[2] https://www.cfcs.dk/globalassets/cfcs/dokumenter/vejledninger/-vejledning-passwordsikkerhed-2020.pdf