Datatilsynet (Norway) - 21/00480
|Datatilsynet (Norway) - DT-20/00480|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 24 GDPR
Article 32 GDPR
Personal Data Act § 26(1)
|Parties:||Østre Toten municipality|
|National Case Number/Name:||DT-20/00480|
|European Case Law Identifier:||n/a|
|Original Language(s):||Norwegian |
|Original Source:||Datatilsynet (in NO) |
Datatilsynet (in NO)
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA fined a municipality €409,768 (NOK 4,000,000) for breaches of Article 5(1)(f) GDPR, Article 24 GDPR and Article 32 GDPR after a serious ransomware attack led to highly sensitive personal data being irreparably lost and sold on the dark web.
English Summary[edit | edit source]
Facts[edit | edit source]
In early 2021, a Norwegian municipality (Østre Toten kommune) realized they had been exposed to a serious ransomware attack that locked employees out of key IT systems. Data had been encrypted and backups deleted.
About 30,000 documents were affected by the breach, including information about ethnic origin, political opinion, religious belief, trade union membership, sex life/sexual orientation, health, pedagogical diagnosis, birth number, electronic ID and bank account. About 2,000 documents were later discovered up for sale on the dark web. In total, about 160 GB of data was extracted and a large amount of data was irreparably lost.
The technical investigation revealed that the municipality had severe deficiencies in their IT systems and processes, including unsecured back-ups and the lack of two-factor authentication and proper log management. The criminals had likely gained access to the infrastructure through remote access solutions, combined with stolen login credentials which were likely obtained through phishing scams directed at the municipality's employees (about ten email addresses and passwords belonging to employees were discovered during the investigation).
The municipality notified the DPA about the breach and kept their inhabitants continuously informed. They also initiated a comprehensive work to establish routines for processing personal data and for data breach management.
Holding[edit | edit source]
The Norwegian DPA found that the municipality had neither protected personal data sufficiently, nor had proper internal controls in place, in breach of Articles 5(1)(f), 24 and 32, cf. the Personal Data Act § 26(1).
For this, the Norwegian DPA fined the municipality €409,768 (NOK 4,000,000). In addition, the DPA instructed the municipality to establish and implement an appropriate information security management system, and to conduct (and document) risk assessments for all key systems in their infrastructure with the aim of identifying the need for risk-reducing measures.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
ØSTRE TOTEN MUNICIPALITY PO Box 24 2851 LENA Their reference Our reference Date 21 / 00480-10 18.10.2021 Notification of decisions on infringement fines and orders Reference is made to Østre Toten municipality's advance notice and notification of breaches personal data security dated 22.01.2021 as well as subsequent additional messages. The non-conformance report stated that Østre Toten had been exposed to extensive data attack. The attack was discovered on 09.01.2021 when a number of professional systems were unavailable. In a letter dated 05.05.2021, we asked Østre Toten municipality for an account of the case. The municipality responded to the inquiry in a letter dated 02.06.2021. The Norwegian Data Protection Authority is aware that Østre Toten municipality has had close contact with relevant parties security authorities in connection with the case. The matter has also been reported to the police. The municipality has otherwise given us frequent status updates during the following and ongoing investigation work. 1. Notification of decisions on infringement fines and orders The Data Inspectorate takes the matter very seriously. We have come to the conclusion that Østre Toten municipality must be notified of the following decisions: Pursuant to the Privacy Ordinance, Article 58, paragraph 2, letter i, cf. the Personal Data Act § 26 and the Patient Records Act § 29, is imposed on Østre Toten municipality an infringement fee of 4,000,000 NOK - four million Norwegian kroner - to Treasury, for violation of the requirements for security and internal control during processing of personal data, cf. the Privacy Ordinance, Article 32 and Article 24, cf. the Personal Data Act § 26 first paragraph. The municipality has, among other things, been missing two-factor authentication at login, adequately secured backup systems and logging of important events in its network. Postal address: Office address: Telephone: Org.nr: Homepage: PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLO Østre Toten municipality is ordered to establish and document that a suitable management system for information security and personal data security has been implemented, cf. Article 58 (2) (d) of the Privacy Regulation as part of this work the municipality is required to carry out risk and vulnerability analyzes for all key systems / solutions in the infrastructure, for the purpose of identifying the need for risk reducing measures. The analyzes must be documented in the management system. 2. Detailed description of the security breach and subsequent measures On the night of 09.01.2021, Østre Toten municipality was exposed to a comprehensive ransomware virus attack. As a consequence, employees no longer had access to the municipality's IT systems, the municipality's data had been encrypted and backups deleted. A ransom note was found on a quantity locations. The municipality has estimated that approx. 30,000 documents are covered by the attack. The documents contained information on, among other things, ethnic origin, political opinion, religious beliefs, union membership, sexual relations, health conditions, educational diagnoses, birth number, MinID and bank account. In an additional report submitted on 31.03.2021, it appears that the investigation following the attack has revealed that data extracted during the attack was published on the dark web. There will be several types of documents that contain different types of personal information, and it is reasonable to assume that these documents also contained special categories of personal information, about the municipality's residents and / or employees. According to the municipality's estimates are about. 2,000 documents published. On 18.01.2021, KPMG was involved in the investigation to provide technical assistance. KPMG found among other things, that data from Østre Toten municipality's Exchange server was probably filtered out an IP address in the Netherlands. Review of network logs shows that it was transferred in total 31.5 GB data. Furthermore, the threatening actor had exported a large number of mailboxes from Exchange server. In total, mailboxes and other files make up approx. 160 GB data. The threatening actor has had administrator access to all computers, and all files from the servers that were examined may in principle have been exfiltered. On 30.03.2021, Østre Toten municipality and KPMG became aware of the threat actor had published stolen data on the dark web. Upon reviewing the leaked data material, KPMG found information indicating that the threat actor had had access to the municipality's infrastructure earlier than first assumed. IT- the department in the municipality quickly identified a server as most of the leaked the information most likely originated from (1,456 of 1,879 published files). It is not sure how much data was filtered out from this server. In the report from KPMG it appears that this uncertainty was primarily due to the lack of a network log backwards in time. In collaboration with an external party, Atea IRT retrieved the available log from Østre Toten municipal firewall. The log showed, among other things, that the traffic logs only covered The 2 period from 06.01.2021 to 09.01.2021. There was uncertainty associated with the traffic logs quality and coverage, and there was only limited logging of activity between internal zones in the network. Lack of logging made it difficult to determine where the filtered data was located origin. The municipality's firewall was configured to send log (syslog) to a server, but the storage part of this server was not running, probably due to a hardware failure. Furthermore, the firewall was sparsely configured for logging and a lot of internal traffic was never logged in. Servers were not configured to send log to central log reception and also lacked logging of important events. There was no centralized collection of logs, neither from servers, clients nor network equipment. Backup systems were deleted, which was a significant negative factor in the work to restore operation (availability) of the affected systems. The municipality was missing protection of backups against intentional and unintentional deletion, tampering and reading, which is crucial for good information and personal data security. Servers were also encrypted, which meant that the technical investigations were initially only based on the firewall logs from the period 06.01.2021 to 09.01.2021. While the firewall logs provided a good overview of traffic to and from the internet, they provided limited insight into internal traffic in the municipality's IT infrastructure. This was due to both the configuration of the firewall (inadequate logging) and the network topography (inadequate segmentation of network). Initial attack vector is unknown. KPMG points out in its report that firewall logs for the whole the period the threat actor has been active in the infrastructure would probably have contributed to uncover the attack vector. It is also likely that system logs from multiple machines could compensated for missing firewall logs. The technical investigations revealed that it is very likely that the threatening actor has received access to the infrastructure via remote access solutions such as RDP, Citrix, VPN or Teamviewer in combination with the use of stolen login details. Østre Toten municipality has not used two-factor authentication to log in to its systems before the incident. Utilization of stolen login details would therefore be very easy, provided that the municipality exposed remote access solutions where compromised login information would given access. Alternatively, the threatening actor may have used methods of social manipulation, too example via email, and tricked a user into installing malware that gave the threat actor necessary foothold. KPMG identified a dozen e-mail addresses and passwords of employees in Østre Toten municipality which in various ways had leaked login details. The municipality notified the inhabitants of the data attack. Information about the attack and the ongoing one The process of investigations was also continuously posted on the municipality's website. 3The municipality started an extensive work to prepare good routines for treatment of personal data and non-conformance handling. 3. Legal basis The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf. Article 57 of the Regulation. 3.1 The basic principles The basic principles for the processing of personal data are set out in Article 5 of the Privacy Regulation. We refer in particular to Article 5 (1) (f), where it appears: «1. Personal information shall (…) f) processed in a manner that ensures sufficient security for the personal data, including protection against unauthorized or unlawful processing (…), using appropriate means technical or organizational measures ("integrity and confidentiality") ". It is the responsibility of the data controller to ensure that the principles are complied with, and that persons responsible for processing must be able to demonstrate this, cf. Article 5 (2). 3.2 The requirements for personal data security and management systems Article 32 of the Privacy Regulation regulates the security requirements when processing personal information. The following is an excerpt from the relevant sections of Article 32: «1. Taking into account the technical development, implementation costs and the nature, scope, purpose and context of the treatment, as well as the risks of varying degrees of probability and severity for the rights of natural persons and freedoms, the data controller and the data processor shall implement appropriate technical and organizational measures to achieve a level of security that is appropriate with consideration of the risk, including, inter alia, as appropriate, (…) b) ability to ensure lasting confidentiality, integrity, availability and robustness in treatment systems and services (…). 2. In assessing the appropriate level of safety, special consideration shall be given to the risks associated with the processing, in particular as a result of (…) unauthorized disclosure of or access to personal information that has been transferred, stored or otherwise treated". The obligation to implement appropriate technical and organizational measures is correspondingly stated in Article 24 of the Privacy Regulation, which regulates the liability of the controller separately. 3.3 In particular on the imposition of infringement fines Article 58 no. 2 letter i of the Privacy Ordinance, cf. the Personal Data Act § 26 other paragraph, it appears that the Data Inspectorate may impose on public authorities and bodies 4 infringement fine under the rules of the Privacy Ordinance Article 83 in case of violation the regulations. Violation fees are a tool to ensure effective compliance and enforcement of the privacy regulations. In accordance with the Supreme Court's practice, cf. Rt. 2012 page 1556, we assume that infringement fines are to be regarded as penalties under the European Convention on Human Rights Article 6. A clear preponderance of probabilities for offenses is therefore required in order to be able to impose fee. Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains, among other things, an overview of which aspects are to be taken into account, both in the assessment of whether an infringement fee is to be imposed and in determining the amount of the fee. The relevant parts of Article 83 (1) and (2) are reproduced below: «1. Each supervisory authority shall ensure that the imposition of infringement fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 of each case is effective, stands in a reasonable relation to the violation and works deterrent. 2. (…) When a decision is made on whether to impose an infringement fee and on the amount of the infringement fee, it must be duly taken into account in each individual case following: a) the nature, severity and duration of the infringement, taking into account to the nature, scope or purpose of the treatment concerned as well as the number of registered as are affected, and the extent of the damage they have suffered, b) whether the infringement was committed intentionally or negligently, c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects, d) the degree of responsibility of the data controller or data processor, as taken with regard to the technical and organizational measures they have implemented in accordance with Articles 25 and 32, e) any relevant previous violations committed by the data controller or the data processor, (f) the degree of cooperation with the supervisory authority to remedy the infringement; and reduce the possible negative effects of it, g) the categories of personal data affected by the infringement, (h) the manner in which the supervisory authority became aware of the infringement, in particular: and possibly to what extent the data controller or data processor has notified of the infringement, (…) k) any other aggravating or mitigating factor in the case, e.g. economic benefits gained, or losses avoided, directly or indirectly, such as consequence of the infringement ». Article 83 also sets out the framework for the magnitude of the infringement fine. We show in this in connection with Article 83, paragraphs 4 and 5. The relevant parts of the provisions are: 5 «4. In the event of violations of the following provisions, it shall be imposed in accordance with paragraph 2 infringement fine of up to EUR 10,000,000 (…): (a) the obligations of the controller and the processor in accordance with Articles 8, 11, 25-39 and 42 and 43 (…) '. 5. In the event of violations of the following provisions, it shall be imposed in accordance with paragraph 2 infringement fine of up to EUR 20,000,000 (…): (a) the basic principles of treatment, including conditions for consent; i pursuant to Articles 5, 6, 7 and 9 (…) '. Section 26, first paragraph, of the Personal Data Act states that Article 83 of the Privacy Ordinance Paragraph 4 shall apply mutatis mutandis to infringements of Article 24 of the Regulation. 4. The Danish Data Protection Agency's assessment As stated above, there were major shortcomings in Østre Toten's personal data security. The shortcomings are related to logging, backup and lack of two-factor authentication. This shows a weakness both in the municipality's ability to identify hacker attacks and deficient information security in the system. This in itself constitutes a breach of the requirements personal data security in Article 32 of the Privacy Ordinance, cf. Article 24. The attack on Østre Toten municipality is particularly serious because it has affected everyone municipal data. We take very seriously the control over personal information about the municipality's residents and employees are completely lost through the current data attack. Information is shared on the dark web to an unknown extent. The fact that backup systems were deleted was a significant negative factor in the work of restoring operation (availability) of the affected systems. That Østre Toten municipality is not protected backups against intentional and unintentional deletion, manipulation and reading were significant lack of the municipality's management system for information and personal data security. KPMG and Østre Toten municipality have pointed out that the firewall was poorly configured with thought in mind on logging. A lot of internal traffic was never logged, and the servers were not configured to send log to central log reception. It is pointed out that the reason is both the configuration of the firewall (inadequate logging) and the network topography (inadequate segmentation of the network). We considers this as a fundamental weakness in the municipality's information security as such itself constitutes a breach of the Privacy Regulation Article 32, cf. Article 24. As a result of inadequate information security measures, compared with management's and employees' lack of awareness of possible security threats and computer attacks, Østre Toten has municipality violated the basic principle of the duty to safeguard information confidentiality and integrity, cf. the Privacy Ordinance Article 5 No. 1 letter f. 4.1 Assessment of whether an infringement fee is to be imposed The Norwegian Data Protection Authority has concluded that the municipality has violated the Privacy Ordinance 32, cf. Article 24 and Article 5 No. 1 letter f. 6Under we review the factors that we consider relevant for the assessment of whether infringement fines must be imposed. (a) the nature, gravity and duration of the infringement, taking into account it; the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and the extent of the damage they have suffered All the municipality's data is affected by the attack, including special categories of personal information and information on children, both of whom are entitled to special protection. The data is lost too municipality and shared to an unknown extent on the dark web. It is thus impossible to prevent further sharing or compromise of personal information, which makes the case special serious. b) whether the infringement was committed intentionally or negligently The Data Inspectorate assumes that Østre Toten municipality, through the councilor as chief executive, has acted negligently by failing to ensure adequate personal data security and internal control in the municipality. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects The municipality quickly reported to relevant actors, such as the police and supervisory authority, after that the discrepancy was discovered. With external assistance, the municipality has done its utmost to follow up the case and prevent further adverse effects. Furthermore, the municipality quickly took measures to notify the inhabitants of the data breach. The municipality has also continuously posted information on the municipality's website. The municipality has begun work on preparing good routines for treatment of personal data and non-conformance handling. d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32 Østre Toten municipality has had fundamental shortcomings in personal data and information security and internal control work. Due to these shortcomings have the integrity and confidentiality of all personal information about the municipality's inhabitants and employees have been compromised. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it The municipality quickly reported to the supervisory authority and has subsequently fully cooperated this spring case processing process, including through ongoing updates. g) the categories of personal data affected by the infringement Special categories of personal information and personal information about children are affected by the data attack. It is also likely that such information is shared on the dark web. 7h) in what way the supervisory authority became aware of the infringement, in particular if and if so the extent to which the data controller or data processor has notified the infringement The municipality itself reported the deviation, in line with the reporting obligation under the Privacy Ordinance Article 33. The discrepancy was first reported orally, but additional information was provided in writing within a reasonable time. Conclusion As mentioned, the Data Inspectorate takes the discrepancy very seriously as the control over all data in the municipality is lost. This includes special categories of personal information and information about children, who according to the privacy regulations have a special protection. Personal information is shared the dark web, making it impossible to foresee the consequences of the discrepancy. We assume that the municipality has had fundamental shortcomings in personal data and information security and internal control work. We have come to the conclusion that the municipality has broken Article 32, cf. 24 of the Privacy Regulation, and also the basic principle of integrity and confidentiality in Article 5 (1) (f). On this basis, we have come to the conclusion that Østre Toten municipality should be imposed a infringement fee, cf. Article 83 nos. 4 and 5, cf. also the Personal Data Act § 26. 4.2 Measurement of the fee In assessing the size of the fee, we have taken into account that the data attack could occur as a result of very basic shortcomings in the municipality's personal data and information security system. The municipality has not established or carried out internal control in a way that has been suitable for capturing these security holes. This in itself is very serious. The data attack has also meant that all of the municipality's data has been compromised and lost the future. We assume that the attack has led to the spread of some very personal data worthy of protection on the dark web. This could be serious too the individual registered, but also has extensive consequences for the municipality's ongoing operations. This is also an aggravating factor in the case. This case illustrates how serious the consequences of a computer attack can be and how important it is it is therefore necessary to have a robust infrastructure and adequate protection against security attacks from the outside. As a result of the data attack, Østre Toten municipality has had to spend large sums on restore a functioning IT system and ensure satisfactory information security. 1 This work has not been completed. According to information in the media, the data attack has so far cost money the municipality over kr. 32,000,000. This is necessarily a huge financial burden for one municipality with almost 15,000 inhabitants. The municipality's financial situation is a factor 1 https://aktuellsikkerhet.no/cybersikkerhet-datainnbrudd-it-sikkerhet/ostre-toten-kommune-dataangrepet-har- Cost-us-more-than-32-million / 700321 https://www.ssb.no/kommunefakta/ostre-toten 8 which will be important for our measurement of the fee, cf. the Privacy Ordinance Article 83 no. 2 letter k. It speaks in the municipality's favor that they themselves reported the deviation to the Data Inspectorate and have been very cooperative afterwards. The municipality has also done its utmost to provide good information to the inhabitants. In the event of a breach of basic principles regarding the processing of personal data and requirements for personal data security, the starting point is that an infringement fee will be high. We have nevertheless emphasized that the municipality has already spent significant sums on restoring and improve IT systems and personal data security, which has set Østre Toten municipality in a difficult financial situation. The municipality's extensive work towards supervisory authorities, police and residents / employees after the discrepancy was discovered shall also have some bearing on the size of the infringement charge. The Danish Data Protection Agency has come to the conclusion that an infringement fee of NOK 4,000,000 is reasonable in this the case. In our assessment, the amount reflects both the seriousness of the offense, the municipality's financial situation after the attack and the municipality's extensive work afterwards. Without these conditions, the fee would be set significantly higher. 4.3 Assessment of whether an order should be issued Security in the processing of personal data, including information security, is in place overall a management responsibility. The performance of tasks can be delegated, but not the responsibility. As tools to achieve effective technical and organizational measures, management must ensure that there are management systems for personal data security as part of the internal control system and the business control. The current case shows major shortcomings in Østre Toten municipality's work information security. The shortcomings have had very serious consequences in the form of the loss of everyone the municipality's data through a data attack. Based on this, we have found a basis for giving Østre Toten municipality the following order: Østre Toten municipality is required to establish and document that a suitable management system for information security and personal data security has been implemented, cf. Article 58 (2) (d) of the Privacy Ordinance the municipality to carry out risk and vulnerability analyzes for all key systems / solutions in the infrastructure, for the purpose of identifying the need for risk reducing measures. The analyzes must be documented in the management system. 5. Further proceedings This is a prior notice of a decision on an infringement fee and order, cf. the Public Administration Act § 16. 9If you have any comments on the notification letter, please send it to us within three weeks upon receipt of this letter. If you have any questions, you can contact caseworker Susanne Lie (tel. 22 39 69 57) or Kristine Stenbro (tel. 22 39 69 55). With best regards Bjørn Erik Thon director Susanne Lie senior legal adviser The document is electronically approved and therefore has no handwritten signatures COPY TO: ØSTRE TOTEN MUNICIPALITY, Sigve Hassel 10