Datatilsynet (Norway) - 21/00480

Datatilsynet (Norway) - DT-20/00480
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 24 GDPR
Article 32 GDPR
Personal Data Act § 26(1)
Type: Investigation
Outcome: Violation Found
Started:
Decided: 18.10.2021
Published: 19.10.2021
Fine: 4000000 NOK
Parties: Østre Toten municipality
National Case Number/Name: DT-20/00480
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA proposed a fine of €409,768 (NOK 4,000,000) against a municipality for breaches of Article 5(1)(f) GDPR, Article 24 GDPR and Article 32 GDPR after a serious ransomware attack led to highly sensitive personal data being irreparably lost and sold on the dark web.

English Summary

Facts

In early 2021, a Norwegian municipality (Østre Toten kommune) realized they had been exposed to a serious ransomware attack that locked employees out of key IT systems. Data had been encrypted and backups deleted.

About 30,000 documents were affected by the breach, including information about ethnic origin, political opinion, religious belief, trade union membership, sex life/sexual orientation, health, pedagogical diagnosis, birth number, electronic ID and bank account. About 2,000 documents were later found for sale on the dark web. In total, about 160 GB of data was extracted and a large amount of data was irreparably lost.

The technical investigation revealed that the municipality had severe deficiencies in their IT systems and processes, including unsecured back-ups and the lack of two-factor authentication and proper log management. The criminals had likely gained access to the infrastructure through remote access solutions, combined with stolen login credentials which were likely obtained through phishing scams directed at the municipality's employees (about ten email addresses and passwords belonging to employees were discovered during the investigation).

The municipality notified the DPA about the breach and kept its inhabitants continuously informed. It also began comprehensive work to establish routines for processing personal data and for data breach management.

Holding

The Norwegian DPA found that the municipality had neither protected personal data sufficiently, nor had proper internal controls in place, in breach of Articles 5(1)(f), 24 and 32, cf. the Personal Data Act § 26(1).

For this, the Norwegian DPA proposed a fine of €409,768 (NOK 4,000,000) against the municipality, pending comments from the municipality. In addition, the DPA instructed the municipality to establish and implement an appropriate information security management system, and to conduct (and document) risk assessments for all key systems in its infrastructure with the aim of identifying the need for risk-reducing measures.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 ØSTRE TOTEN MUNICIPALITY
 PO Box 24

 2851 LENA








Their reference:
Our reference: 21/00480-10
Date: 18.10.2021



Notification of decisions on infringement fines and orders


Reference is made to Østre Toten municipality's advance notice and notification of a breach of
personal data security dated 22.01.2021, as well as subsequent additional messages.

The non-conformance report stated that Østre Toten had been exposed to an extensive
data attack. The attack was discovered on 09.01.2021 when a number of professional systems were
unavailable.

In a letter dated 05.05.2021, we asked Østre Toten municipality for an account of the case. The municipality
responded to the inquiry in a letter dated 02.06.2021.

The Norwegian Data Protection Authority is aware that Østre Toten municipality has had close contact with
relevant security authorities in connection with the case. The matter has also been reported to the police.

The municipality has otherwise given us frequent status updates during the subsequent and
ongoing investigation work.


 1. Notification of decisions on infringement fines and orders
The Data Inspectorate takes the matter very seriously. We have come to the conclusion that Østre Toten municipality must
be notified of the following decisions:


        Pursuant to Article 58(2)(i) of the Privacy Ordinance, cf.
        the Personal Data Act § 26 and the Patient Records Act § 29, Østre Toten
        municipality is ordered to pay an infringement fee of NOK 4,000,000 (four million
        Norwegian kroner) to the Treasury for violation of the requirements for security and
        internal control in the processing of personal data, cf. the Privacy Ordinance,
        Article 32 and Article 24, cf. the Personal Data Act § 26 first paragraph. Among other
        things, the municipality lacked two-factor authentication at login, adequately
        secured backup systems and logging of important events in its network.




        Østre Toten municipality is ordered to establish and document that a suitable management system
        for information security and personal data security has been implemented, cf.
        Article 58 (2) (d) of the Privacy Regulation. As part of this work,
        the municipality is required to carry out risk and vulnerability analyses for all key
        systems / solutions in the infrastructure, for the purpose of identifying the need for
        risk-reducing measures. The analyses must be documented in the management system.

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO.
Telephone: 22 39 69 00. Org.nr: 974 761 467. Homepage: www.datatilsynet.no


 2. Detailed description of the security breach and subsequent measures
On the night of 09.01.2021, Østre Toten municipality was exposed to a comprehensive ransomware attack.
As a consequence, employees no longer had access to the municipality's IT systems, the municipality's
data had been encrypted and backups deleted. A ransom note was found in a number of
locations.

The municipality has estimated that approx. 30,000 documents are affected by the attack. The documents
contained information on, among other things, ethnic origin, political opinion, religious beliefs,
union membership, sexual relations, health conditions, educational diagnoses,
birth number, MinID and bank account.

In an additional report submitted on 31.03.2021, it appears that the investigation following the attack
has revealed that data extracted during the attack was published on the dark web.
These are several types of documents that contain different types of personal information,
and it is reasonable to assume that these documents also contained special categories of
personal information about the municipality's residents and / or employees. According to the municipality's
estimates, approx. 2,000 documents have been published.

On 18.01.2021, KPMG was involved in the investigation to provide technical assistance. KPMG found,
among other things, that data from Østre Toten municipality's Exchange server was probably exfiltrated to
an IP address in the Netherlands. Review of network logs shows that a total of
31.5 GB of data was transferred. Furthermore, the threat actor had exported a large number of mailboxes from
the Exchange server. In total, mailboxes and other files make up approx. 160 GB of data. The threat actor
has had administrator access to all computers, and all files from the servers that were examined
may in principle have been exfiltrated.

On 30.03.2021, Østre Toten municipality and KPMG became aware that the threat actor
had published stolen data on the dark web.

Upon reviewing the leaked data material, KPMG found information indicating that
the threat actor had had access to the municipality's infrastructure earlier than first assumed. The IT
department in the municipality quickly identified a server from which most of the leaked
information most likely originated (1,456 of 1,879 published files). It is
not certain how much data was exfiltrated from this server. The report from KPMG
states that this uncertainty was primarily due to the lack of network logs going back in
time.

In collaboration with an external party, Atea IRT retrieved the available log from Østre Toten
municipality's firewall. The log showed, among other things, that the traffic logs only covered
the period from 06.01.2021 to 09.01.2021. There was uncertainty about the quality and coverage of
the traffic logs, and there was only limited logging of activity between internal zones in
the network. Lack of logging made it difficult to determine where the exfiltrated data
originated.

The municipality's firewall was configured to send logs (syslog) to a server, but
the storage part of this server was not running, probably due to a hardware failure.

Furthermore, the firewall was sparsely configured for logging and a lot of internal traffic
was never logged. Servers were not configured to send logs to a central log receiver and
also lacked logging of important events. There was no centralized collection of logs,
neither from servers, clients nor network equipment.

Backup systems were deleted, which was a significant negative factor in the work to
restore operation (availability) of the affected systems. The municipality lacked
protection of backups against intentional and unintentional deletion, tampering and reading,
which is crucial for good information and personal data security. Servers were
also encrypted, which meant that the technical investigations were initially based only
on the firewall logs from the period 06.01.2021 to 09.01.2021.

While the firewall logs provided a good overview of traffic to and from the internet, they provided limited
insight into internal traffic in the municipality's IT infrastructure. This was due to both the configuration of
the firewall (inadequate logging) and the network topography (inadequate segmentation of
the network).

The initial attack vector is unknown. KPMG points out in its report that firewall logs for the whole
period the threat actor has been active in the infrastructure would probably have helped to
uncover the attack vector. It is also likely that system logs from multiple machines could
have compensated for missing firewall logs.

The technical investigations revealed that it is very likely that the threat actor gained
access to the infrastructure via remote access solutions such as RDP, Citrix, VPN or Teamviewer in
combination with the use of stolen login details.

Østre Toten municipality did not use two-factor authentication to log in to its systems before
the incident. Utilization of stolen login details would therefore be very easy, provided that
the municipality exposed remote access solutions where compromised login information would
have given access. Alternatively, the threat actor may have used methods of social manipulation, for
example via email, and tricked a user into installing malware that gave the threat actor
the necessary foothold.

KPMG identified a dozen e-mail addresses and passwords belonging to employees of Østre Toten
municipality whose login details had been leaked in various ways.

The municipality notified the inhabitants of the data attack. Information about the attack and the ongoing
investigation process was also continuously posted on the municipality's website.

The municipality started extensive work to prepare good routines for the processing of
personal data and non-conformance handling.

 3. Legal basis
The Norwegian Data Protection Authority monitors compliance with the privacy regulations, cf.
Article 57 of the Regulation.


3.1 The basic principles
The basic principles for the processing of personal data are set out in
Article 5 of the Privacy Regulation. We refer in particular to Article 5 (1) (f), which
reads:

        «1. Personal information shall (…)
           f) be processed in a manner that ensures sufficient security for the personal data,
              including protection against unauthorized or unlawful processing (…), using appropriate
              technical or organizational measures ("integrity and confidentiality")».

It is the responsibility of the data controller to ensure that the principles are complied with, and
the data controller must be able to demonstrate this, cf. Article 5 (2).


3.2 The requirements for personal data security and management systems
Article 32 of the Privacy Regulation regulates the security requirements when processing
personal information. The following is an excerpt from the relevant sections of Article 32:

        «1. Taking into account the technical development, implementation costs and
        the nature, scope, purpose and context of the processing, as well as the risks of
        varying degrees of probability and severity for the rights and freedoms of natural
        persons, the data controller and the data processor shall implement appropriate
        technical and organizational measures to achieve a level of security that is appropriate
        to the risk, including, inter alia, as appropriate, (…)
           b) the ability to ensure lasting confidentiality, integrity, availability and
              robustness in processing systems and services (…).

        2. In assessing the appropriate level of security, special consideration shall be given to the risks
        associated with the processing, in particular as a result of (…) unauthorized disclosure of
        or access to personal information that has been transferred, stored or otherwise
        processed».

The obligation to implement appropriate technical and organizational measures is correspondingly stated in
Article 24 of the Privacy Regulation, which regulates the liability of the controller
separately.

3.3 In particular on the imposition of infringement fines
It follows from Article 58 no. 2 letter i of the Privacy Ordinance, cf. the Personal Data Act § 26 second
paragraph, that the Data Inspectorate may impose on public authorities and bodies
an infringement fine under the rules of the Privacy Ordinance Article 83 in case of violation of
the regulations. Violation fees are a tool to ensure effective compliance with and
enforcement of the privacy regulations.

In accordance with the Supreme Court's practice, cf. Rt. 2012 page 1556, we assume that
infringement fines are to be regarded as penalties under the European Convention on Human Rights
Article 6. A clear preponderance of probabilities for offenses is therefore required in order to be able to impose
a fee.

Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision
contains, among other things, an overview of which aspects are to be taken into account, both in
the assessment of whether an infringement fee is to be imposed and in determining the amount of the fee.

The relevant parts of Article 83 (1) and (2) are reproduced below:


        «1. Each supervisory authority shall ensure that the imposition of infringement fines in accordance with
        this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is in each
        individual case effective, proportionate to the violation and
        deterrent.

        2. (…) When a decision is made on whether to impose an infringement fee and
        on the amount of the infringement fee, due account must be taken in each individual case of
        the following:
           a) the nature, severity and duration of the infringement, taking into account
              the nature, scope or purpose of the processing concerned as well as the number of data subjects
              affected, and the extent of the damage they have suffered,
           b) whether the infringement was committed intentionally or negligently,
           c) any measures taken by the data controller or data processor to
              limit the damage suffered by the data subjects,
           d) the degree of responsibility of the data controller or data processor, taking into
              account the technical and organizational measures they have implemented in accordance with
              Articles 25 and 32,
           e) any relevant previous violations committed by the data controller
              or the data processor,
           f) the degree of cooperation with the supervisory authority to remedy the infringement and
              reduce the possible negative effects of it,
           g) the categories of personal data affected by the infringement,
           h) the manner in which the supervisory authority became aware of the infringement, in particular
              whether, and if so to what extent, the data controller or data processor has
              notified the infringement, (…)
           k) any other aggravating or mitigating factor in the case, e.g. economic
              benefits gained, or losses avoided, directly or indirectly, as a
              consequence of the infringement».

Article 83 also sets out the framework for the magnitude of the infringement fine. In this
connection, we refer to Article 83, paragraphs 4 and 5. The relevant parts of the provisions are:




        «4. In the event of violations of the following provisions, an infringement fine of up to
        EUR 10,000,000 (…) shall be imposed in accordance with paragraph 2:
           (a) the obligations of the controller and the processor in accordance with
              Articles 8, 11, 25-39 and 42 and 43 (…)».

        «5. In the event of violations of the following provisions, an infringement fine of up to
        EUR 20,000,000 (…) shall be imposed in accordance with paragraph 2:
           (a) the basic principles of processing, including conditions for consent,
              pursuant to Articles 5, 6, 7 and 9 (…)».

Section 26, first paragraph, of the Personal Data Act states that Article 83 (4) of the Privacy Ordinance
shall apply mutatis mutandis to infringements of Article 24 of the Regulation.

 4. The Norwegian Data Protection Authority's assessment

As stated above, there were major shortcomings in Østre Toten's personal data security.
The shortcomings are related to logging, backup and lack of two-factor authentication. This
shows both a weakness in the municipality's ability to identify hacker attacks and deficient
information security in the system. This in itself constitutes a breach of the requirements for
personal data security in Article 32 of the Privacy Ordinance, cf. Article 24.

The attack on Østre Toten municipality is particularly serious because it has affected all
municipal data. We take very seriously that control over personal information about
the municipality's residents and employees has been completely lost through the data attack.
Information is shared on the dark web to an unknown extent.

The fact that backup systems were deleted was a significant negative factor in the work of restoring
operation (availability) of the affected systems. That Østre Toten municipality had not protected
backups against intentional and unintentional deletion, manipulation and reading was a significant
shortcoming in the municipality's management system for information and personal data security.

KPMG and Østre Toten municipality have pointed out that the firewall was poorly configured with regard
to logging. A lot of internal traffic was never logged, and the servers were not configured to send
logs to a central log receiver. It is pointed out that the reason is both the configuration of the firewall
(inadequate logging) and the network topography (inadequate segmentation of the network). We
consider this a fundamental weakness in the municipality's information security which in
itself constitutes a breach of the Privacy Regulation Article 32, cf. Article 24.

As a result of inadequate information security measures, combined with management's and
employees' lack of awareness of possible security threats and computer attacks, Østre Toten
municipality has violated the basic principle of the duty to safeguard the
confidentiality and integrity of information, cf. the Privacy Ordinance Article 5 No. 1 letter f.


4.1 Assessment of whether an infringement fee is to be imposed
The Norwegian Data Protection Authority has concluded that the municipality has violated the Privacy Ordinance
Article 32, cf. Article 24, and Article 5 No. 1 letter f.

Below we review the factors that we consider relevant for the assessment of whether
infringement fines must be imposed.

(a) the nature, gravity and duration of the infringement, taking into account
the nature, extent or purpose of the processing concerned and the number of data subjects affected, and
the extent of the damage they have suffered
All the municipality's data is affected by the attack, including special categories of personal information
and information on children, both of which are entitled to special protection. The data is lost to
the municipality and shared to an unknown extent on the dark web. It is thus impossible to prevent
further sharing or compromise of personal information, which makes the case particularly
serious.

b) whether the infringement was committed intentionally or negligently
The Data Inspectorate assumes that Østre Toten municipality, through the councilor as chief executive, has
acted negligently by failing to ensure adequate personal data security and
internal control in the municipality.

c) any measures taken by the data controller or data processor to limit
the damage suffered by the data subjects
The municipality quickly reported to relevant actors, such as the police and the supervisory authority, after
the discrepancy was discovered. With external assistance, the municipality has done its utmost to follow up
the case and prevent further adverse effects.

Furthermore, the municipality quickly took measures to notify the inhabitants of the data breach. The municipality
has also continuously posted information on the municipality's website.

The municipality has begun work on preparing good routines for the processing of
personal data and non-conformance handling.

d) the degree of responsibility of the data controller or data processor, taking into account
the technical and organizational measures they have implemented in accordance with Articles 25 and 32
Østre Toten municipality has had fundamental shortcomings in its personal data and
information security and internal control work. Due to these shortcomings,
the integrity and confidentiality of all personal information about the municipality's inhabitants
and employees have been compromised.

f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce
the possible negative effects of it
The municipality quickly reported to the supervisory authority and has subsequently cooperated fully in this
spring's case processing, including through ongoing updates.


g) the categories of personal data affected by the infringement
Special categories of personal information and personal information about children are affected by
the data attack. It is also likely that such information is shared on the dark web.






h) in what way the supervisory authority became aware of the infringement, in particular whether, and if so
the extent to which, the data controller or data processor has notified
the infringement
The municipality itself reported the deviation, in line with the reporting obligation under the Privacy Ordinance
Article 33. The discrepancy was first reported orally, but additional information was provided in writing
within a reasonable time.

Conclusion

As mentioned, the Data Inspectorate takes the discrepancy very seriously as the control over all data in
the municipality is lost. This includes special categories of personal information and information
about children, who according to the privacy regulations have special protection. Personal information is shared
on the dark web, making it impossible to foresee the consequences of the discrepancy.

We assume that the municipality has had fundamental shortcomings in its personal data and
information security and internal control work. We have come to the conclusion that the municipality has broken
Article 32, cf. 24 of the Privacy Regulation, and also the basic principle of integrity
and confidentiality in Article 5 (1) (f).

On this basis, we have come to the conclusion that an infringement fee should be imposed on
Østre Toten municipality, cf. Article 83 nos. 4 and 5, cf. also the Personal Data Act § 26.

4.2 Measurement of the fee
In assessing the size of the fee, we have taken into account that the data attack could occur as a result of
very basic shortcomings in the municipality's personal data and information security
system. The municipality has not established or carried out internal control in a way that has been
suitable for capturing these security holes. This in itself is very serious.

The data attack has also meant that all of the municipality's data has been compromised and lost for
the future. We assume that the attack has led to the spread of some very
sensitive personal data on the dark web. This could be serious for
the individual data subjects, but also has extensive consequences for the municipality's ongoing operations.
This is also an aggravating factor in the case.

This case illustrates how serious the consequences of a computer attack can be and how important
it therefore is to have a robust infrastructure and adequate protection against security attacks
from the outside.

As a result of the data attack, Østre Toten municipality has had to spend large sums to
restore a functioning IT system and ensure satisfactory information security.
This work has not been completed. According to information in the media [1], the data attack has so far cost
the municipality over kr. 32,000,000. This is necessarily a huge financial burden for a
municipality with almost 15,000 inhabitants. The municipality's financial situation is a factor
which will be important for our measurement of the fee, cf. the Privacy Ordinance Article 83 no. 2
letter k.

[1] https://aktuellsikkerhet.no/cybersikkerhet-datainnbrudd-it-sikkerhet/ostre-toten-kommune-dataangrepet-har-
Cost-us-more-than-32-million / 700321
 https://www.ssb.no/kommunefakta/ostre-toten

It speaks in the municipality's favor that they themselves reported the deviation to the Data Inspectorate and have been very
cooperative afterwards. The municipality has also done its utmost to provide good information
to the inhabitants.


In the event of a breach of basic principles regarding the processing of personal data and requirements for
personal data security, the starting point is that an infringement fee will be high. We have
nevertheless emphasized that the municipality has already spent significant sums on restoring and
improving IT systems and personal data security, which has put Østre Toten
municipality in a difficult financial situation. The municipality's extensive work towards
supervisory authorities, police and residents / employees after the discrepancy was discovered shall
also have some bearing on the size of the infringement charge.

The Norwegian Data Protection Authority has come to the conclusion that an infringement fee of NOK 4,000,000 is
reasonable in this case.

In our assessment, the amount reflects both the seriousness of the offense, the municipality's financial
situation after the attack and the municipality's extensive work afterwards. Without these conditions,
the fee would be set significantly higher.


4.3 Assessment of whether an order should be issued
Security in the processing of personal data, including information security, is
overall a management responsibility. The performance of tasks can be delegated, but not the responsibility. As
tools to achieve effective technical and organizational measures, management must ensure that
there are management systems for personal data security as part of
the internal control system and the business control.

The current case shows major shortcomings in Østre Toten municipality's work on
information security. The shortcomings have had very serious consequences in the form of the loss of all of
the municipality's data through a data attack.

Based on this, we have found a basis for giving Østre Toten municipality the following order:

        Østre Toten municipality is required to establish and document that a suitable management system
        for information security and personal data security has been implemented, cf.
        Article 58 (2) (d) of the Privacy Ordinance. As part of this work,
        the municipality is required to carry out risk and vulnerability analyses for all key
        systems / solutions in the infrastructure, for the purpose of identifying the need for
        risk-reducing measures. The analyses must be documented in the management system.


 5. Further proceedings
This is a prior notice of a decision on an infringement fee and order, cf. the Public Administration Act
§ 16.





If you have any comments on the notification letter, please send them to us within three weeks
of receipt of this letter.

If you have any questions, you can contact caseworker Susanne Lie (tel. 22 39 69 57)
or Kristine Stenbro (tel. 22 39 69 55).



With best regards


Bjørn Erik Thon
director

Susanne Lie
senior legal adviser

The document is electronically approved and therefore has no handwritten signatures


COPY TO: ØSTRE TOTEN MUNICIPALITY, Sigve Hassel