Datatilsynet - 2019-441-1578

From GDPRhub
Datatilsynet - 2019-441-1581
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 34 GDPR
Type: Data Breach Notification
Outcome: Order
Decided:
Published: 18.12.2019
Fine: n/a
Parties: nemlig.com A/S
National Case Number/Name: 2019-441-1581
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DK)
Initial Contributor: {{{Initial_Contributor}}}

The Danish Data Protection Authority (Datatilsynet) decided on two similar cases regarding the notification requirements in the case of a personal data breach, 2019-441-1581 and 2019-441-1578.

Both cases regarded insufficient access controls on a web based reporting service. In both cases, the information regarding customers’ orders were freely available online. Datatilsynet emphasized that the decision to not inform data subjects about a personal data breach pursuant to Article 34 was based on an insufficient assessment.

English Summary[edit | edit source]

Facts[edit | edit source]

By accessing the webpage, choosing “Find Box From Order” and filling out a valid order ID, the personal information regarding that order was made available. The format of the order ID was a ten-digit number. The information included the name of the customer, address, customer ID and the content of the order. The webpage was not linked to from the main pages of nemlig.com. No unauthorized access was found according to the server logs going back seven days. However, the system was online from 2016 until January 2019.

Dispute[edit | edit source]

The question for the DPA to decide was whether the data breach constituted a high risk to the rights and freedoms of natural persons pursuant to Article 34(1) GDPR.

Holding[edit | edit source]

The Danish DPA found that Nemlig did not go through with a proper assessment pursuant to Article 34(1), as it had not considered the risks that some of the addresses could be secret/protected. In the view of the DPA, those addresses entailed a high risk for the rights of the data subject. The DPA did not do an assessment in the concrete with regards to if any secret addresses had actually been exposed. However, the DPA found due to the high number of addresses being publicly available that the probability was high that such information was included.

The Danish DPA particularly highlighted the lacking server log, that the URL did not provide any security by obfuscation, and that the ten-digit number did not act as a protection when there were over 250 000 customers combined, and that several of them had more than one order.

Nemlig’s privacy assessment instead relied on the fact that none of the data subjects had reported that their rights had been infringed. As assessed by the DPA, it would be unlikely that a data subject living on a protected address would be able to connect an infringement to their order in that particular web shop.

In addition, the DPA criticized Nemlig for only evaluating the privacy risks going forward, rather than the security risk the exposed information had been for years. As noted, the purpose of the notification of a security risk is to give the data subject specific information about which steps they can take going forward to protect themselves against any potential consequences of the personal data breach.

Comment[edit | edit source]

See also decision 2019-441-1578

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Violations of the personal data security at nemlig.com A / S
Published 18-12-2019
Decision Private companies

The Danish Data Protection Agency gave orders to inform the data subjects after a breach of the personal data security.

Journal number: 2019-441-1578
Summary

The Data Inspectorate has dealt with a total of two related cases of breaches of personal data security ( see the decision in the second case here ). In both cases, the data controllers had considered that the data subjects should not be notified. The information was primarily name, contact and address information and purchase history.

As there were a significant number of data subjects (more than 250,000) and since the data controllers had not assessed the risk separately for the subset of data subjects who may have a secret or omitted address, the Data Inspectorate conducted an assessment of the risk for this group of data subjects. . When the Authority assessed the risk of these data subjects to be high, the Data Protection Authority instructed the data controllers to notify the data subjects who may have a secret or omitted address.

The decision states that even in otherwise homogeneous processing of information, which generally does not have a high risk profile, there may be conditions for the individual data subject which carries a high risk. The risk assessment carried out by the data controller - whether or not to be notified - must reflect such individual circumstances.
Decision

The Data Inspectorate hereby returns to the case where Nemlig.com A / S (hereafter "Nemlig") has on 21 January 2019 reported a breach of the personal data security to the Danish Data Protection Agency.
1. Decision

After a review of the case, the Data Inspectorate finds a basis for notifying Nemlig the order to notify the data subjects who may have a secret or omitted address. The order is granted pursuant to Article 58 ( 1) of the Data Protection Regulation [1] . 2 (e).

The content of the notification must comply with the requirements of Article 34 of the Data Protection Regulation, and thus describe in a clear language the nature of the breach of personal data security and at least contain the information and measures referred to in Article 33 (2). 3 (b), (c) and (d).

The deadline for compliance is January 7, 2020 . The Danish Data Protection Agency must request confirmation by the same date that the order has been complied with, together with an anonymized version of the notification. According to section 41 (1) of the Data Protection Act. Paragraph 2 (5) shall be punishable by a fine or imprisonment for up to 6 months to a person who fails to comply with an order issued by the Data Inspectorate pursuant to Article 58 (2) of the Data Protection Regulation. 2 (e).

The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.
2. Case making

It appears from the case that insufficient access control has been established on a web-based reporting service, so customer order information has been available on the Internet. These are approximately. 250,000 customers at Nemlig. As the notification of the breach of the personal data security has been made by Nemlig and with regard to the other information in the case - in particular that Nemlig determines the purpose and means of the processing - Nemig is considered to be the data controller.

Nemlig stated that by going to http://xxx.xxx.xxx.xxx and selecting 'Find Box From Order' and entering valid order number, access to the specific customer's name, address, customer number and the contents of the the order in question. The functionality was not available from main.com pages.

On the Danish Data Protection Agency's request regarding the possible processing of secret addresses, Nemlig stated that a delivery address is an absolute necessity for the delivery of goods to the customers. Nemlig, does not detect if an address is secret, as it is irrelevant. Against this background, the risk assessment did not include an assessment of whether secret addresses were included.

Nemlig, stated that in order to get a valid order, one must have knowledge of what a valid order number looks like, know the number of digits in the number, and know which number series are valid. Without this, no data will appear. There are no fields or anything from which to infer information about the format of order numbers. It was possible to try it until you hit a valid order number.

In addition, Nemlig stated that at the time of the incident, server logs were available 7 days back, and these were used to establish that during the period there was no unauthorized access to customer data on the web server.

According to Nemlig, the cleanup after the breach consisted of a tightening of the firewall rules so that the web server was no longer accessible from outside.

It follows from Nemlig's notification of the breach that the data subjects concerned will not be notified and the reasons for this are:

    The breach does not entail a high risk of the rights or freedoms of the persons concerned.
    Sufficient technical and organizational security measures have been implemented to remedy the incident.
    Measures taken by the data controller that justify failure to notify the persons concerned are: Ensuring that all external access to the service is no longer possible, and testing and validation of internal access. 

It is apparent from the case that on January 24, 2019, an assessment was made as to whether Nemlig is obliged to notify the data subjects pursuant to Article 34 of the Data Protection Regulation.

Fact

Please refer to the documentation forms for the security breach Annexes 3 and 4 (sent to X on January 21, 2019), which are attached to this assessment, and which are the basis of the assessment, including that the internal access to the web-based reporting service has been closed at the latest. on Tuesday, January 22, 2019.

Obligation to notify the registered (customers) pursuant to GDPR art. 34?

It follows from GDPR art. 34 that Nemlig and Intervare as data controllers in case of security breach is obliged to notify the data subjects (customers) if the security breach is likely to involve a high risk for the data subjects (customers) rights and freedoms. Considering that:

    only ordinary personal information (and non-sensitive personal information) such as the name, address and purchase of the specific order - and only by entering a specific order number, which one must guess or otherwise possess - has been available,
    Nemlig, and Intervare have not found that there has been any unusual traffic on the web-based reporting service, 

    Nemlig, and Interware has not established via log or otherwise that the access to the web service has been used unauthorized, 

    None of the data subjects have informed Nemlig and / or Intervare that they have experienced that their rights or freedoms have not been infringed during the period during which unauthorized access has been possible, 

    There is no indication that the breach of security has had consequences for the data subjects, 

    Due to the above, it is not likely that unauthorized access has been used and that there has not been a high risk of customer rights and freedoms, and 

    Nemlig and Intervare immediately after finding the security breach has taken the necessary organizational and technical measures (closed to external firewall access and access control is established on each report service), cf. GDPR Art. 34, 3 (b), 

it is our opinion that Nemlig and Intervare are not required to notify the data subjects pursuant to the GDPR art. 34, 1.
3. Justification for the Danish Data Protection Agency's decision

As a result of the notification from Nemlig, the Data Inspectorate assumes that a personal data breach has been breached.

The Data Inspectorate does not consider that an assessment has been carried out in accordance with Article 34 (2) of the Data Protection Regulation. 1 of the risk to the rights of the data subjects. The Data Inspectorate has hereby emphasized in particular the following.

It does not appear that Nemlig has assessed the risk of the individual addresses being secret / protected. Secret / protected addresses, in the opinion of the Data Inspectorate, constitute confidential personal data and an unintended exposure of such information could potentially have serious consequences for the rights of the data subjects. Given the high number of data subjects, the Data Inspectorate is of the opinion that the breach of security is very likely to affect someone where exposure of their address could have a high consequence, and thus the Data Protection Authority considers that the breach poses a high risk to these data subjects.

Nemlig, the risk assessment emphasizes that no unusual traffic or unauthorized use of the access has been identified. In this connection, a log is referred to. The Danish Data Protection Agency understands the circumstances so that the log shows only uses of the access for the last 7 days. The Data Inspectorate does not find that 7 days of logging - beyond one week - can in any way substantiate whether unauthorized access to the information has been made available through the Internet from 2016 to January 2019.

The Data Inspectorate does not find that the format of the Internet address (URL) is so unique that this in itself provides some protection against unauthorized use. Furthermore, the Authority does not find that a lack of knowledge of the format of a valid order number provides any protection, as it was possible to try without limiting the number of attempts. Furthermore, more orders per customer and over a quarter of a million customers (Nemlig and Interware's customers in total) offer many opportunities to hit correctly on a 10-digit order number.

The Internet address (URL) that could be used from the Internet (http://xxx.xxx.xxx.xxx) does not in itself indicate whether the transmission of personal data occurred with or without the use of encryption. The Data Inspectorate finds that such an aspect should have been included in the risk assessment when the breach includes the possible transmission of confidential personal data over the Internet - including by employees' authorized use of the web-based reporting service.

Nemlig, the risk assessment emphasizes that none of the data subjects have notified Nemlig and / or Intervare that they have experienced that their rights or freedoms have not been violated during the period when unauthorized access has been possible. The Data Inspectorate assumes that this is a typo, and it is believed that none of the data subjects has stated that their rights have been violated during the period of the breach.

However, Nemlig cannot expect that a data subject who experiences misuse of a secret address information will necessarily be able to associate this with specifically Nemlig's processing of the address. The address can be registered with several private companies and public authorities. Furthermore, the customer may not necessarily remember that Nemlig is in possession of the address, e.g. if the customer has not shopped at Nemlig since 2016. Finally, address information may have been retrieved by unauthorized persons for abuse at a much later date.

Nemlig, it stated that the data subjects will not be notified and this is justified by measures relating to the closure of the unauthorized access. This is repeated in the risk assessment, which also refers to Article 34 (1) of the Data Protection Regulation. 3 (b).

The Data Inspectorate should note that Article 34 (2) does. 3, points to the data subjects referred to in subsection (3). 1 and it addresses the data subjects for whom the breach involves a risk. The primary purpose of notifying people of security breaches is to provide them with specific information on what precautions they should take to protect themselves from potential consequences of the breach. [2]

The risk assessment should concern those affected by the breach. The described measures implemented by Nemlig are only forward-looking and therefore will not change the risk that the breach has already posed for a number of years and may still pose for the data subjects affected by the breach. Thus, if some of the registered personal data has come to the attention of unauthorized persons, the risk remains unchanged from the measures described and the measures do not mean that the high risk to the data subjects' rights and freedoms is no longer real.

The Data Inspectorate does not consider that Nemlig can not notify the data subjects with reference to Article 34 (2). 3 (b), as the conditions are not considered to be fulfilled.

In view of the above, the Data Inspectorate considers that Nemlig must have performed a new assessment of the risks that the breach of personal data security poses for the rights and freedoms of the data subjects.

Not having already informed the data subjects of the breach of the personal data security, the Data Inspectorate has, in the circumstances described in the case, considered the likelihood that the breach of the personal data security poses a high risk, cf. Article 34 (2) of the Data Protection Regulation. 4. On this basis, the Authority has decided to give the data controller nemlig.com A / S an order, cf. Article 58 (2). 2 (e) to notify the data subject concerned who may have a secret or omitted address. If registrants with secret / omitted addresses cannot be identified, all concerned (approximately 250,000) will be notified.

The notification shall comply with the requirements of Article 34 of the Data Protection Regulation and thus describe in a clear language the nature of the breach of the personal data security and at least contain the information and measures referred to in Article 33 (2). This means, inter alia, that if confidential personal data has been transmitted over the Internet without the use of encryption, this must be included as part of the description of the nature of the breach.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC (general data protection regulation).

[2] See Pre-Template Recital 86 of the Data Protection Regulation and Article 29 of the "Guidelines on notification of personal data breach pursuant to Regulation 2016/679" (WP250 rev.01).