Datatilsynet - 2019-441-1581
|Datatilsynet - 2019-441-1581|
|Relevant Law:||Article 34 GDPR|
|Type:||Data Breach Notification|
|National Case Number/Name:||2019-441-1581|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in DK)|
The Danish Data Protection Authority (Datatilsynet) decided on two similar cases regarding the notification requirements in the case of a personal data breach, 2019-441-1581 and 2019-441-1578.
Both cases regarded insufficient access controls on a web based reporting service. In both cases, the information regarding customers’ orders were freely available online. The Danish DPA emphasized that the decision to not inform data subjects about a personal data breach pursuant to Article 34 was based on an insufficient assessment. The controller was ordered to notify the affected data subjects.
By accessing the webpage, choosing “Find Box From Order” and filling out a valid order ID, the personal information regarding that order was made available. The format of the order ID was a ten-digit number. The information included the name of the customer, address, customer ID and the content of the order. The webpage was not linked to from the main pages of nemlig.com. No unauthorized access was found according to the server logs going back seven days. However, the system was online from 2016 until January 2019.
The question for the DPA to decide was whether the data breach constituted a high risk to the rights and freedoms of natural persons pursuant to Article 34(1) GDPR.
The Danish DPA found that Intervare did not go through with a proper assessment pursuant to Article 34(1), as it had not considered the risks that some of the addresses could be secret/protected. In the view of the DPA, those addresses entailed a high risk for the rights of the data subject. The DPA did not do an assessment in the concrete with regards to if any secret addresses had actually been exposed. However, the DPA found due to the high number of addresses being publicly available that the probability was high that such information was included.
The Danish DPA particularly highlighted the lacking server log, that the URL did not provide any security by obfuscation, and that the ten-digit number did not act as a protection when there were over 250 000 customers combined, and that several of them had more than one order.
Intervare’s privacy assessment instead relied on the fact that none of the data subjects had reported that their rights had been infringed. As assessed by the DPA, it would be unlikely that a data subject living on a protected address would be able to connect an infringement to their order in that particular web shop.
In addition, the DPA criticized Intervare for only evaluating the privacy risks going forward, rather than the security risk the exposed information had been for years. As noted, the purpose of the notification of a security risk is to give the data subject specific information about which steps they can take going forward to protect themselves against any potential consequences of the personal data breach.
With regards to Intervare specifically, the DPA noted that the services were targeted towards senior citizens who could not purchase goods by themselves. If it could be understood from the order information that it concerned a senior citizen and that the time of delivery was available, it could potentially be misused to gain access to their home. As such, it concerned a high risk for the data subject, something Intervare did not account for in the risk assessment.
See decision 2019-441-1578
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the ***LANGUAGE*** original. Please refer to the ***LANGUAGE*** original for more details.
Violation of the personal data security at Intervare A / S Published 18-12-2019 Decision Private companies The Danish Data Protection Agency gave orders to inform the data subjects after a breach of the personal data security. Journal number: 2019-441-1581 Summary The Data Inspectorate has dealt with a total of two related cases of breaches of personal data security ( see the decision in the second case here ). In both cases, the data controllers had considered that the data subjects should not be notified. The information was primarily name, contact and address information and purchase history. As there were a significant number of data subjects (more than 250,000) and since the data controllers had not assessed the risk separately for the subset of data subjects who may have a secret or omitted address, the Data Inspectorate conducted an assessment of the risk for this group of data subjects. . When the Authority assessed the risk of these data subjects to be high, the Data Protection Authority instructed the data controllers to notify the data subjects who may have a secret or omitted address. The decision states that even in otherwise homogeneous processing of information, which generally does not have a high risk profile, there may be conditions for the individual data subject which carries a high risk. The risk assessment carried out by the data controller - whether or not to be notified - must reflect such individual circumstances. Decision The Data Inspectorate hereby returns to the case where Intervare A / S (hereinafter "Intervare") has on 21 January 2019 reported a breach of the personal data security to the Danish Data Protection Agency. 1. Decision After reviewing the case, the Data Inspectorate finds a basis for notifying Intervare of notifying the data subjects who may have a secret or omitted address . The order is granted pursuant to Article 58 ( 1) of the Data Protection Regulation  . 2 (e) . However, all affected data subjects who are specifically Intervare's customers must be notified (whether they have a secret / omitted address or not) if they could be identified from the information for which there was unauthorized access. The content of the notification must meet the requirements of Article 34 of the Data Protection Regulation, and thus describe in a clear language the nature of the breach of the personal data security and at least contain the information and measures referred to in Article 33 (2). 3 (b), (c) and (d). The deadline for compliance is January 7, 2020 . The Danish Data Protection Agency must request confirmation by the same date that the order has been complied with, together with an anonymized version of the notification. According to section 41 (1) of the Data Protection Act. Paragraph 2 (5) shall be punishable by a fine or imprisonment for up to 6 months to a person who fails to comply with an order issued by the Data Inspectorate pursuant to Article 58 (2) of the Data Protection Regulation. 2 (e). The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision. 2. Case making In the case, reference is made to information collected in the case with the Danish Data Protection Agency's ref. 2019-441-1578, where.com A / S (hereinafter "Namely") was consulted about the same security breach. Thus, two reviews have been made concerning the same incident, but where the incident has affected customers of both Namely and Intervare. Both reviews were made by the same person - CFO of Namely, X - who is also listed as the contact person for both reviews. In the response to the hearing in the case 2019-441-1578, Namely has included approx. 16,000 customers at Intervare. Namely, the internal registration of the breach and risk assessment carried out by Bech-Bruun Advokatpartnerselskab also included the approx. 16,000 customers at Intervare. The Data Inspectorate therefore assumes that the answers in the case with jnr. 2019-441-1578 is also given on behalf of Intervare. It appears from the case that insufficient access control has been established on a web-based reporting service, so customer order information has been available on the Internet. These are approximately. 16,000 customers at Intervare. Since the notification of the breach of the personal data security was made by Intervare and taking into account the other information in the case - in particular that Intervare determines the purpose and means of the treatment - Intervare is considered to be responsible for the data. In relation to Interware's customers, it appears from the case that these can to some extent be said to be exposed, since it requires visitation to be able to use Interware's purchasing service, but that no sensitive information has been available for the customers concerned. Intervare has stated that by going to http: //XXX.XXX.XXX.XX and selecting 'Find Box From Order', and entering a valid order number, access to the specific customer's name, address, customer number and the contents of the the order in question. The functionality was not available from main.com pages. When asked by the Data Inspectorate about a possible processing of secret addresses, Intervare stated that a delivery address is an absolute necessity for the delivery of goods to the customers. Thus, Intervare does not detect whether an address is secret, as it is irrelevant. Against this background, the risk assessment did not include an assessment of whether secret addresses were included. Intervare has stated that in order to get a valid order, you must know what a valid order number looks like, know the number of digits in the number, and know which number series are valid. Without this, no data will appear. There are no fields or anything from which to infer information about the format of order numbers. It was possible to try it until you hit a valid order number. In addition, Intervare stated that at the time of the incident, server logs were available 7 days back, and these were used to establish that during the period there was no unauthorized access to customer data on the web server. According to Intervare, the cleanup after the breach consisted of a tightening of the firewall rules so that the web server was no longer accessible from outside. It is apparent from Interware's notification of the breach that the data subjects concerned will not be notified, and the reasons for this are: The breach does not entail a high risk of the rights or freedoms of the persons concerned. Sufficient technical and organizational security measures have been implemented to remedy the incident. Measures taken by the data controller that justify failure to notify the persons concerned are: Ensuring that all external access to the service is no longer possible, and testing and validation of internal access. It appears from the case that on January 24, 2019, an assessment was made as to whether Intervare is obliged to notify the data subjects pursuant to Article 34. of the Data Protection Regulation. The assessment was carried out by Bech-Bruun Advokatpartnerselskab, which states: Fact Please refer to the documentation forms for the security breach Annexes 3 and 4 (sent to X on January 21, 2019), which are attached to this assessment, and which are the basis for the assessment, including that the internal access to the web-based reporting service has been closed at the latest. on Tuesday, January 22, 2019. Obligation to notify the registered (customers) pursuant to GDPR art. 34? It follows from GDPR art. 34 that Nemlig and Intervare as data controllers in case of security breach is obliged to notify the data subjects (customers) if the security breach is likely to involve a high risk for the data subjects (customers) rights and freedoms. Considering that: only ordinary personal information (and non-sensitive personal information) such as the name, address and purchase of the specific order - and only by entering a specific order number, which one must guess or otherwise possess - has been available, Namely, and Intervare have not found that there has been any unusual traffic on the web-based reporting service, Namely, and Interware has not established via log or otherwise that the access to the web service has been used unauthorized, None of the data subjects have informed Namely and / or Intervare that they have experienced that their rights or freedoms have not been infringed during the period during which unauthorized access has been possible, There is no indication that the breach of security has had consequences for the data subjects, Due to the above, it is not likely that the unauthorized access has been used and that there has not been a high risk of customer rights and freedoms, and Namely and Intervare immediately after finding the security breach has taken the necessary organizational and technical measures (closed to external firewall access and access control is established on each report service), cf. GDPR Art. 34, 3 (b), it is our opinion that Namely and Intervare are not required to notify the data subjects pursuant to the GDPR art. 34, 1. 3. Justification for the Danish Data Protection Agency's decision As a result of the notification from Intervare, the Data Inspectorate assumes that a personal data breach has been breached. The Data Inspectorate does not consider that an assessment has been carried out in accordance with Article 34 (2) of the Data Protection Regulation. 1 of the risk to the rights of the data subjects. The Data Inspectorate has hereby emphasized in particular the following. It does not appear that Intervare has assessed the risk that the individual addresses could be secret / protected. Secret / protected addresses, in the opinion of the Data Inspectorate, constitute confidential personal data and an unintended exposure of such information could potentially have serious consequences for the rights of the data subjects. Given the high number of data subjects, the Data Inspectorate is of the opinion that the breach of security is very likely to affect someone where exposure of their address could have a high consequence, and thus the Data Protection Authority considers that the breach poses a high risk to these data subjects. Intevares' risk assessment emphasizes that no unusual traffic or unauthorized use of the access has been identified. In this connection, a log is referred to. The Danish Data Protection Agency understands the circumstances so that the log shows only uses of the access for the last 7 days. The Data Inspectorate does not find that 7 days of logging - beyond one week - can in any way substantiate whether unauthorized access to the information has been made available through the Internet from 2016 to January 2019. The Data Inspectorate does not find that the format of the Internet address (URL) is so unique that this in itself provides some protection against unauthorized use. Furthermore, the Authority does not find that knowledge of the format of a valid order number provides any protection, since it was possible to test without limitation in the number of attempts. Furthermore, more orders per customer and over a quarter of a million customers (Namely and Interware's customers in total) offer many opportunities to hit correctly on a 10-digit order number. The Internet address (URL) that could be used from the Internet (http://XXX.XXX.XXX.XXX) does not in itself indicate whether the transmission of personal data occurred with or without the use of encryption. The Data Inspectorate finds that such an aspect should have been included in the risk assessment when the breach includes the possible transmission of confidential personal data over the Internet - including by employees' authorized use of the web-based reporting service. The services at Intervare A / S appear to be aimed at weak, elderly citizens who cannot handle purchases themselves. If it can be read from the customer's order that the customer is probably a weak elderly citizen and the time of delivery also appears, this information can potentially be misused to access their home. In the opinion of the Data Inspectorate, this poses a potential high risk for these data subjects. This aspect is not considered in the risk assessment, but if the risk is present, it requires special attention to the measures taken by the data controller to deal with the breach. Intervare's risk assessment emphasizes that none of the data subjects have reported namely and / or Intervare that they have experienced that their rights or freedoms have not been violated during the period when unauthorized access has been possible. The Data Inspectorate assumes that this is a typo, and it is believed that none of the data subjects has stated that their rights have been violated during the period of the breach. However, Intervare cannot expect that a data subject who experiences misuse of a secret address information will necessarily be able to associate this with specific Interware's processing of the address. The address can be registered with several private companies and public authorities. Furthermore, the customer may not necessarily remember that Intervare holds the address, e.g. if the customer has not shopped at Intervare since 2016. Finally, address information may have been retrieved by unauthorized persons for abuse at a much later date. Intervare has stated that the data subjects will not be notified, and this is justified by measures concerning the closure of the unauthorized access. This is repeated in the risk assessment, which also refers to Article 34 (1) of the Data Protection Regulation. 3 (b). The Data Inspectorate should note that Article 34 (2) does. 3, points to the data subjects referred to in subsection (3). 1 and it addresses the data subjects for whom the breach involves a risk. The primary purpose of notifying people of security breaches is to provide them with specific information on what precautions they should take to protect themselves from potential consequences of the breach.  The risk assessment should concern those affected by the breach. The described measures implemented by Intervare only work in the future, and will therefore not change the risk that the breach has already posed for a number of years and may still pose for the data subjects affected by the breach. Thus, if some of the recorded personal data has come to the attention of unauthorized persons, the risk thus remains unchanged from the measures described, and the measures do not mean that the high risk of the data subjects' rights and freedoms is no longer real . The Data Inspectorate does not consider that Intervare can not notify the data subjects with reference to Article 34 (2). 3 (b), as the conditions are not considered to be fulfilled. In view of the above, the Data Inspectorate considers that Intervare must have performed a new assessment of the risks that the breach of personal data security poses for the rights and freedoms of the data subjects. Since Intervare has not already informed the data subjects of the breach of the personal data security, the Data Inspectorate has, based on the circumstances described in the case, considered the likelihood that the breach of the personal data security poses a high risk, cf. Article 34 (2) of the Data Protection Regulation. 4. In the light of the above, the Authority has decided to issue an injunction to the data controller Intervare A / S, cf. 2 (e) to notify the data subject concerned who may have a secret or omitted address. If registrants with secret / omitted addresses cannot be identified, all concerned (about 16,000) will be notified. However, all data subjects who are specifically Interware customers must be notified (whether they have a secret / omitted address or not) if they could be identified from the information for which there was unauthorized access. The notification shall comply with the requirements of Article 34 of the Data Protection Regulation and thus describe in a clear language the nature of the breach of the personal data security and at least contain the information and measures referred to in Article 33 (2). 3, b, c and d. This means, inter alia, that if confidential personal data has been transmitted over the Internet without the use of encryption, this must be included as part of the description of the nature of the breach.  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC (general data protection regulation).  See also the Data Protection Regulation's preamble recital 86 and the Article 29 Working Party on "Guidelines for reporting personal data breaches under Regulation 2016/679" (WP250rev.01).