From GDPRhub
Revision as of 09:53, 12 May 2021

Persónuvernd (Iceland) - 2020010355
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 04.05.2021
Published: 07.05.2021
Fine: 23585 EUR
Parties: n/a
National Case Number/Name: 2020010355
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA fined InfoMentor ehf., the company that develops and operates the Mentor electronic school management system, ISK 3,500,000 (about €23,585) for failing to implement appropriate technical and organisational measures. The failure resulted in a data breach that affected 424 children: 423 in Iceland and one in Sweden.

English Summary

Facts

On 15 February 2019, InfoMentor ehf. notified the DPA of a data breach in its Mentor web system. The system is intended for schools and other parties working with children, including preschools and primary schools, and its development and operation is the company's main activity.

The company works with the network security firm Syndis. On 14 February 2019 Syndis had been notified that, because of a weakness in the Mentor system, an unauthorised party could have retrieved the ID numbers and pictures (avatars) of a number of children, and it passed this on to InfoMentor the same day. Once aware of the breach, InfoMentor notified the principals of all schools in Iceland and then the schools of the affected students.

Cross-border scope

The security breach affected 423 children in Iceland and one child in Sweden. On 12 August 2019 the DPA notified the EEA data protection authorities through the Internal Market Information System (IMI), stating that it considered itself the lead supervisory authority and the Swedish DPA (Integritetsskyddsmyndigheten, formerly Datainspektionen) a supervisory authority concerned; the Swedish DPA confirmed this within the response deadline. On 12 March 2021 the DPA sent a draft of this decision to the Swedish DPA, after the draft had been discussed at meetings of the DPA's board on 28 January and 10 March 2021. No comments were received within the four-week period provided for in Article 60(4) GDPR.

The nature of the data breach

The student's system number, a six-digit identifier assigned by the system (not the national ID number), was visible in the URL of a specific page in the Mentor system, and changing that number in the URL was enough to reach another student's page. By writing a script that sent thousands of requests with random six-digit numbers, a user who was not authorised to see the data obtained the ID numbers and pictures of 423 students in Icelandic preschools and primary schools. The requests could only be sent by a logged-in user of the Icelandic system.

InfoMentor's analysis of its activity logs showed that the requests had been sent from the account of the parent of a primary school child in the capital area. The parent confirmed in writing that the purpose of the activity had been to demonstrate weaknesses in the system. At the parent's request, a user of the system in Sweden performed the same operation and thereby obtained the picture and ID number of one child in that country. According to the parent's statement, no data other than the pictures of the children concerned had been viewed, and the downloaded pictures were later deleted. The parent reported the weakness to Syndis, which passed it on to InfoMentor together with a technical analysis and the ID numbers of the children concerned, but no other personal data.

InfoMentor fixed the weakness on the evening of Friday 15 February 2019, about 24 hours after it became aware of it. Testing took place that weekend and a new version of the web system was released on the morning of Monday 18 February 2019. The company reaffirmed that a user had to be logged in to the Mentor system to reach the information exposed by the breach, and stressed that both internal and external tests had shown that an outside party without a logged-in account could not have exploited the vulnerability.

By letter dated 23 March 2020, the DPA requested written information and documents on how InfoMentor had complied with the requirements of Article 32 GDPR. The company's reply of 1 June 2020 was accompanied by risk assessments from 2018 and 2019, a memorandum confirming KPMG's audit of key information security aspects of the Mentor system for those years, and information on a penetration test carried out by Bulletproof in April 2019. In autumn 2017 the company had set up a special working group to systematically review the Mentor system with the aim of ensuring the security of personal data within it and compliance with the requirements for adequate technical and organisational measures before the GDPR entered into force. The working group reviewed all registrations and activity within the system in an orderly manner, and that work led to various adjustments.

InfoMentor had been aware of the weakness that caused the breach and had ordered a fix. A solution had been developed, but by mistake it was recorded as completed even though it had never been deployed to the Mentor system; the company only discovered this after the breach. In the DPA's view, adequate testing of the solutions developed to improve the security of personal data in the system, including this one, could have prevented the breach.
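The two findings above, an object number taken from the URL that was checked only for a logged-in session and a fix that was recorded as done but never tested in the deployed system, are the textbook shape of a broken object-level authorisation bug. The following is an added example, not InfoMentor's code, and says nothing about how the Mentor system is actually built: a lookup with the described weakness beside an authorised version, a replay of the enumeration from one logged-in account (sweeping the whole six-digit space rather than sampling it at random), the release check that would have caught the undeployed fix, and a log-side detector for the sweep. All pupils, account names, numbers and detector thresholds are constructed.

```python
"""Added example (not InfoMentor's code). Models the weakness the decision
describes beside an authorised version, replays the enumeration, adds the
release check the DPA found missing and a log-side detector for the sweep.
All pupils, accounts, numbers and thresholds below are constructed."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Student:
    system_number: str  # six-digit number assigned by the system, not the national ID
    national_id: str    # the sensitive value that leaked
    avatar: str


# Constructed sample data: three pupils and the two parent accounts linked to them.
STUDENTS = {s.system_number: s for s in (
    Student("104233", "010110-1234", "/avatars/104233.png"),
    Student("587120", "020211-5678", "/avatars/587120.png"),
    Student("930017", "030312-9012", "/avatars/930017.png"),
)}
GUARDIAN_OF = {"parent-a": {"104233"}, "parent-b": {"587120"}}


class LoginRequired(Exception):
    pass


def vulnerable_profile(session_user, system_number):
    """Authenticates but does not authorise: once logged in, any account can read
    any pupil's record simply by changing the number taken from the URL."""
    if session_user not in GUARDIAN_OF:
        raise LoginRequired
    s = STUDENTS.get(system_number)
    return None if s is None else {"id": s.national_id, "avatar": s.avatar}


def hardened_profile(session_user, system_number):
    """Object-level authorisation: a record is returned only for a pupil linked to
    the caller's account. Unknown and forbidden numbers both yield None, so the
    response does not reveal which numbers exist."""
    if session_user not in GUARDIAN_OF:
        raise LoginRequired
    if system_number not in GUARDIAN_OF[session_user]:
        return None
    s = STUDENTS[system_number]
    return {"id": s.national_id, "avatar": s.avatar}


def new_stats():
    """Per-session counters that an access log would be aggregated into."""
    return defaultdict(lambda: {"requests": 0, "misses": 0})


def record(stats, session_user, hit):
    stats[session_user]["requests"] += 1
    stats[session_user]["misses"] += 0 if hit else 1


def sweep(handler, session_user, stats):
    """Replays the described script from one logged-in account, here over every
    six-digit number rather than random ones. Returns the national IDs of
    children the caller is not the guardian of."""
    leaked = set()
    own = GUARDIAN_OF[session_user]
    for n in range(100_000, 1_000_000):
        num = str(n)
        rec = handler(session_user, num)
        record(stats, session_user, rec is not None)
        if rec is not None and num not in own:
            leaked.add(rec["id"])
    return leaked


def authorisation_check(handler):
    """Release gate: anonymous access is refused, a parent can read their own
    child and cannot read another family's. A fix recorded as done but never
    deployed fails this, which is the testing gap the DPA found."""
    try:
        handler(None, "104233")
        return False
    except LoginRequired:
        pass
    return (handler("parent-a", "104233") is not None
            and handler("parent-a", "587120") is None)


def flag_enumeration(stats, min_requests=1000, min_miss_ratio=0.9):
    """Sessions that look like identifier enumeration: many requests, nearly all
    for numbers that resolve to nothing. A real parent touches a few records and
    almost never misses. Thresholds are illustrative."""
    return {u for u, st in stats.items()
            if st["requests"] >= min_requests
            and st["misses"] / st["requests"] >= min_miss_ratio}


if __name__ == "__main__":
    stats = new_stats()
    print("leaked (vulnerable):", sorted(sweep(vulnerable_profile, "parent-a", stats)))
    print("leaked (hardened):  ", sorted(sweep(hardened_profile, "parent-a", stats)))
    for _ in range(3):  # ordinary use by another parent
        record(stats, "parent-b", hardened_profile("parent-b", "587120") is not None)
    print("release check vulnerable/hardened:",
          authorisation_check(vulnerable_profile), authorisation_check(hardened_profile))
    print("flagged sessions:", flag_enumeration(stats))
```

Two points worth noting. The hardened handler still answers None for every number the caller is not entitled to, so the sweep produces the same high miss ratio against it and the detector flags the session either way; the authorisation fix stops the leak, the detector tells you someone tried. And the release check is deliberately small: it does not prove the authorisation model is complete, only that a cross-account read fails in the build actually being shipped, which is the difference between a fix being marked complete in a work list and being live.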

Mistake in communication about the data breach

In addition to the initial security breach, mistakes were made in some of InfoMentor's notifications to the preschools and primary schools concerned. The schools of two students were not notified until 1 March 2019, just over two weeks after the breach. In some cases ID numbers were sent to the wrong school, mostly for students who had since left the school in question; in one case the ID number of a student at Háaleitisskóli in Reykjavík was sent to the school of the same name in Reykjanesbær because the two schools were not sufficiently separated in the system. The ID numbers of four students at Flataskóli in Garðabær were sent to the data protection officer of the City of Reykjavík instead of Garðabær's. InfoMentor informed the recipients of the misdirected data but, owing to what it described as human error, did not report these incidents to the DPA as security breaches.

Holding

In the opinion of the DPA, InfoMentor failed to protect personal data in the Mentor system as required by Article 32(1)(b) GDPR (ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems), Article 32(1)(d) GDPR (regularly testing, assessing and evaluating the effectiveness of the security measures) and Article 5(1)(f) GDPR.

Furthermore, by sending the ID numbers of affected data subjects to the wrong school and to the wrong data protection officer, InfoMentor did not ensure adequate security of their personal data and thereby breached Article 5(1)(f) GDPR.

The DPA ordered the company to implement procedures for responding to data breaches, including testing of those procedures. Confirmation that the order has been complied with must reach the DPA within one month of the date of the decision.

A fine of ISK 3,500,000 (about €23,585) was imposed on InfoMentor.

Comment

According to Article 4(23)(b) GDPR, 'cross-border processing' occurs when the processing 'substantially affects or is likely to substantially affect data subjects in more than one Member State'. In this case, the controller was based in Iceland and operating only there. 423 Icelandic children were affected and only one from Sweden. It is not clear why the Icelandic DPA decided to trigger the IMI system, as it does not seem that the scope of the data breach substantially affected data subjects outside of Iceland.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


                  
    Decision
On April 29, 2021, the Data Protection Authority announced the following decision in case no.
2020010355 (formerly 2019020361): I. Procedure1.Origin
On February 15, 2019, InfoMentor ehf.
Telephone privacy protection for security breaches that had occurred within the web system
Mentor. The system is intended for schools and other parties that work with children, e.g. á m.
preschools and primary schools, but the main activity of InfoMentors ehf. involves development and
operation of the system. Among the possibilities that the system offers are communication
and information sharing between schools and parents. In the call, InfoMentor ehf. on communication
of the company with the network security company Syndis on 14 February 2019. On that day
Syndis had been notified that due to weaknesses in the Mentor system
an unauthorized party could have obtained information on ID numbers and photos (e.
avatars) number of children through the system. Syndis announced InfoMentor ehf. um
the weakness as a result. The extent of the security breach was not fully understood
beginning, but this will be discussed in more detail below. On behalf of InfoMentors ehf. has stated that
when the company became aware of the security breach at 16:55 on Thursday
February 14, 2019, the action plan has been activated. At the end of further
analysis, between 16:45 and 16:55 on Friday 15 February, sea
InfoMentor ehf. sent notifications to the principals of all schools in Iceland
to the effect that a security breach had occurred. Late the same day, between 17:41 and 19:33,
has InfoMentor ehf. sent notifications to the schools of those students who
the security breach was covered and the ID numbers of the students in question were specified. Then
has InfoMentor ehf. sent a detailed notice to the schools in question on Monday
February 18, 2019. During the period February 16 to March 4, 2019 were received
Privacy A total of 84 reports of security breaches, from 75 primary schools and 9
kindergartens. These announcements or other issues will not be discussed further
concerning the primary and nursery schools in question in this decision. The handling of this case has been delayed due to its scope
its procedures for the processing of personal data across borders and for
work at the Data Protection Authority. 2. Summary of communication regarding the case Following
telephone calls from employees of the Data Protection Authority and InfoMentors ehf. on the 15th and 20th.
February 2019, the agency requested further information from the company
letters, dated. February 25, March 27 and May 10, respectively. Answers InfoMentors ehf.
received by letters dated. March 3, April 4 and June 4, 2019. At the end
analysis of the security breach on the basis of available data requested
Privacy further information from InfoMentor ehf. by email January 13th
and 10 February 2020 and a letter dated March 23, repeated April 24 s.á. Answers
InfoMentors ehf. received by e-mail on 7 and 11 February 2020 and by letter,
day. June 1, i.e. By letter,
day. November 20, 2020, the Data Protection Authority InfoMentor ehf. that the agency
considered that there may be grounds for the application of Article 46. laga n. 90/2018, um
privacy and the processing of personal information, where Privacy is provided
authority to impose administrative fines in accordance with Article 83. Regulation (EU)
2016/679. The position of the Data Protection Authority was based on the fact that the case documents indicated
that InfoMentor ehf. had not ensured the security of personal information
adequate technical and organizational measures. Was InfoMentor ehf.
provided an opportunity to comment on this, as well as on the case
in whole. Answer InfoMentors ehf. received by letter dated. December 11, 2020. Perspectives
and the explanations of InfoMentors ehf, as they appear in the above data, will be
discussed as appropriate in the relevant subsections of the Decision. We
the resolution of the case has taken into account all of the above data, however
not all of them are specifically listed below. 3. Processing for processing
cross-border personal informationLike
stated in a letter from InfoMentors ehf., dated March 3, 2019, the security breach had an effect
has one child in Sweden in addition to those who live in Iceland and who suffered
his influence. On that occasion, the Data Protection Authority made the data protection agencies inside
The European Economic Area (EEA) notified the matter in a statement on 12 August
2019 through a common information system of the area's internal market (e. Internal
Market Information System, IMI). The announcement stated that the Data Protection Authority
considered itself to be the leading supervisory authority in the case as the term is defined
in point 124 of the preamble to the regulation. It was also stated that the Data Protection Authority
considered the Swedish Data Protection Authority, Integritetsskyddsmyndigheten (formerly Datainspektionen),
be the relevant supervisory authority within the meaning of point 22 of the first paragraph. Article 4
of the Regulation. The deadline for responding was 13 November
2019. Within that deadline, the Swedish Data Protection Authority's response was received that
it considered itself the relevant supervisory authority in the case. On March 12, 2021, the Data Protection Authority sent
draft of this decision to the Swedish Data Protection Authority through the aforementioned
information system in accordance with para. Article 60 of the Regulation, than before had
The draft was discussed at meetings of the Board of the Data Protection Authority on 28 January and 10 March
s.á. No comments were received within the four-week deadline
about in the 4th paragraph. Article 60 of the Regulation.II.The nature and extent of the security breach1.The nature of the security breachIt is stated in a letter from InfoMentors ehf., dated March 3, 2019, that in URL (e.
URL) of a specific page in the Mentor system if the student system number was visible.
This is a six-digit number assigned by the system and not the student ID number. By tailoring a script to send
thousands of queries on the system with random six-digit numbers had a party, which had not
authorized to do so, retrieved information on ID numbers and photos of 423 students
Icelandic preschools and primary schools. The person in question had to be a user in Iceland
and be logged in to the system to send the queries in question. Is this an issue
reaffirmed in a letter from InfoMentors ehf., dated December 11, 2020. The letter was accompanied by various
documents, incl. á m. statement of the company's technical director in the years 2017-2019 where
confirms that it would have been sufficient to change the URL of the relevant page within
The Mentor system to access information from there and thus take advantage of weaknesses in the system. The first-mentioned letter also states that the analysis of InfoMentors ehf. á
action files have revealed that the queries have been sent to the system
from the access of the parent of a primary school child in the capital area to the Mentor system.
The parent in question had confirmed in writing that the purpose of the activity had been
to demonstrate weaknesses in the system. At the request of the person had a user
of the system in Sweden also performed the same operation and thus approached the image and
ID number of one child in that country. According to the parent's statement had none
data outside the images of the children concerned have been viewed. Then the person would have deleted
the downloaded images. The parent has announced
the network security company Syndis about the incident, which informed InfoMentor ehf. um
it as above. The notification was accompanied by a technical analysis and
information on the ID numbers of the children in question but no other personal information. The letter states that the correction of the weakness has been completed
on the evening of Friday 15 February, or about 24 hours after the company
became his. Tests took place that weekend and a new version of the web system
issued on the morning of Monday, February 18, 2019. Furthermore, it states that the analysis
InfoMentors ehf. on all data is in accordance with the aforementioned statement
the parent who pointed out the weakness and that the company accepts the person's description
the purpose of the act religiously. In a letter from InfoMentors ehf., Dated December 11, 2020, is reaffirmed that
it was necessary to be a logged in user in the Mentor system to
access the information that became available to unauthorized persons
the security breach. The company focuses on both internal and external testing
of the system had revealed to an outside party, which had not been
logged-in user of the system, could not have exploited the vulnerability in question
to access the information. It also says that a solution to the weakness already had
have been developed when the security breach occurred but due to human error
had it not been activated in the system. As a result, it was possible to
respond immediately to the security breach that was actually witnessed. There will be more
discusses the response of InfoMentors ehf. with the security breach and those security measures
which the company has resorted to below. 2. Extent of the security breach As stated above and in a letter from InfoMentors ehf., Dated 3.
March 2019, the security breach affected 423 children in Iceland. The letter states that
initially, the company believed that there were 96 schools and names
the students' ID numbers and pictures have become accessible. We further
a review, however, revealed that there were 90 schools and that there were others
information but ID numbers and photos would not have been accessible. Then have
the security breach reached one child in Sweden. Is this information also
reaffirmed in a letter from InfoMentors ehf. to the Data Protection Authority, dated June 1, 2020. On February 20, 2019, the Data Protection Authority received an e-mail from a parent
a primary school child in Reykjavík to the effect that the child's picture contained raw data (e.
metadata) where the personal information of the child and his parents could be seen,
þ. á m. their full names and ID numbers. Privacy requested further information
from the parent in question and were received by e-mail on 9 and 10 April 2019, 29.
May and June 3 s.á. Was InfoMentor ehf. invited to comment on the above issues
in order to verify the true extent of the security breach. In a letter
of the company to the Data Protection Authority, dated June 4, 2019, states that
the security breach did not reach the child of the parent in question. InfoMentor ehf. have explored more
images in the system than those that had been downloaded and verified as such
information follow some of them. However, include raw materials
personal information of children and parents not found in their photos
students covered by the security breach. InfoMentor ehf. this item in
the company's letters to the Data Protection Authority, dated June 1 and December 11, 2020.3.Mistakes in InfoMentors announcements
ehf. to pre-school and primary schoolIn addition
of the initial security breach, it is clear that mistakes were made in certain cases
announcements of InfoMentors ehf. to the relevant pre-school and primary school. Thus
is stated in the company's letter to the Data Protection Authority, dated March 3, 2019, at
failed to notify the schools of two students about the security breach until 1.
March, or just over two weeks after it took place. Furthermore,
ID numbers in some cases have been sent to the wrong school. There have in most
In some cases, these were students who had dropped out of the schools in question. Then
if the ID number of a student at Háaleitisskóli in Reykjavík has been sent to Háaleitsskóli
Reykjanesbær. The reason for the last-mentioned mistakes could be traced to that
the schools have not been sufficiently separated in the system despite bearing
same name. InfoMentor ehf. has informed the parties who have been sent
personal information by mistake, but has not been reported
security breach to the Data Protection Authority due to these incidents
the aforementioned letter from InfoMentors ehf. also states that by mistake has
The City of Reykjavík's privacy representative has been sent ID numbers of four
students of Flataskóli in Garðabær that the security breach covered, but they have
should rightly be received by Garðabær's privacy representative. The incident did not
have been reported to the Data Protection Authority as a security breach than the person in question
privacy representatives informed about it.
In a letter from InfoMentors ehf., Dated December 11, 2020, says that human
a mistake has resulted in the company not formally announcing
security breaches due to the aforementioned incidents. The schools concerned and their data protection officers were, however, notified of them as described above.

4. Security measures and responses of InfoMentor ehf. to the security breach

By letter dated 23 March 2020, the Data Protection Authority requested in writing information and data on how InfoMentor ehf. had complied with the requirements of Article 32 of Regulation (EU) 2016/679 on the security of personal data. The requested information was received by letter from InfoMentor ehf. dated 1 June 2020. The letter was accompanied by risk assessments carried out in 2018 and 2019, a memorandum dated 29 March 2019 confirming KPMG's audit of key information security aspects of the Mentor system for the same years, and information on penetration tests conducted by the company Bulletproof in April 2019. The letter states that Bulletproof's recommendations had been acted upon and the relevant fixes carried out. It also states that in late 2018 various organisational changes were made at InfoMentor ehf. with the aim of increasing the security and effectiveness of measures; among other things, changes were made to the technical and security staff and to management. The company's letter dated 11 December 2020 further states that work processes have been restructured and stricter testing procedures implemented to reduce the likelihood of human error. In addition, a data protection officer has worked for the company since 2017.

In InfoMentor ehf.'s letter dated 11 December 2020, the measures taken by the company since 2017 with the aim of increasing the security of the Mentor system were described in more detail, and further data were submitted, including a list of 370 technical work items. The letter states that in the autumn of 2017 the company set up a special working group to review the Mentor system systematically, with the aim of ensuring the security of personal data within it and compliance with the requirements for adequate technical and organisational measures before the entry into force of Regulation (EU) 2016/679. The working group reviewed all registration and activity within the Mentor system in an orderly manner, and that work led to various adjustments. As stated above, the then technical director of InfoMentor ehf. confirmed this information in a written statement that accompanied the letter.

The letter states that InfoMentor ehf. was aware of the weakness that caused the security breach and that instructions had been given to fix it. A solution had been developed, but by mistake it had been recorded that the fix had been completed, even though it had not been deployed in the Mentor system. This is confirmed in the statement of the company's then technical director as well as in the aforementioned list of technical work items. The letter states that correcting the weakness took as little time as it in fact did because a solution had already been developed.

On the basis of the information and data submitted by InfoMentor ehf., it is the opinion of the Data Protection Authority that satisfactory testing of the solutions developed to increase the security of personal data within the Mentor system, such as the solution to the vulnerability that caused the security breach on 14 February 2019, could have prevented the breach. The above data indicate that InfoMentor ehf. did not become aware of the error in the deployment of the solution until after the security breach had occurred.

III. Decision of the Data Protection Authority

1. Scope
Act no. 90/2018 on Data Protection and the Processing of Personal Data and Regulation (EU) 2016/679, cf. paragraph 1 of Article 4 of the Act and paragraph 1 of Article 2 of the Regulation, and thereby the competence of the Data Protection Authority, cf. paragraph 1 of Article 39 of the Act, cover the processing of personal data that is wholly or partly automated and the processing by other than automated means of personal data that form part of a filing system or are intended to form part of one.

Personal data are information about an identified or identifiable natural person, and a natural person is considered identifiable if he or she can be identified, directly or indirectly, by reference to an identifier or to one or more factors specific to that person, cf. point 2 of Article 3 of the Act and point 1 of Article 4 of the Regulation. Processing means an operation or set of operations performed on personal data, whether or not by automated means, cf. point 4 of Article 3 of the Act and point 2 of Article 4 of the Regulation.

This case concerns a security breach as a result of which the ID numbers and pictures (avatars) of 423 children in Icelandic pre-schools and primary schools became accessible to unauthorised parties, and the same information about one child in Sweden became accessible to unauthorised persons in that country. In view of the above, and considering that the headquarters of InfoMentor ehf. are in Iceland, this case concerns processing of personal data that falls within the competence of the Data Protection Authority.

2. Controller and processor
The party that bears responsibility for the processing of personal data in accordance with Act no. 90/2018 is called the controller. According to point 6 of Article 3 of the Act, this means a natural or legal person, public authority or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data, cf. point 7 of Article 4 of the Regulation. A processor is a natural or legal person, public authority or other body that processes personal data on behalf of the controller, cf. point 7 of Article 3 of the Act and point 8 of Article 4 of the Regulation.

The Data Protection Authority has previously considered the relationship between InfoMentor ehf. and the schools and other users of the Mentor system with regard to their status under the above definitions of controller and processor. In its opinion of 22 September 2015 in case no. 2015/1203, the Authority concluded that each school using the Mentor system is the controller of the processing of personal data carried out by that school within the system. Each school makes an independent decision on whether, and which, personal data are to be recorded in the system. InfoMentor ehf. provides the Mentor web system and is therefore considered the processor of the personal data processed through the use of the system in the work of the school. This interpretation is also consistent with the European Data Protection Board's Guidelines 7/2020 on the concepts of controller and processor. [1]

The Data Protection Authority reiterates that this decision is confined to the security breach within the Mentor system on 14 February 2019, the compliance of the security measures taken by InfoMentor ehf. with the provisions of Act no. 90/2018 and the Regulation, and the company's response to the security breach. As stated above, the notifications of individual pre-schools and compulsory schools to the Data Protection Authority regarding the security breach will therefore not be addressed in this decision.

3. Security of personal data
3.1. Requirements of Act no. 90/2018 and Regulation (EU) 2016/679

According to point 6 of paragraph 1 of Article 8 of Act no. 90/2018 and point (f) of paragraph 1 of Article 5 of Regulation (EU) 2016/679, personal data shall be processed in a manner that ensures their appropriate security. This entails, among other things, cf. paragraph 2 of Article 32 of the Regulation, that in assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

The security of personal data is dealt with in more detail in Section 2 of Chapter IV of the Regulation. According to paragraph 1 of Article 32 of the Regulation, cf. paragraph 1 of Article 27 of Act no. 90/2018, the controller and the processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (point (b)) and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (point (d)).

3.2. Conclusion on the security of the personal data of data subjects within the Mentor system
It is established that a weakness within the Mentor system enabled two unrelated parties to access the personal data of a total of 424 children in Iceland and Sweden on 14 February 2019. As stated above, the security breach was caused by human error, as a solution to the vulnerability in question had already been developed but not deployed in the Mentor system. Follow-up and testing of security measures were then insufficient, with the result that InfoMentor ehf. did not become aware of the mistake until after the security breach of 14 February 2019 had occurred. In the opinion of the Data Protection Authority, InfoMentor ehf. therefore did not ensure the security of personal data within the Mentor system in the manner required by points (b) and (d) of paragraph 1 of Article 32 of the Regulation, cf. paragraph 1 of Article 27 of Act no. 90/2018, cf. also point 6 of paragraph 1 of Article 8 of the same Act and point (f) of paragraph 1 of Article 5 of the Regulation.

Furthermore, InfoMentor ehf. did not ensure adequate security of the personal data of the data subjects affected by the security breach when the company sent ID numbers to the wrong schools and data protection officers. In this respect, InfoMentor ehf.'s processing of the personal data of the persons concerned did not comply with point 6 of paragraph 1 of Article 8 of Act no. 90/2018 and point (f) of paragraph 1 of Article 5 of the Regulation.

4. Considerations in deciding on the imposition of an administrative fine
In light of the Data Protection Authority's conclusion on the security of personal data within the Mentor system and the number of data subjects affected by the security breach of 14 February 2019, it will be examined whether InfoMentor ehf. should be subject to an administrative fine for this, cf. Article 46 of Act no. 90/2018, cf. also Article 83 of Regulation (EU) 2016/679.

As stated above, InfoMentor ehf. was granted the right to object on this issue and the company expressed its views by letter dated 11 December 2020. In that letter, InfoMentor ehf. requests that it be given the opportunity to comment on the amount of a forthcoming administrative fine should the Data Protection Authority conclude that the company is to be fined. In this context it should be emphasised that Article 46 of Act no. 90/2018 specifies the amounts of the administrative fines that may be imposed under the provision, as well as the maximum percentage of a company's turnover where applicable. Consequently, and taking into account the right to object that InfoMentor ehf. has already been granted during the investigation of this case, the Data Protection Authority considers it clearly unnecessary to grant the request for a further right to object, cf. Article 13 of the Administrative Procedure Act no. 37/1993.

When deciding whether to impose an administrative fine and, if so, its amount, the factors listed in paragraph 1 of Article 47 of Act no. 90/2018, cf. paragraph 2 of Article 83 of Regulation (EU) 2016/679, shall be taken into account. Each of these factors is discussed below as appropriate.

4.1. The nature, gravity and duration of the infringement

According to point 1
of paragraph 1 of Article 47 of Act no. 90/2018, cf. point (a) of paragraph 2 of Article 83 of Regulation (EU) 2016/679, regard shall be had to the nature, gravity and duration of the infringement, taking into account the nature, scope and purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.

The security breach of 14 February 2019 was confined to a case involving two logged-in users of the Mentor system. The weakness that enabled the parties in question to access personal data was corrected within 24 hours of InfoMentor ehf. becoming aware of the incident. The security breach affected 424 data subjects, but there is no indication that they suffered damage as a result. InfoMentor ehf. has also stated that all personal data downloaded in connection with the incident have been deleted. On the other hand, regard must be had not only to the data subjects who were actually affected by the security breach but also to those who could have been affected by it. The available data indicate that the vulnerability could have affected the personal data of all Mentor users. The lack of security directly affected students in 90 schools in Iceland and one school in Sweden. Even though only a few students in each of them were involved, in this case the personal data of 424 of them became accessible to unauthorised parties. Consequently, the number of individuals who could potentially have been affected by the security breach is far greater than 424.

The fact that only logged-in users of the Mentor system could have exploited the vulnerability in question also bears on the gravity of the security breach. In that context, however, it should be pointed out that the users of the system in Iceland number in the thousands. It would nevertheless have increased the gravity of the security breach if the vulnerability had enabled anyone, regardless of login, to access the personal data of users. However, it is clear that no special technical knowledge was required to exploit the weakness, as can be deduced from the description of the security breach above. The Data Protection Authority therefore rejects the assertions of InfoMentor ehf. to the contrary, which appear in most of the company's letters. Although some technical knowledge may be required to tailor a script of the kind used in this case, it is clear that it was not necessary to use such techniques to access the personal data that became available as a result of the vulnerability, since it would have been sufficient to change the URL of the page in question.

4.2. Intent or negligence

According to point 2
of paragraph 1 of Article 47 of Act no. 90/2018, cf. point (b) of paragraph 2 of Article 83 of Regulation (EU) 2016/679, regard shall be had to whether the infringement was intentional or negligent.

The Data Protection Authority considers it clear that there was no intent on the part of InfoMentor ehf., but the company made the mistakes that led to the security breach. The breach is therefore attributable to the negligence of InfoMentor ehf.

4.3. Measures taken to mitigate the damage suffered by data subjects

According to point 3
of paragraph 1 of Article 47 of Act no. 90/2018, cf. point (c) of paragraph 2 of Article 83 of Regulation (EU) 2016/679, regard shall be had to any action taken to mitigate the damage suffered by data subjects.

As stated above, it cannot be seen that the data subjects suffered any damage as a result of the security breach. It is also clear that InfoMentor ehf. took action as soon as the company realised that the security breach had occurred. However, those actions were not satisfactory in view of the mistakes made in sending notifications to schools and data protection officers.

4.4. Degree of responsibility taking into account technical and organisational measures

According to point 4
of paragraph 1 of Article 47 of Act no. 90/2018, cf. point (d) of paragraph 2 of Article 83 of Regulation (EU) 2016/679, regard shall be had to the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them.

As processor, InfoMentor ehf. bears full responsibility for the weakness that led to the security breach. As mentioned before, the solution to the weakness had already been developed but not deployed in the Mentor system. Adequate testing could have prevented the security breach. In this respect, InfoMentor ehf.'s follow-up of the technical measures taken by the company was unsatisfactory. In light of the fact that children's personal data are afforded special protection under Act no. 90/2018 and Regulation (EU) 2016/679, the Data Protection Authority considers that greater demands must be made than would otherwise be the case of companies such as InfoMentor ehf., whose core business is the development and operation of an information system intended for parties working with children.

4.5. Degree of cooperation with the Data Protection Authority

According to point 6
of paragraph 1 of Article 47 of Act no. 90/2018, cf. point (f) of paragraph 2 of Article 83 of Regulation (EU) 2016/679, regard shall be had to the degree of cooperation with the Data Protection Authority in order to remedy the infringement and mitigate its possible adverse effects.

InfoMentor ehf. has responded readily to the Data Protection Authority's requests for data and information and has sought to provide the information requested by the Authority. In one instance the Data Protection Authority had to repeat a letter to the company, but InfoMentor ehf. has stated that an error at the post office resulted in the letter not reaching the right hands. The Data Protection Authority accepts this explanation. On the other hand, the Authority considers that InfoMentor ehf.'s notification of the security breach to the controller was not satisfactory, as already discussed. As previously stated, it cannot be deduced from the case file that data subjects have suffered damage as a result of the security breach.

4.6. Categories of personal data

According to point 7
of paragraph 1 of Article 47 of Act no. 90/2018, cf. point (g) of paragraph 2 of Article 83 of Regulation (EU) 2016/679, regard shall be had to the categories of personal data affected by the infringement.

The security breach discussed here involved ID numbers and pictures (avatars). It therefore did not extend to sensitive personal data within the meaning of point 3 of paragraph 1 of Article 3 of Act no. 90/2018, cf. paragraph 1 of Article 9 of the Regulation. In view of the insufficient follow-up and testing, and the scope of the personal data processed in the Mentor system, it appears, on the other hand, to have been a matter of chance rather than anything else which subpage the vulnerability affected.

4.7. How the Data Protection Authority became aware of the infringement

InfoMentor ehf. notified the Data Protection Authority of the security breach when the company became aware of it. In accordance with point 8 of paragraph 1 of Article 47 of Act no. 90/2018, cf. point (h) of paragraph 2 of Article 83 of the Regulation, this will be taken into account when deciding on the imposition of an administrative fine.

4.8. Other aggravating and mitigating factors

According to
point 11 of paragraph 1 of Article 47 of Act no. 90/2018, cf. point (k) of paragraph 2 of Article 83 of Regulation (EU) 2016/679, regard shall be had to any aggravating or mitigating factors other than those listed earlier in the provision, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

It cannot be seen that InfoMentor ehf. gained any financial benefit from the security breach and, as stated above, it did not cause direct damage to the company or to the data subjects. The data and information that InfoMentor ehf. has provided indicate that internal procedures were already deficient when the security breach occurred. However, the company has provided data demonstrating measures taken to prevent a similar security breach from occurring. InfoMentor ehf. has also provided data demonstrating the company's significant work to ensure the security of personal data within the Mentor system, including the aforementioned list of 370 technical work items. However, it is clear that mistakes in the work based on that list led to the fix for the weakness that caused the security breach being recorded as completed.

4.9. Factors not applicable

Points 5, 9 and 10 of paragraph 1 of Article 47 of Act no. 90/2018, cf. points (e), (i) and (j) of paragraph 2 of Article 83 of Regulation (EU) 2016/679, concerning previous relevant infringements, compliance with measures previously ordered by the Data Protection Authority and adherence to approved codes of conduct, do not apply in this case. Previous decisions and opinions of the Data Protection Authority on the processing of personal data within the Mentor system, in particular the Authority's opinion of 22 September 2015 in case no. 2015/1203, concerned the use of the system by controllers and the processing of personal data on their behalf within it, rather than the security of the system itself, which is at issue here.

5. Conclusion on administrative fine

The decision on whether to impose an administrative fine on
InfoMentor ehf. in this case depends on an overall assessment of the factors discussed above. InfoMentor ehf. did not fulfil its obligations under Act no. 90/2018 and Regulation (EU) 2016/679, which led to a security breach that directly affected 424 data subjects, in almost all cases children under 18 years of age. InfoMentor ehf.'s response to the security breach was in part inadequate, especially in light of the company's failure to report the security breach to the controller and to the data protection officer of one municipality. Furthermore, greater demands must be made of InfoMentor ehf. than would otherwise be the case, given that the company's main activity is the development and operation of an information system specifically designed for parties working with children. This applies in particular to the follow-up and testing of technical measures, as adequate testing of such measures by InfoMentor ehf. could have prevented the security breach discussed here.

On the other hand, there is no evidence that data subjects have suffered damage as a result of the security breach. Limited information became available because of it, namely ID numbers and pictures (avatars). The security breach was not due to an attack on the Mentor system by an outside party but to the conduct of logged-in users. As a result, the personal data in question could not have been made available to a third party who is not a user of the system, or misused by such a person, which reduces the gravity of the security breach. InfoMentor ehf. has submitted evidence of various measures that the company has taken with the aim of ensuring the security of personal data in the Mentor system, both before and after the security breach.

In view of all the above, the Data Protection Authority considers that more aggravating than mitigating factors are relevant in this case, especially the number of data subjects who were directly affected by the security breach and of those who could have been affected by it, the fact that the data were the personal data of children, who enjoy special protection under Act no. 90/2018 and Regulation (EU) 2016/679, and the great responsibility that InfoMentor ehf. bears in this context as processor due to the nature of the company's operations. In view of these factors, and of the fact that administrative fines must be effective, proportionate to the infringement and dissuasive, an administrative fine in the amount of ISK 3,500,000 is considered appropriate.

Ruling:

InfoMentor ehf. did not ensure the security of personal data within the Mentor system in the manner required by points (b) and (d) of paragraph 1 of Article 32 of Regulation (EU) 2016/679, cf. paragraph 1 of Article 27 of Act no. 90/2018, cf. also point 6 of paragraph 1 of Article 8 of the same Act and point (f) of paragraph 1 of Article 5 of the Regulation. InfoMentor ehf.'s processing of the personal data of the data subjects affected by the security breach on 14 February 2019 did not comply with point 6 of paragraph 1 of Article 8 of Act no. 90/2018 and point (f) of paragraph 1 of Article 5 of Regulation (EU) 2016/679.

In accordance with this conclusion, and with reference to point 4 of Article 42 of Act no. 90/2018, InfoMentor ehf. is hereby ordered to implement procedures for responding to security breaches and for the implementation of security measures for the processing of personal data, including the testing of such measures. Confirmation that this has been done in accordance with these instructions shall be received by the Data Protection Authority within one month from the date of this decision.

An administrative fine of ISK 3,500,000 is imposed on InfoMentor ehf. The fine shall be paid to the Treasury within one month from the date of this decision, cf. paragraph 6 of Article 46 of Act no. 90/2018 on Data Protection and the Processing of Personal Data.

Persónuvernd, 29 April 2021

Ólafur Garðarsson, acting chairman
Björn Geirsson
Vilhelmína Haraldsdóttir
Þorvarður Kári Ólafsson
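The weakness described in section 4.1 (a logged-in user reaching other children's ID numbers and avatars by changing the URL) and the untested fix described in section II.4 (developed, recorded as completed, never deployed), as an added illustration. This is constructed example code added here, not code from the Mentor system or from InfoMentor ehf., which the decision does not describe in code; the record layout, the /students/<id> path, the school-based ownership rule and the sample values are assumptions.

```python
"""Object-level authorisation check beside the unchecked lookup it replaces,
plus the regression test that tells the two apart.

Constructed illustration; not code from the Mentor system. Record layout,
URL path and sample values are assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    school_id: str


@dataclass(frozen=True)
class StudentRecord:
    record_id: int
    school_id: str
    national_id: str  # ID number; constructed placeholder value
    avatar_url: str


# Constructed sample data: one record in each of two schools.
RECORDS: Dict[int, StudentRecord] = {
    1001: StudentRecord(1001, "school-A", "000000-0000", "/avatars/1001.png"),
    1002: StudentRecord(1002, "school-B", "000000-0001", "/avatars/1002.png"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


Lookup = Callable[[Optional[User], int], Optional[StudentRecord]]


def vulnerable_lookup(user: Optional[User], record_id: int) -> Optional[StudentRecord]:
    """Authenticates but does not authorise: any logged-in user gets any record."""
    if user is None:
        raise Forbidden("login required")
    return RECORDS.get(record_id)


def hardened_lookup(user: Optional[User], record_id: int) -> Optional[StudentRecord]:
    """Authenticates and checks that the record belongs to the caller's school."""
    if user is None:
        raise Forbidden("login required")
    record = RECORDS.get(record_id)
    if record is not None and record.school_id != user.school_id:
        raise Forbidden("record belongs to another school")
    return record


def record_id_from_path(path: str) -> int:
    """Parses the id out of a URL path such as /students/1002 (assumed layout)."""
    prefix = "/students/"
    if not path.startswith(prefix):
        raise ValueError("unexpected path: " + path)
    return int(path[len(prefix):])


def enumerate_by_url(lookup: Lookup, user: User, id_range: range) -> List[int]:
    """What 'changing the URL' yields: the record ids a user can read in a range."""
    found: List[int] = []
    for rid in id_range:
        try:
            record = lookup(user, record_id_from_path(f"/students/{rid}"))
        except Forbidden:
            continue
        if record is not None:
            found.append(record.record_id)
    return found


def cross_school_access_denied(lookup: Lookup) -> bool:
    """Regression check for the authorisation fix.

    True only if a school-A user can read school-A's record and is refused
    school-B's. Run against the deployed system, this is what separates
    "fix developed" from "fix actually in production".
    """
    teacher_a = User("teacher-1", "school-A")
    own = lookup(teacher_a, 1001)
    if own is None or own.school_id != "school-A":
        return False
    try:
        lookup(teacher_a, 1002)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    teacher_a = User("teacher-1", "school-A")
    print("vulnerable:", enumerate_by_url(vulnerable_lookup, teacher_a, range(1000, 1005)))
    print("hardened:  ", enumerate_by_url(hardened_lookup, teacher_a, range(1000, 1005)))
    print("fix enforced (vulnerable):", cross_school_access_denied(vulnerable_lookup))
    print("fix enforced (hardened): ", cross_school_access_denied(hardened_lookup))
```

The vulnerable handler checks only that the caller is logged in, which is the situation the decision describes: any of the thousands of logged-in users could reach other children's records by editing the id in the URL, with no scripting needed. The hardened handler adds the object-level ownership check. cross_school_access_denied is the kind of test the Data Protection Authority found missing under point (d) of paragraph 1 of Article 32: run against the running system rather than the code repository, it keeps returning False for as long as the fix has only been written and recorded as done but has not actually shipped.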