A fine of HUF 100 million (almost EUR 300.000,00) has been imposed in our neighboring country for violating the provisions of the General Data Protection Regulation (hereinafter: GDPR). The Hungarian Data Protection Authority fined the company DIGI Távközlési és Szolgáltató Kft (hereinafter: DIGI) over a personal data breach.
Recently, an ethical hacker (also referred to as a white hat hacker) found that databases containing the personal data of DIGI's customers and of the subscribers to its newsletter were accessible on DIGI's website, www.digi.hu.
The white hat hacker reached that personal data through a security loophole on DIGI's website, i.e. a vulnerability in the software behind the site that enables an attacker to compromise the system.
Upon learning of the incident, DIGI immediately notified the Data Protection Authority in Hungary, which started a thorough investigation.
RESULTS OF THE INVESTIGATION
Based on the investigation, the Data Protection Authority in Hungary determined that DIGI had indeed violated the provisions of the GDPR. The violation consisted in DIGI not having implemented appropriate security measures for the protection of the personal data of its customers and subscribers.
Specifically, DIGI had not encrypted the data, although encryption is one of the technical measures the GDPR expressly names as appropriate (Article 32). DIGI had also not installed an available bug-fix (a correction to a defect in a computer program or system) for the vulnerability, because the fix was not part of the official update package.
THE ESSENCE OF THE PROBLEM
The essence of the problem is insufficient data security measures, compounded by the fact that the databases in question should have been deleted much earlier. DIGI had failed to delete personal data that was no longer necessary for the purpose for which it had been processed.
By acting in this way, DIGI violated two fundamental principles of the GDPR: the principle of purpose limitation and the principle of storage limitation.
Taking into account all the circumstances of the case, the Hungarian Data Protection Authority imposed on DIGI the highest fine it has ever issued in Hungary: HUF 100 million, which amounts to almost EUR 300.000,00.
As aggravating circumstances, the Data Protection Authority considered the fact that the absence of encryption increased the risk arising from the data breach, and the fact that the infringement of the GDPR resulted from a security loophole for which a free bug-fix had been available much earlier.
As the only mitigating circumstances, the Data Protection Authority considered the fact that this was DIGI's first infringement of the provisions of the GDPR, and the fact that DIGI admitted that the databases containing personal data should have been deleted long ago.
OTHER INFRINGEMENTS OF THE GDPR
As a reminder, we point out that in May 2020 the Finnish Office of the Data Protection Ombudsman imposed an administrative fine of EUR 72.000,00 on the company Taksi Helsinki Oy, which had not assessed the risks and effects of its personal data processing before adopting a camera surveillance system that records audio and video in its taxis. In its decision, the Finnish Office of the Data Protection Ombudsman states that the company seriously violated the provisions of the GDPR concerning the processing of personal data.