CNIL sanctions DARTY (100,000 Euro)

Interesting case – data breach due to ticket ID enumeration in a standard software URL (developed by a service provider) – CNIL sanctions data controller.

https://www.cnil.fr/fr/darty-sanction-pecuniaire-pour-une-atteinte-la-securite-des-donnees-clients

  • CNIL was informed in February 2017 of a security vulnerability in the URL http://darty.epticahosting.com/selfdarty/register.do, which would have allowed access to the data of several thousand customers of the company DARTY.
  • An online check by CNIL in March 2017 confirmed the security vulnerability in http://darty.epticahosting.com/selfdarty/register.do, a form allowing the company’s customers to submit an after-sales service request. Once the form had been filled in with an e-mail address and a password, a hypertext link corresponding to the registration number of the request allowed access to its follow-up. The identifier (ticket number) was contained in the URL as follows: http://darty.epticahosting.com/selfdarty/requests.do?id=XXX.
    By changing the ID number in this URL, an attacker would be able to access the customer service request forms completed by other customers.
  • 912,938 files were potentially accessible. During the inspection, 7,417 of them were downloaded as a sample. It was found that personal data of customers were accessible in the request forms, such as their surname, first name, postal address, e-mail address and their orders. At the end of the audit, the delegation contacted the company to inform it of the existence of this personal data breach.
  • An on-premise inspection by CNIL revealed that the support form had been developed by a service provider.
  • The controller should nevertheless have checked the access controls and tested for vulnerabilities.
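The missing control in the DARTY case is an object-level authorization check: the ticket id alone selected the record. As an added illustration (not code from the CNIL decision or from the vendor's software), the vulnerable lookup beside its hardened form, plus a simple log check a controller could run to spot id walking; the ticket store, e-mail addresses, client addresses and log format are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: after-sales tickets keyed by a sequential id,
# mirroring the requests.do?id=XXX pattern described in the decision.
@dataclass(frozen=True)
class ServiceRequest:
    ticket_id: int
    owner_email: str
    details: str

TICKETS = {
    101: ServiceRequest(101, "alice@example.com", "fridge not cooling"),
    102: ServiceRequest(102, "bob@example.com", "washer leaks"),
    103: ServiceRequest(103, "carol@example.com", "tv has no signal"),
}

# Constructed access-log lines: "<client> GET <path>".
SAMPLE_LOG = [
    "203.0.113.5 GET /selfdarty/requests.do?id=101",
    "203.0.113.5 GET /selfdarty/requests.do?id=101",
    "198.51.100.7 GET /selfdarty/register.do",
    "198.51.100.7 GET /selfdarty/requests.do?id=101",
    "198.51.100.7 GET /selfdarty/requests.do?id=102",
    "198.51.100.7 GET /selfdarty/requests.do?id=103",
    "198.51.100.7 GET /selfdarty/requests.do?id=104",
]

def lookup_vulnerable(session_email: str, ticket_id: int) -> Optional[ServiceRequest]:
    """The pattern the decision describes: the id selects the record and the
    authenticated user is never compared with the record's owner."""
    return TICKETS.get(ticket_id)

def lookup_hardened(session_email: str, ticket_id: int) -> Optional[ServiceRequest]:
    """Return a ticket only if it exists AND belongs to the authenticated user.
    Unknown and foreign ids both yield None, so a probe learns nothing."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None or ticket.owner_email != session_email:
        return None
    return ticket

def enumeration_suspects(log_lines: list, threshold: int = 3) -> dict:
    """Count distinct ticket ids requested per client. A customer touches a
    few tickets of their own; many distinct ids from one client is the
    enumeration signature worth alerting on."""
    ids_by_client = defaultdict(set)
    for line in log_lines:
        client, _, path = line.split(" ", 2)
        if "requests.do?id=" in path:
            ids_by_client[client].add(path.rsplit("id=", 1)[1])
    return {c: len(ids) for c, ids in ids_by_client.items() if len(ids) >= threshold}
```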


[UK/India] – Health Company Fined by UK’s ICO

  • A subcontractor based in India processed sensitive personal data without adequate data processing / data transfer grounds
  • Lack of a contractual definition of adequate technical and organisational measures in India
  • Sensitive personal data (of high severity) sent via unencrypted e-mail
  • Sensitive personal data on an FTP server without restricted access controls
  • A patient found his/her data via an Internet search

https://www.hldataprotection.com/2017/03/articles/international-eu-privacy/health-company-fined-by-uks-information-commissioner-office/

(from 2015) Rethinking Personal Data Breaches (EU)

So as the world stands still – and waits for GDPR to pass the European Parliament vote in a few days, and just before we are all hit by a wave of audit/certification/consulting firms selling their services – here’s a quick look at Personal Data Breaches.

According to Opinion 03/2014 of the Article 29 Working Party – which back in the day was just an opinion, but now carries quite a bit more weight: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp213_en.pdf

Most people think of a data breach as an event in which data is accessed by an unauthorized person, resold on the darknet, made public by some miscreant, etc.

The Article 29 Working Party took a much more holistic view – and includes loss of integrity and timely accessibility along with the loss of confidentiality.

Opinion 03/2014 gives examples of data breaches and walks the reader through assessing the impact. While the GDPR will provide us with more details and requirements (e.g. to notify within 72 hours), the Opinion does a good job of illustrating the underlying thinking.

So quoting from the Opinion:

Case 1: Four laptop computers were stolen from a “Children’s Healthcare Institute”; they stored sensitive health and social welfare data as well as other personal data concerning 2050 children.

  • Potential consequences and adverse effects of the confidentiality breach:
    The first impact is a breach of medical secrecy: the database contains intimate medical information on the children which are available to unauthorized people. [..]
  • Potential consequences and adverse effects of the availability breach: 
    It may disturb the continuity of children’s treatment leading to aggravation of the disease or a relapse. [..]
  • Potential consequences and adverse effects of the integrity breach:
    The lost data may affect the integrity of the medical records and disrupt the treatments of the children. For example, if only an old back-up of the medical records exists, all changes to the data that were made on the stolen computers will be lost, leading to corruption of the integrity of the data. The use of medical records that are not up-to-date may disrupt the continuity of children’s treatments leading to aggravation of the disease or a relapse. [..]

So the overall paradigm is a bit different from elsewhere. – It will be interesting to see how many changes were made last minute to the GDPR, but assessments like the one above should be commonplace in 2018 and beyond.

(from 2016) – Lessons from living with high privacy fines (Spain)

The GDPR introduces some very high fines for violations, and for many countries in Europe this will be a major change. – In this context, it’s interesting to have a look at Spain, where the Data Protection Authority has already been able to enforce fines of up to 600,000 EUR for several years.

Ricard Martinez of the Spanish Data Protection Association APEP wrote a very interesting article on the challenges that come with high privacy fines.

My key take-aways from his post are:

  • The total annual amount of fines in Spain has been between 15 and 20 million EUR over the last decade.
  • The majority of the sanctioned companies are in the telecommunications, video surveillance, and financial industries. Their relative share stays about the same year by year. – So the high fines do not appear to be a crucial deterrent.
  • The legislator had to modulate the sanctions to balance the impact on small and medium enterprises. – It’s important that the DPAs harmonize around this before the GDPR becomes effective, as the overall effect might otherwise be unfair.
  • The volume of complaints is steadily increasing from year to year. This has an impact on the ability of the DPA to take action: the number of actual infringement findings is staying constant. – Any news on DPA actions seems to increase the volume of complaints further.

There’s much more information in Ricard Martinez’ post, and I encourage you to read more at http://www.phaedra-project.eu/the-challenge-of-the-enforcement-in-the-proposal-for-a-general-data-protection-regulation-2/

GDPR – a headache for Data Protection Authorities

With the General Data Protection Regulation only some days away, it’s not just companies upgrading their privacy management systems – also the Data Protection Authorities are preparing to meet their increased obligations under the new law.

More than a year ago, Prof. Dr. Alexander Roßnagel prepared an expert opinion on the additional workload caused by the GDPR for the German state DPAs (in German): http://suche.transparenz.hamburg.de/dataset/gutachten-zum-zusaetzlichen-arbeitsaufwand-fuer-die-aufsichtsbehoerden-der-laender-durch-d-2017

He estimated that each DPA would need, in addition to its current staff, 12-19 lawyers, 4-5 IT experts, 2 educational and 6 administrative roles. – At the beginning of 2017, the planned staff increase fell far short of this (49 new positions for the federal DPA, and 8 or fewer for each of the states, were planned for 2017). It’s also interesting that he didn’t list separate categories for “privacy managers” or “auditors”. http://www.heise.de/newsticker/meldung/Datenschutzgrundverordnung-bringt-Datenschutzaufsicht-an-Belastungsgrenze-3633498.html

The mechanisms for mutual cooperation between the European DPAs are new and quite complex (Art. 60 – 62), especially as communications might take place in a variety of languages. The consistency mechanism (Art. 63 – 66) might also turn out to be quite demanding. – In situations in which the One-Stop-Shop (OSS) approach cannot be applied, the DPAs will first have to jointly determine their respective responsibilities. It will be very interesting to see how these mechanisms work out.