Tag: Data breach

Patients blackmailed after data breach at Finnish private psychotherapy center

9. November 2020

An unknown party breached Vastaamo, a Finnish private psychotherapy center. They accessed the electronic patient record, gathering thousands of confidential patient records.  According to a message left on a Finnish web-forum, they accessed up to 40 000 confidential records of psychotherapy patients. These include not only confidential information regarding therapy sessions but also personal information, such as the social security number. In Finland, this number allows the user to take on credits or found companies. On September 29th Vastaamo notified the Finnish authorities, while they notified the affected via E-Mail and letter after October 21st.

Though the attack prompted an emergency meeting of the Finnish Cabinet, up until now neither Finnish authorities nor Vastaamo released information regarding the nature of the breach.

The initial breach likely occurred in November 2018, while it is believed, there was a second attack that occurred before March 2019. In September 2020, the hackers contacted Vastaamo, demanding a payment of 40 Bitcoin (€ 450 000,00). Vastaamo refused to pay and instead contacted the police and other Finnish authorities. On instruction by the Finnish National Police, Vastaamo published information regarding the data breach, only after some of the data was published on the Tor Network on October 21st. Furthermore, the Board dismissed former CEO Ville Tapio, claiming he concealed the breach.

Further, in late October, the hackers sent messages to patients and employees of Vastaamo, threatening to post their patient files on the internet and demanding payments in Bitcoin. The national police advised victims not to pay the hacker, and instead asked them to save extortion emails or other evidence and file a police report. Until October 30th, Finland’s national police received up to 15 000 reports of offenses regarding this data-breach.

The National Supervisory Authority for Welfare and Health started an investigation of Vastaamo, while the Social Insurance Institution of Finland stopped referrals to Vastaamo.

Ever since the beginning of the Covid-19 pandemic the healthcare and the public health sectors are attacked more frequently, especially in the form of ransomware. The FBI’s Cyber Security Unit (CISA) and the US Department of Health and Human Services have issued a joint advisory regarding the matter. Adding onto that, according to IBM’s annual Cost of a Data Breach Report, the healthcare sector has the highest average breach cost, at 7.13 million per breach.

Appeal against record fine for GDPR violation in Poland dismissed

22. October 2020

On 10th September 2019 the Polish Data Protection Commissioner imposed a record fine in the amount of more than PLN 2,8 million or the equivalent of € 660.000 on the company Morele.net for violating the implementation of appropriate technical and organisational measures as well as the lack of verifiability of the prior consents to data processing. The Krakow-based company runs various online shops and stores customer data on a central database. According to the Personal Data Protection Office (UODO), there has been 2,2 million customers affected.

Starting point were especially two incidents at the end of 2018, when unauthorised persons got access to the customer database of the company and the contained personal data. The company notified the data breach to the UODO, which accused it particularly of violation of the confidentiality principle (Articles 5 (1) lit. f, 24 (1), 25 (1), 32 (1) lit. b, d, (2) GDPR) by failing to use sufficient technical and organisational measures to safeguard the data of its customers, such as a two-factor authentication. As claimed by the UODO, the selection of the authentication mechanism should always be preceded by an adequate risk analysis with a corresponding determination of protection requirements. The company did not adequately comply with this. However, it should have been sufficiently aware of the phishing risks as the Computer Emergency Response Team (CERT Polska) had already pointed it out.

In addition, the UODO accused the company of violation of the lawfulness, fairness, transparency and accountability principles (Articles 5 (1) lit. a, (2), 6 (1), 7 (1) GDPR) by not being able to prove that (where necessary) the personal data from installment applications had been processed on the basis of consents of data subjects. Furthermore, after a risk analysis, the company deleted the corresponding data from the database in December 2018, but according to the UODO, the deletion was not sufficiently documented.

When assessing the fine, there were many aspects which played a decisive role. Most of all, the extent of the violation (2,2 million customers) and the fact that the company processes personal data professionally in the course of its business activities and therefore has to apply a higher level of security. However, mitigating circumstances were also taken into account, such as the good cooperation with the supervisory authority, no previous ascertainable violations of the GDPR and no identifiable financial advantages for the company.

On 3rd September 2020, the Provincial Administrative Court (WSA) in Warsaw issued a judgment on Morele.net’s appeal against the decision. The WSA dismissed the appeal and considered that the decision on the fine imposed on the company was justified. Furthermore, the WSA stated that the UODO had correctly assessed the facts in the case concerned and considered that the fine imposed was high but within the limits of the law and justified by circumstances. It is expected that the company will lodge a complaint with the Supreme Administrative Court of Poland.

Consequences of the 2017 Equifax Data Breach

16. April 2020

It has been almost two years since the consumer credit reporting agency Equifax suffered a massive Data Breach.

Back in May 2017 Equifax has been hacked, but the operators first noticed the breach much later, at the end of July 2017 and informed the public on the beginning of September 2017.

The disclosure of sensitive data from approximately 143 million, not only US based consumers, was to be feared (we reported).

After the breach Equifax invested $ 200 million on the data security infrastructure and found itself in the middle of class action suits.

Now, two years after the hack, Reuters reports the settlement of a lawsuit in connection with which Equifax pays $ 19.5 million to Indiana and also the Chicago Daily Law Bulletin reports a $ 1.5 million settlement between the city of Chicago and Equifax.

Besides Indiana also Massachusetts filed a lawsuit against Equifax, which is reported to be settled as well – the amount of the settlement is not yet known.

UK: Betting companies had access to millions of data of children

28. January 2020

In the UK, betting companies have gained access to data from 28 million children under 14 and adolescents. The data was stored in a government database and could be used for learning purposes. Access to the platform is granted by the government. A company that was given access is said to have illegally given it to another company, which in turn allowed access for the betting companies. The betting providers used the access, among other things, to check age information online. The company accused of passing on the access denies the allegations, but has not yet made any more specific statements.

The British Department for Education speaks of an unacceptable situation. All access points have been closed and the cooperation has been terminated.

Category: Data Breach · General · UK
Tags: , ,

Germany: Large Data leak reveals Personal Data of more than 3 Million Customers

27. January 2020

The German car rental company Buchbinder is responsible for leaking Personal Data of more than 3 Million customers from all over Europe. The data leak exposed more than 10 Terabyte of sensitive customer data over several weeks without the company noticing it.

A German cybersecurity firm was executing routine network scans when it found the data leak. The firm reported it twice to Buchbinder via e-mail, but did not receive a reply. After that, the cybersecurity firm reported the leak to the Bavarian Data Protection Authority (DPA) and informed the German computer magazine c’t and newspaper DIE ZEIT.

According to c’t, a configuration error of a Backup-Server was the cause of the leak. The Personal Data exposed included customers’ names, private addresses, birth dates, telephone numbers, rental data, bank details, accident reports, legal documents, as well as Buchbinder employees’ e-mails and access data to internal networks.

The data leak is particularly serious because of the vast amount of leaked Personal Data that could easily be abused through Spam e-mails, Fraud, Phishing, or Identity theft. It is therefore likely that the German DPA will impose a GDPR fine on the company in the future.

Buchbinder released a press statement apologising for the data leak and promising to enhance the level of their defense and cybersecurity system.

Fine imposed on the City of Oslo

2. January 2020

The Norwegian data protection authority (datatilsynet) recently imposed a fine of €49,300 on the city of Oslo. The reason for the fine was that the city has kept patient data outside the electronic health record system at the city’s nursing homes/health centres from 2007 to November 2018.

The case became known because the City of Oslo reported a data breach to the Data Protection Authority in November 2018. This report included information that various governmental and private nursing homes/health centres were using work sheets. These contained information about the residents, such as their daily needs and care routines, but also full names and room numbers. The work sheets were stored on the respective intranet of the institution and all employees, including for example cleaning staff, had access to this data.

After the procedure came to the surface, the Nursing Home Agency instructed all nursing homes/health centres to delete the work sheets immediately. Due to the way the data was stored, it is not possible to determine who exactly accessed the data and when, and whether unauthorised persons were among them.

In calculating the amount of the fine, the Data Protection Agency has taken into account that the City of Oslo reported the incident itself and has taken quick steps to delete the data. It was also taken into account that the incident occurred for the most part in the period before the new Data Protection Act (in force since July 2018) came into force and that under the old Data Protection Act the maximum amount of a fine was €100,000.

Berlin commissioner for data protection imposes fine on real estate company

6. November 2019

On October 30th, 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a fine of around 14.5 million euros against the real estate company Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR).

During on-site inspections in June 2017 and March 2019, the supervisory authority determined that the company used an archive system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary. In individual cases, private data of the tenants concerned could therefore be viewed, even though some of them were years old and no longer served the purpose of their original survey. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements.

After the commissioner had made the urgent recommendation to change the archive system in the first test date of 2017, the company was unable to demonstrate either a cleansing of its database nor legal reasons for the continued storage in March 2019, more than one and a half years after the first test date and nine months after the GDPR came into force. Although the enterprise had made preparations for the removal of the found grievances, nevertheless these measures did not lead to a legal state with the storage of personal data. Therefore the imposition of a fine was compelling because of a violation of article 25 Abs. 1 GDPR as well as article 5 GDPR for the period between May 2018 and March 2019.

The starting point for the calculation of fines is, among other things, the previous year’s worldwide sales of the affected companies. According to its annual report for 2018, the annual turnover of Deutsche Wohnen SE exceeded one billion euros. For this reason, the legally prescribed framework for the assessment of fines for the established data protection violation amounted to approximately 28 million euros.

For the concrete determination of the amount of the fine, the commissioner used the legal criteria, taking into account all burdening and relieving aspects. The fact that Deutsche Wohnen SE had deliberately set up the archive structure in question and that the data concerned had been processed in an inadmissible manner over a long period of time had a particularly negative effect. However, the fact that the company had taken initial measures to remedy the illegal situation and had cooperated well with the supervisory authority in formal terms was taken into account as a mitigating factor. Also with regard to the fact that the company was not able to prove any abusive access to the data stored, a fine in the middle range of the prescribed fine framework was appropriate.

In addition to sanctioning this violation, the commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.

The decision on the fine has not yet become final. Deutsche Wohnen SE can lodge an appeal against this decision.

German data protection authorities develop fining concept under GDPR

24. October 2019

In a press release, the German Conference of Data Protection Authorities (Datenschutzkonferenz, “DSK”) announced that it is currently developing a concept for the setting of fines in the event of breaches of the GDPR by companies. The goal is to guarantee a systematic, transparent and comprehensible fine calculation.

The DSK clarifies that this concept has not yet been adopted, but is still in draft stage and will be further worked on. At present it is practiced accompanying with current fine proceedings in order to test it for its practical suitability and aiming accuracy. However, the concrete decisions are nevertheless based on Art. 83 GDPR.

Art. 70 Para. 1 lit. k of the GDPR demands a harmonization of the fine setting within Europe. Therefore guidelines shall be elaborated. For this reason, the DSK draft will be brought into line with the concepts of other EU member states.

Also, at European level a European concept is currently being negotiated. This concept should then be laid down in a guideline, at least in principle. The DSK has also contributed its considerations on the assessment.

The fine concept will be discussed further on 6th and 7th November. After prior examination, a decision will be taken on whether the concept on the setting of fines shall be published.

Category: Data Breach · EU · GDPR
Tags: , , ,

Belgian DPA announces GDPR fine

7. October 2019

The Belgian data protection authority (Gegevensbeschermingsautoriteit) has recently imposed a fine of €10,000 for violating the General Data Protection Regulation (GDPR). The case concerns a Belgian shop that provided the data subject with only one opportunity to get a customer card, namely the  electronic identity card (eID). The eID is a national identification card, which contains several information about the cardholder, so the authority considers that the use of this information without the valid consent of the customer is disproportionate to the service offered.

The Authority had learnt of the case following a complaint from a customer. He was denied a customer card because he did not want to provide his electronic identity card. Instead, he had offered the shop to send his data in writing.

According to the Belgian data protection authority, this action violates the GDPR in several respects. On the one hand, the principle of data minimisation is not respected. This requires that the duration and the quantity of the processed data are limited by the controller to the extent absolutely necessary for the pursued purpose.

In order to create the customer card, the controller has access to all the data stored on the eID, including name, address, a photograph and the barcode associated with the national registration number. The Authority therefore believes that the use of all eID data is disproportionate to the creation of a customer card.

The DPA also considers that there is no valid consent as a legal basis. According to the GDPR, the consent must be freely given, specific and informed. However, there is no voluntary consent in this case, since no other alternative is offered to the customer. If a customer refuses to use his electronic ID card, he will not receive a customer card and will therefore not be able to benefit from the shops’ discounts and advantages.

In view of these violations, the authority has imposed a fine of €10,000.

Category: Belgian DPA · Belgium · GDPR · General
Tags: ,

Data Breach: Millions of patient data available on the Internet

20. September 2019

As reported by the US investment platform ProPublica and the German broadcaster Bayerischer Rundfunk, millions of highly sensitive patient data were discovered freely accessible on the Internet.

Among the data sets are high-resolution X-ray images, breast cancer screenings, CT scans and other medical images. Most of them are provided with personal data such as birth dates, names and information about their doctor and their medical treatment. The data could be found for years on unprotected servers.

In Germany, around 13,000 data records are affected, and more than 16 million worldwide, including more than 5 million patients in the USA.

When X-ray or MRI images of patients are taken, they are stored on “Picture Archiving Communication System” (PACS) servers. If these servers are not sufficiently secured, it is easy to access the data. In 2016, Oleg Pianykh, Professor of Radiology at Harvard Medical School, published a study on unsecured PACS servers. He was able to locate more than 2700 open systems, but the study did not prompt anyone in the industry to act.

The German Federal Ministry for Information Security has now informed authorities in 46 countries. Now it remains to be seen how they will react to the incident.

Pages: Prev 1 2 3 4 5 6 Next
1 2 3 4 5 6