Tag: Germany

Germany Update: Covid-19 Tracing App launched in mid June

18. June 2020

On June 16th, 2020, Germany introduced its new COVID-19 tracing app, called “Corona-Warn-App”, and released it for download. Within the first day, over six million citizens downloaded the app, and the government hopes to see the number increase so that the method becomes more effective.

Because it was an Open Source project from the start, giving unhindered access to the programming code, safety and data protection issues could be worked on throughout the seven weeks of its development, and the entire process was kept transparent to future users.

Overall, the first impressions on the side of data protection have been good, with the Federal Data Protection Officer (Bundesdatenschutzbeauftragter) Ulrich Kelber stating to the Saarbrückener Zeitung that the app “gives a solid impression”, but he would like to “have seen a Data Protection Impact Assessment before the launch”.

The data protection aspects

The German contact tracing app claims to put the highest importance on data protection and on transparency, so that users know what happens with their data.

Upon download, the app offers the chance to read through a thorough privacy policy, giving the user all the information necessary to understand and consent to the use of their data. In effect, the personal data collected and stored remains minimal: the consent to the usage of the Exposure Notification Framework, TANs for testing verification, as well as consent for a daily upload of the diagnostics key, which is only stored for 14 days.

The app, developed by SAP and Telekom, uses Bluetooth technology to judge exposure based on two criteria: the distance between two smartphones and the duration of the encounter. If the threshold requirements of those two criteria are met, the phones exchange random key codes, which are stored for 14 days on the devices and checked there against positive test results. The app will then tell you whether your exposure is low or high risk, and will give you suggestions on how to act based on that level of risk. Due to this procedure, there is no need to collect personal information regarding the identity of the person. In particular, the notification in case of exposure is not in real time, making it impossible to reliably identify the coronavirus-positive person that has been encountered.

Furthermore, the app not only puts an emphasis on anonymity, but also on voluntariness. Whether and how to use the app is entirely up to the user. The user may disable the Exposure Notification Framework, and decide for themselves whether they want to share the results of a test with the app. This comes, of course, with limitations to the effectiveness of the app, but it gives users more control over the data they share.

One of the current deficits is that due to the lack of hardware systems, the testing laboratories cannot verify the test results through the users scanning a QR-code, as originally planned. However, in the meantime, a notification hotline has been set up, although this raises data protection concerns due to the fact that it could be taken advantage of or abused.

Lastly, one of the big data protection aspects, which has caused a big stir in the cases of the tracing apps, is the storage of the information. The Corona-Warn-App stores the data of the users in a decentralized manner, which means that there is no direct upload to a cloud, but instead the entire process happens on the users’ devices. This shields from potential misuse of the data by parties involved in the development as well as the government, and was recommended by the European Parliament and the European Data Protection Board as the safer storage option for these types of contact tracing apps.

Overview

While the app is only in its first few days of launch, it has received a lot of praise for the way it handles the different problems with data protection and IT security. It remains to be seen if the necessary 60% of citizens using the contact tracing app can be mobilized in order to ensure maximum effectiveness.

Future plans involve cross border cooperation with different countries and their own contact tracing apps in order to ensure the practicability and effectiveness of these apps, as the containment of the pandemic is an international venture.

Overall, the Corona-Warn-App seems to be a decent development despite its hurried creation period. However, at this point it is only the beginning of the contact tracing app, and it remains to be seen how the developers incorporate fixes for upcoming problems.

Germany: Large Data leak reveals Personal Data of more than 3 Million Customers

27. January 2020

The German car rental company Buchbinder is responsible for leaking Personal Data of more than 3 Million customers from all over Europe. The data leak exposed more than 10 Terabytes of sensitive customer data over several weeks without the company noticing it.

A German cybersecurity firm was executing routine network scans when it found the data leak. The firm reported it twice to Buchbinder via e-mail, but did not receive a reply. After that, the cybersecurity firm reported the leak to the Bavarian Data Protection Authority (DPA) and informed the German computer magazine c’t and newspaper DIE ZEIT.

According to c’t, a configuration error of a Backup-Server was the cause of the leak. The Personal Data exposed included customers’ names, private addresses, birth dates, telephone numbers, rental data, bank details, accident reports, legal documents, as well as Buchbinder employees’ e-mails and access data to internal networks.

The data leak is particularly serious because of the vast amount of leaked Personal Data that could easily be abused through Spam e-mails, Fraud, Phishing, or Identity theft. It is therefore likely that the German DPA will impose a GDPR fine on the company in the future.

Buchbinder released a press statement apologising for the data leak and promising to enhance the level of their defense and cybersecurity system.

Germany: Telecommunications provider receives a 9.5 Million Euro GDPR fine

16. December 2019

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of 9.55 Million Euro on the major telecommunication services provider 1&1 Telecom GmbH (1&1). This is the second multimillion Euro fine that the Data Protection Authorities in Germany have imposed. The first fine of this magnitude (14.5 Million Euro) was imposed last month on a real estate company.

According to the BfDI, the reason for the fine for 1&1 was an inadequate authentication procedure within the company’s customer service department: any caller to 1&1’s customer service could obtain extensive information on personal customer data simply by providing a customer’s name and date of birth. The particular case that was brought to the Data Protection Authority’s attention was based on a caller’s request for the new mobile phone number of an ex-partner.

The BfDI found that this authentication procedure stands in violation of Art. 32 GDPR, which sets out a company’s obligation to take appropriate technical and organisational measures to systematically protect the processing of personal data.

After the BfDI had pointed 1&1 to their deficient procedure, the company cooperated with the authorities. In a first step, the company changed their two-factor authentication procedure to a three step authentication procedure in their customer service department. Furthermore, they are working on a new enhanced authentication system in which each customer will receive a personal service PIN.

In his statement, the BfDI explained that the fine was necessary because the violation posed a risk to the personal data of all customers of 1&1. But because of the company’s cooperation with the authorities, the BfDI set the fine at the lower end of the scale.

1&1 has deemed the fine “absolutely disproportionate” and has announced that it will file a suit against the penalty notice by the BfDI.

Berlin commissioner for data protection imposes fine on real estate company

6. November 2019

On October 30th, 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a fine of around 14.5 million euros against the real estate company Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR).

During on-site inspections in June 2017 and March 2019, the supervisory authority determined that the company used an archive system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary. In individual cases, private data of the tenants concerned could therefore be viewed, even though some of them were years old and no longer served the purpose for which they were originally collected. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements.

After the commissioner had made the urgent recommendation to change the archive system at the first inspection in 2017, the company was unable to demonstrate either a cleansing of its database or legal reasons for the continued storage in March 2019, more than one and a half years after the first inspection and nine months after the GDPR came into force. Although the company had made preparations to remedy the deficiencies found, these measures did not bring the storage of personal data into a lawful state. The imposition of a fine was therefore compelling because of a violation of Article 25(1) GDPR as well as Article 5 GDPR for the period between May 2018 and March 2019.

The starting point for the calculation of fines is, among other things, the previous year’s worldwide sales of the affected companies. According to its annual report for 2018, the annual turnover of Deutsche Wohnen SE exceeded one billion euros. For this reason, the legally prescribed framework for the assessment of fines for the established data protection violation amounted to approximately 28 million euros.

For the concrete determination of the amount of the fine, the commissioner used the legal criteria, taking into account all aggravating and mitigating aspects. The fact that Deutsche Wohnen SE had deliberately set up the archive structure in question and that the data concerned had been processed in an inadmissible manner over a long period of time had a particularly negative effect. However, the fact that the company had taken initial measures to remedy the illegal situation and had cooperated well with the supervisory authority in formal terms was taken into account as a mitigating factor. Also in view of the fact that no abusive access to the stored data could be proven, a fine in the middle range of the prescribed fine framework was appropriate.

In addition to sanctioning this violation, the commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.

The decision on the fine has not yet become final. Deutsche Wohnen SE can lodge an appeal against this decision.

Data Incident at H&M in Germany

28. October 2019

According to a report in the ‘Frankfurter Allgemeine Zeitung’ (FAZ), personal data of H&M employees working in the customer center of H&M in Nuremberg were leaked to other H&M employees who should not have had access to this kind of data.

The personal data concerned resulted from personnel interviews between employees and managers. The managers stored the personal information, inter alia health data and information on the private life of employees, in files which should have been accessible only to managers. According to the report, however, other H&M employees besides the managers could also access the files and thus the confidential employee data.

Several hundred employees work at the customer center in Nuremberg. They were informed about the data incident by the board of H&M on Wednesday last week, October 23rd 2019. On the following day the board announced that everything stored in the files had been deleted and that measures had been taken to ensure data security. Additionally, the data protection officer of H&M in Nuremberg as well as the competent data protection authority were notified about the data incident.

Category: Data breach · GDPR

Germany: Data of smart home devices as evidence in court?!

11. June 2019

According to a draft resolution for the upcoming conference of interior ministers of the 16 German federal states, data from smart home devices are to be admitted as evidence in court. The ministers of the federal states believe that the digital traces could help to solve crimes in the future, especially capital crimes and terrorist threats.

The interior ministers want to remove constitutional concerns, because the mentioned data is of great interest for the security authorities. According to the draft resolution, judicial approval will be sufficient in the future. However, domestic politicians expect criticism and resistance from the data protection commissioners of both the federal states and the federal government.

Smart home devices are technical devices such as televisions, refrigerators or voice assistants that are connected to the Internet. They are also summarized under the term Internet of Things (IoT), can be controlled via the smartphone and make daily life easier for the user. In the process, a large amount of data is stored and processed.

We have already reported several times about smart home devices, including the fact that in the USA data from smart home devices have already helped to solve crimes (in German).

It cannot be denied that data from smart home devices can (under certain circumstances) help to solve crimes, but it must not be neglected that, due to the technical design, a 100% reliable statement cannot be made. A simple example is this: whether the landlord was actually at home at the time in question or still on his way home, or just wanted to give the impression that he was at home while in fact on the other side of the world, cannot be determined on the basis of data from smart home devices. For example, the ability to use the smartphone to control the light/heat management allows the user to control it from anywhere at any time.

In addition, it should be taken into consideration that such interventions, or the mere possibility of intervention, may violate a person’s right to informational self-determination, and it is precisely the protection of this constitutionally protected right that data protection is committed to.

Update: The 210th Conference of the interior ministers has come to an end in the meantime and the approval of smart home data as evidence in court has been rejected. The resolutions of the conference can be found here (in German).

Massive data attack targeting hundreds of German politicians and celebrities

8. January 2019

Following the hacker attack on hundreds of politicians and celebrities, investigators arrested a 20-year-old suspect today. The suspect’s apartment was searched and he was taken into custody. This was reported by the central agency of the attorney general in Frankfurt am Main (Zentralstelle zur Bekämpfung der Internetkriminalität der Generalstaatsanwaltschaft Frankfurt am Main) and the Federal Criminal Police Office (BKA).

On January 7, prior to the arrest, the household of a 19-year-old IT worker, who is being treated as a witness, was searched and technical equipment was confiscated. He claimed that he knows the hacker.

On Friday, January 4, Germany’s Federal Office for IT Safety (BSI) revealed that it was investigating a data leak concerning hundreds of German politicians, journalists and celebrities published on the platform Twitter. The authorities were working together with the Irish Data Protection Commissioner to stop the spreading of the affected data. The hack targeted all of Germany’s political parties represented in the federal parliament at the moment, except for the far-right Alternative for Germany (AfD).

The data was published via a Twitter account, followed by more than 17,000 people at the time, in the style of an advent calendar over the course of December 2018. It included mobile phone numbers, contact info and private chats. Furthermore, ID cards as well as banking and financial details, for example credit card details, were leaked.

Presumed hacker attack on German politicians

22. September 2016

This week, heise-online reported that, after last year’s attack on the German Parliament, the offices of several members of Parliament as well as their employees were targeted again in a new attack on the 15th and 24th of August this year.

Emails containing malware were sent to the respective politicians. The emails were supposedly sent by Heinrich Krammer, working for the NATO headquarters.

The German Federal Office for Information Security (BSI) stated that the attacks probably originated from Russia. The BSI believes that the attacks might be linked to the hacking of private emails from Hillary Clinton’s campaign team in the US earlier this year.

The BSI assumes that the hackers might have been looking for potentially damaging information which could be released a few weeks before elections next year in an attempt to influence the result.

 

Category: Data breach · USA