The Hungarian Data Protection Authority (NAIH) recently concluded investigations into two cases of data breaches, which resulted in nation-wide recommendations on encryption technology, password settings, risk assessment criteria and breach mitigation measures.
Encryption, passwords and risk assessment
The NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and the affected individuals about a data breach, and for failing to document the breach as required by GDPR Article 33(5). As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65% of its anticipated turnover for the coming year.
The breach was the result of a cyber-attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation's system – a database of more than 6,000 individuals – together with the command used for the attack. The system was vulnerable because of a redirection problem with the organisation's webpage. After the attacker published the command, even people with little IT knowledge were able to retrieve information from the database.
Although this case concerned a political party, the NAIH's findings contain useful takeaways for all companies, such as:
- The encryption technology used for a database and its passwords should offer a sufficient level of protection against malicious decryption techniques. In this case, the NAIH found the MD5 algorithm to be inadequate.
- Companies should be aware that data breaches pose risks to individuals' rights and freedoms (even if the compromised information is out of date or part of a test database), and that the disclosure of users' identification data (e.g. names, e-mail addresses, usernames, passwords) poses a high risk to them.
- Companies should use password complexity validation algorithms, which prescribe a minimum password length and the use of special characters. In this case, the NAIH found passwords that consisted only of lower-case characters.
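The two technical takeaways above, as an added example that is not part of the eAlert or of any NAIH guidance: a password policy check of the kind the NAIH recommends (minimum length plus character classes), and a side-by-side of storing an unsalted MD5 digest, the scheme found inadequate, against a salted, memory-hard key derivation. Function names, the 12-character minimum and the scrypt parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import string

# Assumed policy threshold; the NAIH did not publish a specific number.
MIN_LENGTH = 12

def check_password_policy(password: str) -> list:
    """Return the policy rules the password fails (empty list if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems

def md5_store(password: str) -> str:
    """The inadequate scheme: a fast, unsalted MD5 digest of the raw password.
    Every user with the same password gets the same digest, and the digest
    is cheap to precompute, which is why the NAIH found it insufficient."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_store(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash stored as 'scrypt$<salt hex>$<digest hex>'.
    A fresh 16-byte salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"

def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # Constructed sample: a lower-case-only password like those the NAIH found.
    print(check_password_policy("alllowercase"))
    print(md5_store("alllowercase") == md5_store("alllowercase"))  # same digest for two users
    print(scrypt_store("alllowercase") == scrypt_store("alllowercase"))  # different salts
```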
How to avoid breaches
In another case, a journalist using an online vehicle information platform to access data such as the manufacturing year, mileage and engine type of cars discovered that users were also able to access the personal data of a vehicle's previous owners. The data included names, birth data, mothers' names and, in some cases, home addresses. In addition, some technical-inspection photos uploaded to the platform contained images of third parties. These two types of breach affected up to 11,000 people.
The governmental agency responsible for operating the platform argued that the affected data constituted only 0.0158% of the total information processed through its system, and that any risk to individuals was low. As a result, the agency notified only the NAIH of the breach, but did not alert individuals compromised by the breach.
After investigating the breach, the NAIH disagreed with this assessment, stating that unlawful access to this information could have resulted in damaging identity theft. As a result, the NAIH ordered the agency to notify all affected individuals of the breach and to advise other users to delete any personal information on the platform that had been unlawfully accessed.
The NAIH, however, did not impose a fine because it found that the agency took the following measures to mitigate the breach:
- modified data access settings;
- prepared an internal guidance for employees taking photos of vehicles to avoid including third party images; and
- created an e-mail hotline for complaints.
Because these measures were judged to have adequately mitigated the breach, companies are advised to implement the same actions if faced with a similar problem. For more information on this eAlert, please contact one of the following local CMS experts.