Hungarian data protection authority fines telco EUR 287,000 for breaches


The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) imposed a data protection fine of HUF 100 million (EUR 287,000) on a Hungarian telco company for an IT security breach and allowing unauthorised access to the personal data of customers.

In addition to the fine, the NAIH ordered the company to review its databases containing personal data, determine whether encryption is justified to secure them, and report the results of the review to the NAIH.

Background

The company created a large test database of customer and subscriber data for troubleshooting purposes, but failed to delete it once the underlying errors were corrected and the database was no longer needed.

A white-hat hacker accessed the test database through the company website and obtained customers' personal data, which included: name, birth name, mother's name, place and date of birth, address, ID card number, personal ID number, e-mail address, mobile phone number, landline number, bank account number, telecom contract data, and data relating to the services used. By exploiting the discovered vulnerability, the hacker was also able to reach another database used for direct-marketing purposes, which contained subscriber newsletter data and system administrator data; the latter in turn provided access to the website interface.

The hacker informed the company of the breach and the vulnerability of its systems.

The NAIH found after an investigation that the company did not apply appropriate technical and organisational measures proportionate to the risks because:

  • The vulnerability in the company's open-source content management system had been known for more than nine years and was listed on the software developer's official website together with the method for repairing it.
  • Although no official patch for the error had been released, an unofficial fix was publicly available to anyone, free of charge.
  • Storing sensitive data in plain text in the database constitutes a high-severity security issue, which can be eliminated by applying appropriate encryption.

The NAIH also established that the test database contained enough personal data to expose customers to identity theft or misuse of identity. In addition, the information reachable through the system administrator data left customers open both to identity theft and to unlawful access to even more personal data.

Takeaways

As a result of this telco's experience, the following conclusions can be drawn:

  • Companies must carry out preliminary risk assessments, provide for regular inspections of the systems they use, and identify security vulnerabilities and the fixes available for them. Encryption is highly recommended.
  • Companies whose websites are publicly available on the internet and visited by large numbers of customers should be prepared for potential vulnerabilities.

For more information on data protection issues in Hungary, contact your regular CMS advisor or local CMS experts.