The Data Protection Authority has imposed an administrative fine of ISK 3,500,000 on InfoMentor ehf. for a security breach in the Mentor web system in February 2019. Because of flaws in the system, two parties, one in Ireland and the other in Sweden, were able to access the ID numbers and images (avatars) of a total of 424 children without authorization.
The weak point was that the six-digit system number assigned to each student was visible in the URL of a specific page in the Mentor system, and the personal data held under that number could be accessed simply by changing the number in the URL. No check was made that the logged-in user had any legitimate relationship to the student whose number was requested.
InfoMentor ehf. has admitted that, because of human error, the correction of the weakness was not completed even though instructions to that effect had been given. A fix had already been developed, but it was not deployed to the system until the company became aware of the security breach.
The Authority considered that the security breach could have been prevented by adequate follow-up and testing of the security measures.
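The flaw described above is an insecure direct object reference: the server treats an identifier taken from the URL as proof of entitlement and returns whatever record it names. The following is an added example, not InfoMentor's code and not the Mentor system: a minimal Python model of such a handler, the hardened form that checks the requester's relationship to the student before returning anything, and an enumeration routine that doubles as the kind of regression test whose absence the Authority criticised. All names, roles, identifiers and records are constructed for illustration.

```python
"""Added example (not the Mentor system's code): a URL-number lookup with
no authorization check, the hardened equivalent, and an enumeration test.
Every record, user and number below is constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Student:
    system_number: str   # six-digit number that appeared in the page URL
    national_id: str     # constructed identifier, not a real kennitala
    avatar_url: str


@dataclass
class User:
    username: str
    role: str                          # "guardian" or "staff" (assumed roles)
    school_id: str
    linked_students: set = field(default_factory=set)


# Constructed sample data standing in for the application database.
STUDENTS = {
    "123456": Student("123456", "010110-0000", "/avatars/123456.png"),
    "123457": Student("123457", "020211-0000", "/avatars/123457.png"),
    "654321": Student("654321", "030312-0000", "/avatars/654321.png"),
}
STUDENT_SCHOOL = {"123456": "schoolA", "123457": "schoolA", "654321": "schoolB"}


class Forbidden(Exception):
    """Raised when the requester may not see the requested record."""


def student_page_vulnerable(user: User, system_number: str) -> dict:
    """Look the record up by the number taken from the URL and return it.
    The caller is authenticated (a User exists) but never authorized, so any
    logged-in user can walk /student/123450, /student/123451, ... and collect
    every record that exists."""
    student = STUDENTS.get(system_number)
    if student is None:
        raise KeyError(system_number)
    return {"national_id": student.national_id, "avatar": student.avatar_url}


def may_view(user: User, system_number: str) -> bool:
    """Server-side entitlement rule (assumed): guardians see only students
    linked to their account, staff see only students at their own school."""
    if user.role == "guardian":
        return system_number in user.linked_students
    if user.role == "staff":
        return STUDENT_SCHOOL.get(system_number) == user.school_id
    return False


def student_page_hardened(user: User, system_number: str) -> dict:
    """Same lookup, but the URL value is treated as untrusted input: it is
    validated, and the requester's relationship to the student is checked
    before any data is read or returned."""
    if not (system_number.isdigit() and len(system_number) == 6):
        raise ValueError("malformed system number")
    # Entitlement is checked before existence, and both failures raise the
    # same exception, so an enumerating client cannot tell "not yours" from
    # "does not exist" and learns nothing about which numbers are valid.
    if not may_view(user, system_number):
        raise Forbidden(system_number)
    student = STUDENTS.get(system_number)
    if student is None:
        raise Forbidden(system_number)
    return {"national_id": student.national_id, "avatar": student.avatar_url}


def enumerate_ids(handler, user: User, start: int, count: int) -> int:
    """Simulate the attack: request `count` consecutive six-digit numbers
    through `handler` as `user` and count how many records come back.
    Run against the hardened handler, this is a regression test that would
    have shown whether the fix was actually deployed."""
    leaked = 0
    for n in range(start, start + count):
        try:
            handler(user, f"{n:06d}")
            leaked += 1
        except (KeyError, Forbidden, ValueError):
            pass
    return leaked


if __name__ == "__main__":
    guardian = User("parent1", "guardian", "schoolA", {"123456"})
    print(enumerate_ids(student_page_vulnerable, guardian, 123450, 10))  # 2
    print(enumerate_ids(student_page_hardened, guardian, 123450, 10))    # 1
```

The point of `enumerate_ids` is that the check lives in the test suite, not only in the handler: a fix that exists in a branch but has not been deployed still fails this test against the running system, which is exactly the follow-up gap the Authority identified.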
The Authority concluded that InfoMentor ehf. did not ensure the security of personal data in the Mentor system as required by point (b) of Article 32(1) of Regulation (EU) 2016/679, cf. Article 27(1) of Act No. 90/2018 on Data Protection and the Processing of Personal Data, cf. also point 6 of Article 8(1) of the Act and point (f) of Article 5(1) of the Regulation.
InfoMentor ehf. also failed to ensure adequate security of the personal data of the data subjects affected by the breach when, in several cases, the company sent the ID numbers of the persons concerned to the wrong school and the wrong data protection officer. InfoMentor ehf.'s processing of the personal data of the persons concerned in this regard was therefore not in accordance with point 6 of Article 8(1) of Act No. 90/2018, cf. point (f) of Article 5(1) of the Regulation.
In deciding on the administrative fine, the Authority took particular account of the number of data subjects who had been affected by the security breach, and of the number who could have been affected given the number of Mentor users. It was also of great importance that the data concerned children, who enjoy special protection under Act No. 90/2018 and the Regulation.
The Data Protection Authority further considered that greater demands could be made of InfoMentor ehf. as a data controller, given that the company's main activity is the development and operation of a web system specifically intended for the processing of personal data about minors.
On the other hand, there were no indications that the data subjects had suffered damage as a result of the security breach, and InfoMentor ehf. provided data demonstrating the various measures the company had taken with the aim of ensuring the security of personal data in the Mentor system.
The administrative fine was therefore deemed to be appropriately set at ISK 3,500,000.
Since the security breach affected a data subject in Sweden, the Data Protection Authority notified the data protection authorities within the European Economic Area of the matter.
The Data Protection Authority was considered to be the lead supervisory authority within the meaning of Regulation (EU) 2016/679, and the Swedish supervisory authority, Integritetsskyddsmyndigheten (formerly Datainspektionen), a supervisory authority concerned. Pursuant to Article 60 of the Regulation, the Data Protection Authority sent a draft decision to the Swedish supervisory authority.
No comments were received, and the decision is therefore also binding on Integritetsskyddsmyndigheten, cf. Article 60(6) of the Regulation. It should be noted that this is the Data Protection Authority's first decision on cross-border processing of personal data since the entry into force of the Regulation and Act No. 90/2018.