Record breaking GDPR fine imposed in Hungary as a result of a website security vulnerability

The data controller subject to the investigation was Digi Zrt. (Digi), a provider of various electronic communications services and television to more than 800,000 households.

KEY FACTS OF THE CASE

In September 2019, an ethical hacker reported a security vulnerability to Digi. The vulnerability concerned their website running on an popular open source content management platform and in particular two databases. The first was a test database of subscribers, which was created for troubleshooting purposes years before. This database also contained identification data on system administrators, which resulted in additional security risks. The second database contained the name and email addresses of subscribers to Digi’s e-mail newsletter.

The test database contained, i.a., identification data, e-mail addresses, telephone numbers, and bank account numbers. The personal data in the database was not encrypted. The authority concluded that the data could have been used for identity theft.

The NAIH’s enforcement decision does not reveal the exact number of data subjects affected by the incident, as this information was flagged as a trade secret, but it does mention that the vulnerability allowed potential unauthorised access to a large number of data subjects. The decision hints that this figure was significant even in relation to the total Hungarian population.

Digi reported that there were no signs of actual unauthorised access to the data other than access by the ethical hacker. The ethical hacker only downloaded one line from the database to prove the existence of the vulnerability in her report. The authority did not dispute this fact.

The vulnerability was in the open source content management system of Digi’s website. According to the decision, the issue was known and there were patches available for fixing it. Digi also stated these were not part of official patches and this was the reason why these were not deployed on the site.

Digi itself reported the personal data breach to the authority within the 72-hour deadline, and terminated the vulnerability by installing the relevant patch and deleting the test database.

The NAIH conducted an investigation between October 2019 and December 2019. The authority involved an outside IT expert.
The administrative fine of HUF 100 million (approx. EUR 290,000) equals approx. 0.2% of Digi’s annual turnover of the preceding financial year. Digi has the right to appeal the decision.

TAKEAWAYS FROM THE ENFORCEMENT DECISION

• GDPR compliance is not solely a documentation exercise. It is clear from the decision that Digi had robust internal data compliance documentation in place, including bylaws on information security. These theoretically would have been sufficient to avoid the personal data breach. However, it seems that the practical implementation of these bylaws was not sufficient. The conclusions of the decision and the amount of the fine underpin that having policies without actual implementation cannot save data controllers from administrative fines.
  
  
• The decision’s effect on bug bounty programs. It is also clear from the decision that even if there is no actual theft or leak of personal data a serious vulnerability alone can result in a high administrative fine. The authority did not dispute that there were no signs of data theft or any unauthorised access to the data. Based on the reported facts the ethical hacker only accessed one line of the database to prove the existence of the vulnerability in her report sent to Digi. However, the authority did not take this into account as a mitigating factor when imposing the fine. The decision does not indicate that Digi had a bug bounty program in place, which means that the ethical hacker acted on her own initiative. Nevertheless, it remains unclear whether the existence of an official bug bounty program would have made any difference.
  
  
• Operators of highly visited, customer facing websites must implement strict technical and organisational measures to ensure a level of security compliant with the GDPR. The NAIH clarified in its decision that for highly visited, customer facing websites the operator needs to apply a higher security standard. Digi stressed that the patches, which were available, were not part of official updates to the open source content management platform. Nevertheless, the NAIH found that Digi breached its obligation by not identifying the vulnerability taking into account the fact that the website is frequently used by customers, the state of the art, and the costs of implementing a sufficient system to avoid such vulnerability.
  
  
• Proper processing and reporting the data breach to the supervisory authority was not a mitigating factor. It seems that the NAIH does not consider the timely reporting of the breach and full cooperation with the authority as a mitigating factor when it determines the amount of the fine. According the enforcement decision, complying with the provisions of the GDPR on incident reporting cannot be considered as a mitigating factor in itself. On the one hand, other data controllers might consider not reporting incidents proactively. On the other hand, if the supervisory authority discovers the incident then it is highly likely that this factor will be among the first items on the list of aggravating circumstances.

Bird & Bird did not advise Digi in the subject matter. This report is based on publicly available information.