Since the GDPR became applicable in 2018, the Hungarian Data Protection Authority (NAIH) has seemed reluctant to impose high administrative fines. Until now the highest fine amount was approx. EUR 87,000. That changed recently when the NAIH imposed a fine of approx. EUR 290,000 on an electronic communications provider. The reason for this was a known vulnerability in the provider's website which was not fixed for years and allowed an ethical hacker to access, i.a., a test database created several years earlier containing various categories of personal data of subscribers.
The data controller subject to the investigation was Digi Zrt. (Digi), a provider of various electronic communications services and television to more than 800,000 households.
KEY FACTS OF THE CASE
In September 2019, an ethical hacker reported a security vulnerability to Digi. The vulnerability concerned their website, which was running on a popular open source content management platform, and in particular two databases. The first was a test database of subscribers, which had been created for troubleshooting purposes years before. This database also contained identification data on system administrators, which resulted in additional security risks. The second database contained the names and email addresses of subscribers to Digi’s e-mail newsletter.
The test database contained, i.a., identification data, e-mail addresses, telephone numbers, and bank account numbers. The personal data in the database was not encrypted. The authority concluded that the data could have been used for identity theft.
The NAIH’s enforcement decision does not reveal the exact number of data subjects affected by the incident, as this information was flagged as a trade secret, but it does mention that the vulnerability allowed potential unauthorised access to a large number of data subjects. The decision hints that this figure was significant even in relation to the total Hungarian population.
Digi reported that there were no signs of actual unauthorised access to the data other than access by the ethical hacker. The ethical hacker only downloaded one line from the database to prove the existence of the vulnerability in her report. The authority did not dispute this fact.
The vulnerability was in the open source content management system of Digi’s website. According to the decision, the issue was known and patches were available to fix it. Digi stated, however, that these patches were not part of the official patch releases, which was why they had not been deployed on the site.
Digi itself reported the personal data breach to the authority within the 72-hour deadline, and remediated the vulnerability by installing the relevant patch and deleting the test database.
The NAIH conducted an investigation between October 2019 and December 2019. The authority involved an outside IT expert.
The administrative fine of HUF 100 million (approx. EUR 290,000) equals approx. 0.2% of Digi’s annual turnover of the preceding financial year. Digi has the right to appeal the decision.
TAKEAWAYS FROM THE ENFORCEMENT DECISION
Bird & Bird did not advise Digi in the subject matter. This report is based on publicly available information.