epicenter.works discovered a data leak at the Austrian Federal Ministry for Digital and Economic Affairs (BMDW). They report that the BMDW published the addresses of more than a million individuals on http://www.ersb.gv.at/. The site has since been taken offline.
What kind of data was processed?
In 2009 the Austrian government introduced the “Bürgerkarte” (citizen card) as a means of automating eGovernment. As part of this programme, every individual and every legal entity needs a unique ID. For individuals, these IDs are mapped to the register of residents and to an auxiliary register for non-residents (Ergänzungsregister natürliche Personen, ERnP). This data is well protected and every access is logged, as the law requires. For organisations, the ID is mapped to the public commercial register, the public register of associations and a second auxiliary register (Ergänzungsregister für sonstige Betroffene, ERsB).
The auxiliary register ERsB is supposed to hold only data that is not stored in any of the other registers mentioned above. Practically no Austrian citizen should appear in it (except in very special circumstances, at their own request). The BMDW website suggests this register for churches, communities and working groups. The law (Ergänzungsregisterverordnung 2009, § 14) requires the ERsB to be provided as a public internet service.
Was it legal to publish personal data on the ERsB portal?
It is legal, and intended, to give the general public access to this register. The problem is that the portal delivered data that should never have been stored in this system in the first place.
epicenter.works published redacted extracts from the ERsB, including an entry for our Federal President. Since the President is a citizen, his data should definitely not be in this register, and certainly not together with his private address. We noticed that the unexpected data was published by the Federal Ministry of Finance.
The law (Ergänzungsregisterverordnung 2009, § 10) allows data to be entered in this register only
- if the person concerned requests it themselves,
- for institutions, which may register themselves and their proxies,
- for a public body that needs the entry for one of its own processing activities.
How did the data leak in the Austrian Federal Ministry happen?
It appears that the Ministry of Finance wrote data to the register without realising that everything in this register is published automatically. Individuals living in Austria should never be in the ERsB, since they are already held in the register of residents.
We assume that a bug in one of the Ministry of Finance's applications synchronised data with the wrong register. The two auxiliary registers (ERsB and ERnP) are easy to mix up.
What can we learn from this incident?
This incident shows how a correctly working system can set off a huge scandal when a tiny mistake in another system feeds it the wrong data. It is easy to overlook that software is creating entries in the wrong register while everything appears to be working as expected. It also seems that the DPIA was not thorough enough to discover the risk of having two very similar auxiliary registers, only one of which is public.
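The lesson above, and the suspected sync mix-up described in the previous section, come down to one missing control: the job that writes to a register never checked, at the publication boundary, whether the record was even allowed to be in a public register. The following Python is an added illustration written for this post, not code from the BMDW, the Ministry of Finance or epicenter.works. The record layout, the routing functions and the sample records are all constructed assumptions; only the rule they enforce (a natural person may end up in the public ERsB solely at their own request, § 10) is taken from the text.

```python
"""Routing guard for a register synchronisation job (illustrative, hypothetical).

Models the registers named in the post: the register of residents (restricted,
access logged), the ERnP (auxiliary register for natural persons not resident
in Austria, restricted) and the ERsB (auxiliary register for other entities,
published on the internet). The data model and APIs are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class Register(str, Enum):
    RESIDENTS = "register of residents"  # restricted, every access logged
    ERNP = "ERnP"                        # natural persons not in the residents register
    ERSB = "ERsB"                        # other entities; public internet service (§ 14)


@dataclass
class Record:
    subject_id: str
    name: str
    address: str
    natural_person: bool
    resident: bool                 # already held in the register of residents
    requested_ersb: bool = False   # § 10: the person asked to be listed in the ERsB


class RoutingError(Exception):
    """A record is about to land in a register it must not be in."""


def route(rec: Record) -> Register:
    """Intended routing as the post describes it."""
    if not rec.natural_person:
        return Register.ERSB
    if rec.resident:
        return Register.RESIDENTS
    return Register.ERSB if rec.requested_ersb else Register.ERNP


def buggy_route(rec: Record) -> Register:
    """Hypothetical defect of the kind the post suspects: the two auxiliary
    registers are confused and every natural person the job handles itself
    is written to the public ERsB."""
    if not rec.natural_person:
        return Register.ERSB
    return Register.ERSB  # should be RESIDENTS / ERnP depending on the record


def publish_guard(rec: Record, target: Register) -> None:
    """Invariant checked at the publication boundary, independent of routing:
    the ERsB is public, so a natural person may only be written there on
    their own request. Everything else is rejected before it is published."""
    if target is Register.ERSB and rec.natural_person and not rec.requested_ersb:
        raise RoutingError(
            f"{rec.subject_id}: natural person would be published in the ERsB"
        )


@dataclass
class SyncResult:
    written: Dict[Register, List[str]] = field(
        default_factory=lambda: {r: [] for r in Register}
    )
    rejected: List[str] = field(default_factory=list)


def sync(
    records: List[Record],
    router: Callable[[Record], Register],
    guard: Callable[[Record, Register], None] = publish_guard,
) -> SyncResult:
    """Run every record through the router, then through the guard. Records the
    guard rejects are kept for review instead of being written anywhere."""
    result = SyncResult()
    for rec in records:
        target = router(rec)
        try:
            guard(rec, target)
        except RoutingError as err:
            result.rejected.append(str(err))
            continue
        result.written[target].append(rec.subject_id)
    return result


# Constructed sample records; names and addresses are placeholders.
SAMPLE = [
    Record("org-1", "Example parish", "Example St 1, Vienna", natural_person=False, resident=False),
    Record("np-1", "Resident natural person", "Example St 2, Vienna", natural_person=True, resident=True),
    Record("np-2", "Non-resident natural person", "Example St 3, Munich", natural_person=True, resident=False),
    Record("np-3", "Non-resident who asked to be listed", "Example St 4, Zurich",
           natural_person=True, resident=False, requested_ersb=True),
]

if __name__ == "__main__":
    for label, router in (("correct routing", route), ("buggy routing", buggy_route)):
        res = sync(SAMPLE, router)
        print(label, {r.value: ids for r, ids in res.written.items()}, "rejected:", res.rejected)
```

With the correct router nothing is rejected and the ERsB receives only the parish and the person who asked to be listed. With the buggy router the two natural persons that would have been published are stopped by the guard and land in the rejected list for review, which is exactly the check that, according to the post, was missing between the Ministry's application and the public register.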
If you live in Austria, we suggest filing a GDPR right of access request with the Ministry of Finance to find out whether your data was affected as well.
Schindler IT Solutions GmbH developed easyGDPR, a governance platform that simplifies GDPR management, automates subject access requests and analyses unstructured data.