Penalty against Life at Parliament View Limited
A British company called Life at Parliament View Limited (LVPL) was ordered to pay a fine of £80,000 (about €90,000).
Background information
The company operates in the field of rental, real estate sales and property management. In the course of these activities, data should be forwarded to a partner organization. For this purpose, the company has used an FTP server. The partner organizations were able to retrieve (download) the required data via this.
Originally, this FTP server was used to transfer photographs of real estate. For the new data transmission, the purpose was changed. The server was configured using guides from the Microsoft homepage. However, LVPL forgot to disable anonymous authentication. Therefore, any user with the username “anonymous” and no password could log in to the server and browse the folders. Many FTP programs perform this login attempt automatically, which is why the files were de facto available unsecured on the Internet.
The following information was contained in the 18,610 records:
- First and last name
- E-Mail Adresse
- Phone numbers
- Postal address (current and previous)
- Date of birth
- Income of the person
- Information about current job (company, position, salary, contact information, etc.)
- Name and contact details of the accountant
- Photocopy of passport
- Photocopy of the driver’s license
- Tax Office Information
- Account numbers
- Bills with information on household consumption (gas, electricity, water)
Because of the wealth of information available, there is a great deal of risk for those affected. With so much data, identity theft is easy for a criminal to pull off.
The data were freely available for about two years. The circumstance was discovered in February 2017 by LVLP itself. The company reacted immediately and secured the data. No notification was made to the data protection authority.
Since all accesses were automatically logged, it was possible to determine that the data was accessed anonymously a total of 511,912 times. The access took place from 1,213 different IP addresses. Many accesses occurred at regular intervals, so it can be assumed that these accesses were automated.
In October 2017, the company was contacted by a person who had accessed this data and demanded a ransom. Otherwise, the data would be made public. The individual was able to prove access by submitting tapped records to LVLP. Only now has the notification been made to the UK’s data protection authority (ICO).
Investigation by the data protection authority
ICO launched an official investigation as a result of the incidents. The entire process up to the year 2015 was analyzed. Due to the above circumstances, the authority held the company fully responsible for the data theft.
According to ICO, in 2016 and 2017, LVLP invested a large amount in improving its internal IT. In the course of this work, the unsecured FTP server was also noticed.
Furthermore, a complaint from a customer was reported. The latter stated that his credit card had been misused, which is why his credit rating was downgraded. This incident occurred a few days after the customer was added to LVLP’s customer file. However, the company was unable to establish a connection at that time. The incident occurred in April 2017, before the data leak was discovered.
Another essential aspect is that the data protection authority has clarified that the data processing was fundamentally not state of the art. If anonymous access had not been enabled, then data transfer via the unencrypted FTP protocol would still be unsuitable for personal data. An encrypted connection would have been mandatory, as is the case with the two successor protocols SFTP and FTPS, for example.
Upon completion of the investigation, the authority imposed a fine of £80,000 (approximately €90,000). The long period of the data breach, the high number of data stolen and the fact that they were misused were decisive for the high penalty. At the same time, the notification to the data protection authority was late. The General Data Protection Regulation stipulates that companies must submit a notification to the competent data protection authority within 72 hours of discovering a data protection breach.
Conclusion
The company Life at Parliament View Limited made several mistakes at once. On the one hand, the technology used was configured incorrectly, and on the other hand, an outdated technology was used.
Once again, it becomes clear that the GDPR requirement to perform state of the art processing is a major challenge for companies. The security systems must be kept up to date and the programs used must be checked regularly. Especially for small companies without their own IT department, these requirements are difficult to implement. It needs a reliable partner to maintain the systems and keep them up to date.
As a certified Sophos partner, we can offer you a customized solution to secure your IT systems in the best possible way. Thanks to the unique Synchronized Security, threats can be averted faster and in a more targeted manner. Thanks to neural networks, even the latest threats are detected immediately and all systems are warned automatically.
Sophos security solutions are part of our data protection and data security package.
Entscheidungsdatum:
19.07.2019
Land:
Great Britain
Art des Verstoßes:
Theft of Data
Betroffene Datensätze:
18610
Waren sensible Daten betroffen?:
No
verhängte Geldstrafe:
€ 90,000,-
Violation of GDPR Paragraph:
32. Security of processing
33. Notification of a personal data breach to the supervisory authority
Quelle:
Decision of the British data protection authority ICO (English)