easyGDPR
Fine against Life at Parliament View Limited

22/07/2019

A British company named Life at Parliament View Limited (LVPL) was fined £ 80,000 (approximately € 90,000).

Background information

The company operates in the field of rentals, real estate sales and property management. In the course of these activities, data had to be forwarded to a partner organization. For this purpose, the company used an FTP server from which the partner organizations could retrieve (download) the required data.

Originally, this FTP server had been used to transfer photographs of properties; it was then repurposed for the new data transfer. The server was configured with the help of guides from the Microsoft homepage. However, LVPL forgot to disable anonymous authentication. As a result, any user could log on to the server with the user name “anonymous” and no password and browse the folders. Many FTP programs attempt this login automatically, which is why the files were de facto unprotected on the Internet.

The 18,610 records contained the following information:

  • First and last name
  • E-mail address
  • Phone numbers
  • Postal address (current and previous)
  • Date of birth
  • Income of the person
  • Information about the current profession (company, position, salary, contact information, etc.)
  • Name and contact details of the accountant
  • Photocopy of the passport
  • Photocopy of the driver’s license
  • Tax office information
  • Account numbers
  • Bills with information on household consumption (gas, electricity, water)

Because so much information was available, the risk for those affected is high: with this amount of data, identity theft is easy for a criminal to carry out.

The data was freely available for about two years. The situation was discovered in February 2017 by LVPL itself. The company reacted immediately and secured the data. However, no notification was made to the data protection authority.

Since all accesses were logged automatically, it was found that the data had been accessed anonymously a total of 511,912 times, from 1,213 different IP addresses. Many requests were made at regular intervals, so it can be assumed that these accesses were automated.

In October 2017, the company was contacted by a person who had accessed this data and demanded a ransom; otherwise, the data would be published. The person proved the access by sending LVPL records that had been collected from the server. Only then was the British data protection authority (ICO) notified.
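The kind of analysis that the automatic access logging above makes possible, as an added example that is not part of the original post: a small Python script that parses W3C extended log lines (the layout IIS FTP writes, with the column list declared in a `#Fields:` header), counts requests made under the “anonymous” account per client IP, and flags IPs whose downloads arrive at near-constant intervals as likely automated. The sample rows, the field set, the IP addresses (RFC 5737 documentation ranges) and the thresholds are all constructed assumptions, not data from the ICO case.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log in W3C extended format. The parser reads the column
# names from the "#Fields:" header instead of hard-coding a layout, so it also
# works for servers that log a different set of fields.
SAMPLE_LOG = """\
#Software: (constructed sample)
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2017-01-10 02:00:00 203.0.113.5 - USER anonymous 331
2017-01-10 02:00:00 203.0.113.5 anonymous PASS *** 230
2017-01-10 02:00:01 203.0.113.5 anonymous NLST /tenants 226
2017-01-10 02:10:01 203.0.113.5 anonymous RETR /tenants/export_0110.csv 226
2017-01-10 02:20:01 203.0.113.5 anonymous RETR /tenants/export_0110.csv 226
2017-01-10 02:30:01 203.0.113.5 anonymous RETR /tenants/export_0110.csv 226
2017-01-10 09:13:42 198.51.100.7 anonymous PASS *** 230
2017-01-10 09:14:05 198.51.100.7 anonymous LIST / 226
2017-01-10 11:47:19 198.51.100.7 anonymous RETR /tenants/export_0110.csv 226
2017-01-10 12:00:00 192.0.2.9 partner1 PASS *** 230
2017-01-10 12:00:03 192.0.2.9 partner1 RETR /tenants/export_0110.csv 226
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C extended log text into one dict per request, keyed by field name."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blank lines
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed rows rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def anonymous_requests_by_ip(records: list[dict[str, str]]) -> dict[str, int]:
    """Count every request made while logged in as 'anonymous', per client IP."""
    counts: dict[str, int] = defaultdict(int)
    for rec in records:
        if rec["cs-username"].lower() == "anonymous":
            counts[rec["c-ip"]] += 1
    return dict(counts)


def _timestamp(rec: dict[str, str]) -> datetime:
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def likely_automated(records: list[dict[str, str]],
                     min_downloads: int = 3,
                     max_cv: float = 0.1) -> dict[str, float]:
    """Return {ip: mean gap in seconds} for IPs whose anonymous RETR requests are
    spaced at near-constant intervals (coefficient of variation <= max_cv),
    which is the pattern of a scheduled download job rather than a person."""
    times: dict[str, list[datetime]] = defaultdict(list)
    for rec in records:
        if rec["cs-username"].lower() == "anonymous" and rec["cs-method"] == "RETR":
            times[rec["c-ip"]].append(_timestamp(rec))
    flagged: dict[str, float] = {}
    for ip, stamps in times.items():
        if len(stamps) < min_downloads:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[ip] = avg
    return flagged


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    per_ip = anonymous_requests_by_ip(recs)
    print(f"anonymous requests: {sum(per_ip.values())} from {len(per_ip)} IPs")
    for ip, n in sorted(per_ip.items(), key=lambda kv: -kv[1]):
        print(f"  {ip:15} {n}")
    for ip, gap in likely_automated(recs).items():
        print(f"likely automated: {ip} (every {gap:.0f} s)")
```

Any non-zero count from `anonymous_requests_by_ip` on a server that is not meant to serve anonymous users is itself the finding; the interval check only helps prioritise which sources to look at first. The same two functions can be pointed at a real log file by replacing `SAMPLE_LOG` with the file's contents.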

Investigation of the data protection authority

ICO initiated an official investigation into the incident. The entire process was analyzed back to 2015. In view of the above circumstances, the authority held the company fully responsible for the data theft.

According to ICO, LVPL invested heavily in improving its internal IT in 2016 and 2017. In the course of this work, the unsecured FTP server was also noticed.

Furthermore, a complaint from a customer was reported. He alleged that his credit card had been misused, which is why his credit rating was downgraded. This occurred a few days after the customer had been added to the LVPL customer file. At the time, the company was unable to connect this complaint to its FTP share. The incident occurred in April 2017 and thus before the discovery of the data leak.

Another key aspect is that the data protection authority made it clear that the data processing as such did not conform to the state of the art. Even if anonymous access had not been enabled, data transmission via the unencrypted FTP protocol would still have been unsuitable for personal data. An encrypted connection would have been absolutely necessary, as provided for example by the two successor protocols SFTP and FTPS.

Upon completion of the investigation, the authority imposed a fine of £ 80,000 (approximately € 90,000). The long duration of the data breach, the large amount of stolen data and the fact that it was misused were the deciding factors for the severity of the penalty. In addition, the notification to the data protection authority was delayed. The General Data Protection Regulation requires companies to notify the relevant data protection authority no later than 72 hours after becoming aware of a data breach.

Conclusion

Life at Parliament View Limited made several mistakes: on the one hand, the technology used was configured incorrectly; on the other hand, an outdated technology was used in the first place.

This case shows once again that the GDPR requirement to process data in line with the state of the art is a major challenge for companies. Security systems must be kept up to date and the software in use must be checked regularly. Especially for small companies without their own IT department, these requirements are difficult to implement. They need a reliable partner who keeps their systems up to date.

As a certified Sophos partner, we can offer you a tailor-made solution to secure your IT systems as well as possible. With the unique Synchronized Security, threats can be fended off faster and in a more targeted way. Thanks to neural networks, even the latest threats are recognized immediately and all systems are warned automatically.

Sophos security solutions are part of our privacy and data protection package.

Source: ICO

Decision date: 19.07.2019

Country: United Kingdom

Type of violation: Theft of data

Affected records: 18,610

Were sensitive data affected?: No

Fine imposed: € 90,000

GDPR provisions violated:

Art. 32 Security of processing
Art. 33 Notification of a personal data breach to the supervisory authority
