City of Bergen was fined 170 000€
The data protection authority Datatylsinet fined the Norwegian town Bergen for 160.000 norwegian crowns (€ 170 000,-). The town neglected the data security for their school platform. Even multiple warnings from the authorities and a “Whistleblower” didn’t change their mind.
Attackers used weaknesses in the system to steal over 35 000 user accounts. They belonged to teachers, students and personal associated with local schools. Most of the stolen data belonged to children. This is especially troublesome, as the GDPR sees children as an endangered group. Their data needs to be especially well protected.
The attackers were able to log into the various systems and steal personal data, including names, passwords, birthdates, addresses, the associated schools of the users. They were also able to log onto the learning platform and steal the grades of the children.
Why Norway punishes people for breaking GDPR is explained here: Norway Personal Data Act
The city of Bergen had to pay a fine because their computer system did not fulfil the state-of-the-art. Which measures are necessary to reach the state-of-the-art needs a lot of expert knowledge. With easyGDPR you benefit from our long lasting expert knowledge in IT and data protection. Part of every GDPR license is the Quickcheck. To complete the Quickcheck you only need a few minutes. After finishing you will receive a detailed report of the current status of your company. It shows you which parts of your company fulfill the GDPR already and which not. Beside that, easyGDPR Quickcheck gives you recommendations to meet the requirements of the GDPR. Quickcheck cover both technical and organisational measures.
Type of Issue:
Theft of Data
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
32. Security of processing