Accessible personnel files resulted in a data breach
An emergency management company reported a data breach to the Danish Data Protection Agency. The breach was triggered by all 194 users of an internal system having access to current and former employees' personal data. The data breach resulted in criticism from the Danish Data Protection Agency.
For almost seven months, employees with standard system access had access to information about almost 2029 current and former colleagues. The accessible personal data included full names, social security numbers, and addresses, including protected addresses. The data was used by the HR department in connection with employee matters.
The company notified the Danish Data Protection Agency that, by mistake, system access had not been granted based on work-related needs. Neither the company nor the system supplier had been aware that the system access rights were not properly organized. An internal investigation revealed that six users without a work-related need had accessed the data in the folder.
Out of sight, out of mind
The Danish Data Protection Agency issued criticism and emphasized that only employees in the HR department needed access to the system. Therefore, the company had breached its obligation to ensure the necessary security measures were in place before processing the data.
The company was therefore responsible for identifying the risks arising from its processing activities and for ensuring an appropriate level of security. The Danish Data Protection Agency emphasized that, as a clear starting point, access rights should always be limited to the work-related needs of the users.
IUNO's opinion
Various examples show that data breaches often occur simply due to a lack of basic technical and organizational measures. That could be something as simple as a missing software update or, as in this case, a failure to have the appropriate procedures in place.
IUNO recommends that companies ensure the necessary focus on security measures through data protection by design and by default. In this connection, one of several measures may be to continuously clarify which systems are used internally and why. It should also always be clear who is responsible for which systems and personal data, and how those systems work.
[The Danish Data Protection Agency's decision of 22 March 2023 in case no. 2022-442-21566]