On November 29, 2021, the Lithuanian data protection authority (VDAI) imposed a fine of EUR 110,000 on UAB Prime Leasing, which operates the short-term car rental platform "CityBee" (the Company). VDAI found that the Company had failed to ensure the security of its processing of personal data.
Case details
VDAI opened its investigation after receiving information that personal data of the Company's customers, including personal identification codes, had been leaked and published on the RaidForums.com website.
The following factual circumstances were identified:
- the published data came from an unsecured backup copy of the Company's database, created on 2018-02-27;
- data of 110,302 of the Company's users were disclosed and made public; 433 of these users had given addresses in EEA or other EU countries;
- the personal data were stored in the file in plain text. They comprised users' names, surnames, addresses, telephone numbers, e-mail addresses, postal addresses, personal identification numbers, driving licence numbers, payment card type, the last four digits of the card number, the card's expiry date, and the user's identifier (token) in the Braintree payment system.
Identified breaches against data protection regulation
The main findings of the investigation concerning the lack of proper management and control of personal data security were:
- no qualified person responsible for security and risk management had been appointed;
- the Company had not separated the duties and responsibilities for IT development and maintenance from those for cyber security;
- the Company had not recorded or retained logs of access to the file;
- the file itself was stored unencrypted;
- the information within it was stored in clear text, protected by neither hashing nor encryption;
- the passwords protecting the file were protected with a weak and relatively insecure algorithm.
Based on the findings of the investigation, the fine was issued under Article 83(4)(a) of the GDPR, calculated on the Company's total annual worldwide turnover for the preceding financial year (2020) and an assessment of the circumstances of the case.
What should we learn from this?
With the increase in cyber threats, strong cyber security should be a priority for anyone with access to personal data. Some suggestions are provided below:
- files containing collected personal data must be secured before any data processing takes place. Such files should be stored encrypted, with the encryption key generated and kept separately from the files it protects;
- access to files containing personal data must be logged. Each data controller and processor must keep a technical log. It is an essential security requirement that allows user actions related to personal data processing to be identified and traced, thus ensuring accountability in the event of unauthorized disclosure, modification, or deletion of personal data. The log should be reviewed continually to detect internal or external attempts to compromise the system's security. Guidelines for keeping technical log entries can be accessed here;
- sensitive data such as personal identification codes must be processed in accordance with the principle of data minimization: data may be processed (including stored) only to the extent necessary for the stated purpose;
- personal data should be stored so that data subjects cannot be linked to their personal data. To achieve this, personal data should be encrypted or pseudonymized. In the event of a breach, an unauthorized person should then be unable to tell which personal data belongs to which person;
- carry out data protection impact assessments (DPIA). A DPIA is a process that helps you identify and minimise the data protection risks of a project. It is obligatory for processing likely to result in a high risk to individuals, which includes certain specified types of processing;
- conduct data mapping, the process of discovering and classifying data. The GDPR requires data controllers and processors to be able to demonstrate compliance in their management of personal data. To achieve this, one must map data to identify which data is personal and which is sensitive;
- ensure your company has a risk management procedure in place. Each employee with access to personal data should be introduced to the procedure;
- when processing large volumes or special categories of personal data, companies must appoint an IT specialist with the necessary qualifications. The roles and responsibilities of the appointed personnel must be separated;
- ensure your company has a register of IT resources. An IT resource register helps to close unprotected loopholes by ensuring that all devices used for processing or storing personal data are known and protected. Such a register allows control over the means of data processing;
- in the event of a personal data security breach, communicate with the supervisory authority. Hacker attacks, data leaks, and similar incidents are a real stress test for any organization. The trust of your customers can only be regained through transparent communication and an immediately noticeable improvement in IT security, together with transparent and timely communication with the data supervisory authority.
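As an added illustration of the storage, minimisation and logging points above (example code written for this review, not from the VDAI decision or the Company's systems): it takes a record shaped like the leaked one, replaces the direct identifiers with keyed tokens so a dump cannot be linked to a person without a key held elsewhere, drops fields a backup never needs, checks the serialized output for leftover raw identifiers, shows a strong password hash in place of a weak one, and emits a structured access-log entry. The sample record, the HMAC-based pseudonymisation scheme, the scrypt parameters and the log format are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

# Constructed sample record for this example. The field set mirrors what the
# VDAI findings list as leaked; every value here is fictitious.
SAMPLE_USER = {
    "name": "Jonas",
    "surname": "Jonaitis",
    "email": "jonas@example.com",
    "phone": "+37060000000",
    "personal_code": "39001010000",   # fictitious placeholder, not a real code
    "driving_licence": "LT0000000",
    "card_type": "VISA",
    "card_last4": "1234",
    "card_expiry": "12/25",
    "braintree_token": "cus_abc123",
}

# Fields that identify a person directly. In the backup they are replaced by
# keyed tokens; the key is held outside the backup (a KMS/HSM in practice),
# so a leaked dump alone cannot be linked back to a data subject.
DIRECT_IDENTIFIERS = ("name", "surname", "email", "phone",
                      "personal_code", "braintree_token")
# Fields the backup does not need at all (data minimisation): drop them.
DROP_FIELDS = ("driving_licence", "card_expiry")


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` that is safe to write into a backup."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DIRECT_IDENTIFIERS:
            # HMAC-SHA256, not a bare SHA-256: an unkeyed hash of a low-entropy
            # value such as an 11-digit code is reversed by enumerating all
            # 10**11 inputs; the keyed version cannot be without the key.
            tag = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
            out[field + "_token"] = tag.hexdigest()
        else:
            out[field] = value
    return out


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Memory-hard scrypt hash with a random per-password salt (assumed parameters)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, _ = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def access_log_entry(actor: str, action: str, path: str, outcome: str) -> dict:
    """One structured, timestamped record of who touched which file."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "action": action, "path": path, "outcome": outcome,
    }


def contains_plaintext_identifiers(dump: str, record: dict) -> bool:
    """Pre-storage check: does a serialized dump still carry raw identifiers?"""
    return any(str(record[f]) in dump for f in DIRECT_IDENTIFIERS if f in record)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated and stored separately
    safe = pseudonymize_record(SAMPLE_USER, key)
    print(json.dumps(safe, indent=2))
    print("raw identifiers in original dump:",
          contains_plaintext_identifiers(json.dumps(SAMPLE_USER), SAMPLE_USER))
    print("raw identifiers in pseudonymized dump:",
          contains_plaintext_identifiers(json.dumps(safe), SAMPLE_USER))
    print(json.dumps(access_log_entry("backup-job", "write",
                                      "/backups/users.json", "ok")))
```

The tokens are deterministic for a given key, so the same person maps to the same token across backups and joins still work, while whoever obtains only the dump gets no name, code or e-mail. The same structure applies to the whole backup file: it should additionally be encrypted at rest with a key that never sits beside the file.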
The content of this article is intended to provide a general guide to the subject matter. An expert should be consulted for an assessment of any specific situation.
If you need assistance with the security of personal data or any other issues related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
The article published by VDAI can be accessed here. The text is available in Lithuanian only.
The review was prepared by ECOVIS ProventusLaw data protection group’s experts.