Since the beginning of the GDPR era, no company or organization has been fined as much by the National Data Protection and Freedom of Information Authority (NAIH) as DIGI has now been: two of the company's databases containing a wide range of customer data became accessible due to inadequate data protection measures in the background systems, and although DIGI reported the incident as soon as it became aware of it and cooperated with the authority throughout, the case ended with the largest fine NAIH has ever imposed, one hundred million forints.
SLEEPING TEST DATABASE
According to the reasons for the decision, which was posted on the NAIH website on May 18 but has only just been made public, DIGI learned last September that a vulnerability in the open source content management software running at www.digi.hu had been exploited to access a test database of subscriber data and a database of names and email addresses.
The test database included the names, mother's name, place and date of birth, home address, ID number (in some cases the personal identification number), e-mail address, and landline and mobile phone numbers of the data subjects. Following the data protection incident, DIGI reported it to NAIH as required by law, and NAIH initiated an official investigation in October 2019, since the information provided in the notification was not sufficient to assess whether DIGI had fully complied with the General Data Protection Regulation.
During the investigation, the authority found that the incident could be attributed to multiple failures by DIGI. Among other things, the service provider could not clearly identify or reconstruct the exact reason and purpose for which it had created the test database, which the company should in any case have deleted after closing the troubleshooting process; this fact can be considered an infringement in itself.
The vulnerability used in the attack had been known for 9 years, and the patch was available, but DIGI did not install it because it was not part of the official patch packages for the software.
The decision does not reveal exactly which content management software was used on the DIGI website, or which module contained the vulnerability that the attacker used to gain access to the databases involved in the incident. The investigation also revealed that none of the affected databases were encrypted, although the database engine (also from an unnamed supplier) does offer that capability. According to DIGI, however, encryption was not necessary, as the protection of personal data is in principle ensured by restricting access and assigning rights appropriately, and such encryption can cause problems in the usability and operation of the databases.
When imposing the fine, NAIH treated as aggravating circumstances, among other things, that DIGI's systems could be attacked through a long-standing and easily detectable security vulnerability, the size of the customer base involved, the market position of the service provider, and the lack of encryption. It considered it a mitigating circumstance that the service provider had not previously been fined for data protection violations and that the company had acknowledged that it should have deleted the test database earlier.
Although DIGI deleted the affected test database and installed the missing patch within 72 hours of becoming aware of the incident, NAIH did not regard this as a mitigating circumstance, since in doing so the company merely complied with its legal obligations.
Gellert is Technology Editor at Counting News Media and a contributor to other major tech publications. Her interests include testing new gadgets and reading.