On 18 May 2020, the Hungarian Data Protection Authority („HDPA” or „Authority”) imposed a fine of HUF 100 000 000 on DIGI Távközlési és Szolgáltató Korlátolt Felelősségű Társaság („Digi” or „Company”).
The decision was published by the Authority today. The fine is by far the highest amount imposed since the GDPR’s entry into force and since the HDPA came into existence. The facts leading to the fine and the subsequent decision of the Authority are summarized as follows:
Facts of the case
1. Due to a prior loss of data, Digi created a test database for the purposes of mitigating errors, which the Company filled with existing personal data. The test database was originally available on the Company’s website only with appropriate authorization.
2. The content management system (‘CMS’) used by the Company had a vulnerability that had been discovered more than 9 years earlier. This vulnerability can also be detected and remedied automatically by adequate tools and applications. Through this vulnerability, anyone could view the test database without access authorization.
3. Exploiting this vulnerability, an ethical hacker gained access to the test database, where the personal data of a significant number of clients were stored in plain text without any encryption. These data included all personal identifying data and ID card numbers; in some cases personal identification numbers, e-mail addresses, telephone numbers and bank account numbers were also included.
4. In addition to the above, the data of newsletter subscribers and of system administrators with full access were also accessible through the vulnerability. An attacker could have used these to take complete control of the website and access any personal data or trade secret available on it.
Findings of the HDPA
• The categories of personal data involved made identity theft possible for a potential attacker.
• It is also an aggravating circumstance that the number of people affected by the data protection incident is significant, even in relation to the entire population of Hungary. Moreover, the Company’s market position would have justified the application of more serious data security measures.
• The vulnerability in the open source content management system has been known for a long time, and a fix for it is available free of charge.
• The lack of encryption increased the risk of the incident, even though the Company would have had the opportunity to encrypt its data at an insignificant cost.
• The leaking of access credentials of system administrators with full access severely increases the security risk.
• Maintaining the test database violated the principles of the GDPR, as the test database should have been permanently deleted once its purpose had been fulfilled.
• The Company has also violated the provisions of its own internal regulations.
In light of all of the above, the Authority considered that a warning would not have had a sufficient deterrent effect and that a fine was justified, its exceptionally high amount being explained by the number of aggravating circumstances.