Datatilsynet, the Danish Data Protection Authority, has contacted and questioned Netcompany after a leak of source code was uncovered in the Danish media. Since the breach was not reported to the authority, which is required under EU GDPR 33 if it involves personal data, Datatilsynet wants to clarify if the breach contravened GDPR and other relevant data protection rules.
Netcompany, which is a large IT company in Denmark, supplies a number of government IT systems which hold many types of sensitive data.
To get clarity on the possible data breach, Datatilsynet’ has sent an inquiry to Netcompany which includes questions on:
- whether Netcompany has knowledge of personal data in the compromised material;
- which systems the breach was connected to;
- if Netcompany has informed the affected data controllers of any risks for the data subjects (for example citizens); and
- whether the leaked information can be used to access personal data.
Datatilsynet has requested a response no later than March 6.
Stolen source code
Netcompany has confirmed that the breach included “one single incident involving a simple theft of Netcompany Denmark source code and user manuals”, and was not a ransomware attack.
The company also says that the theft has not affected customers nor their operations and services. However, its stock fell when the news of the attack became public.
“Since the simple theft was discovered, we have worked in close collaboration with authorities and have implemented additional mitigating actions to ensure a continued high level of security in our production systems landscape”, Netcompany said in a statement.
“We have taken necessary precautions that ensure the stolen files cannot be used to gain unauthorized access to any system.”
But Danish media reported that a group called Zyndicate has claimed responsibility for the attack against Netcompany, and that they have published several of the stolen files. The files are said to include, among other things, source codes, scripts and passwords for development programs.
A 34-year-old man has been charged with the alleged data theft, unauthorized access to public authorities and a private company’s data, and for trying disclose these and attempting to blackmail.
Fined for another data leak
In mid-January, Datatilsynet reported Netcompany to the police and recommended its largest fine to date of at least DKr15m ($2.2m) over data protection violations when launching their new digital mailbox mit.dk.
That included failing to discover an ‘inappropriate coding’ in the component that authenticated the users, and made it possible for users to access others’ digital mail and gain access to confidential and sensitive information. The authority said this led to “an unnecessarily high risk for all users of mit.dk”.