Lyngby-Taarbæk municipality in Denmark has been fined DKr 350,000 – 400,000 ($49,439 – $56,501) for failing to comply with its obligation as data controller to implement proper security measures in several cases. Most seriously, it failed to remove former employees' access to a system that held personal data on about 30,000 citizens.
Datatilsynet, the Danish Data Protection Authority, first learned of the failures when the municipality itself reported a personal data breach involving unauthorized access to personal data. Its investigation found that Lyngby-Taarbæk had no guidelines or procedures for terminating user access within the IT system KMD Nexus, and did not regularly check that such terminations had actually been carried out.
Ex-employees abused the systems
The insufficient security meant at least 1,000 former employees still had access to the system even though they no longer worked there. One former employee was found to have abused the system and accessed information on 1,022 citizens.
Another unauthorized person was found misusing the login credentials of one of the municipality’s employees, which gave access to that employee’s Office services, such as Outlook, OneNote and SharePoint – which contained information on 5,000 citizens, employees and business partners.
That was possible because the system also lacked any multi-factor authentication: only a username and password were needed to gain access.
The security gaps are believed to date from when the Microsoft services and KMD Nexus were installed, in 2016 and 2018.
“When you give employees access to IT systems with personal data directly from the Internet, the risk increases that unauthorized persons – for example hackers – get access to the information and can misuse it. If access is granted to information worthy of protection, it has long been a requirement that multi-factor authentication be implemented to ensure an adequate level of protection,” said Vibeke Dyssemark, chief consultant at Datatilsynet.
Duty to erase access
Dyssemark also stressed that it is the data controller’s duty to ensure that personal data is not processed or accessed by unauthorized persons, and to terminate access when employees leave an organisation, something she pointed out had been required for “many years” as “part of the very basic security measures.”
“However, errors can occur in these processes, and therefore appropriate checks must also be carried out to ensure that user access has actually been terminated correctly and in a timely manner when employees change their work function or stop.”
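The checks Datatilsynet describes amount to a recurring reconciliation between HR's record of who has left and the accounts still enabled in a system such as KMD Nexus or the Office services mentioned above. The Python script below is an added example, not code from the article, the municipality, KMD or Datatilsynet; the HR records, accounts, dates and the three-day deprovisioning grace period are constructed assumptions. It flags leavers whose accounts are still enabled, distinguishes the worse case where such an account has been used after the leaving date (the situation the article reports), lists enabled accounts with no HR owner at all, and lists enabled accounts without MFA.

```python
"""Leaver reconciliation check: a periodic control that compares the accounts
still enabled in an application with HR's record of who still works there.

Everything below is constructed sample data for illustration (hypothetical
employee ids, usernames and dates), not data from any real system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # last working day, set when status == "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None when the account is not linked to anyone in HR
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str      # "used_after_leaving", "orphan_leaver", "unlinked" or "no_mfa"
    detail: str


def reconcile(hr_records: List[HrRecord], accounts: List[Account],
              as_of: date, grace_days: int = 1) -> List[Finding]:
    """Return every enabled account that should not be enabled, plus MFA gaps.

    grace_days is the normal deprovisioning lag allowed after the last working
    day; an account still enabled past that deadline is a finding.
    """
    by_id = {r.employee_id: r for r in hr_records}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled is the desired state for leavers
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            findings.append(Finding(acct.username, "unlinked",
                                    "enabled account with no HR owner"))
        elif owner.status == "terminated" and owner.end_date is not None:
            deadline = owner.end_date + timedelta(days=grace_days)
            if as_of > deadline:
                overdue = (as_of - deadline).days
                if acct.last_login and acct.last_login > owner.end_date:
                    # The account was not only left open but actually used.
                    findings.append(Finding(acct.username, "used_after_leaving",
                        f"login on {acct.last_login} after leaving on {owner.end_date}"))
                else:
                    findings.append(Finding(acct.username, "orphan_leaver",
                        f"{overdue} day(s) past deprovisioning deadline"))
        if not acct.mfa_enrolled:
            findings.append(Finding(acct.username, "no_mfa",
                                    "enabled account without multi-factor authentication"))
    return findings


# Constructed sample data (hypothetical).
AS_OF = date(2024, 3, 1)

HR_RECORDS = [
    HrRecord("E100", "active", None),
    HrRecord("E200", "terminated", date(2024, 1, 15)),
    HrRecord("E300", "terminated", date(2024, 2, 28)),
    HrRecord("E400", "terminated", date(2024, 2, 1)),
]

ACCOUNTS = [
    Account("alice", "E100", True, True, date(2024, 2, 29)),   # current staff, fine
    Account("bob", "E200", True, False, date(2024, 2, 10)),    # left in January, still logging in, no MFA
    Account("carol", "E300", True, True, date(2024, 2, 27)),   # left two days ago, within grace
    Account("dave", "E400", True, True, date(2024, 1, 20)),    # left, unused, never disabled
    Account("erin", None, True, True, None),                   # nobody in HR owns this account
    Account("frank", "E999", False, True, None),               # already disabled
]


def run_sample() -> List[Finding]:
    """Run the check over the constructed data with a 3-day grace period."""
    return reconcile(HR_RECORDS, ACCOUNTS, AS_OF, grace_days=3)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:20} {f.username:8} {f.detail}")
```

In practice the HR list and the account list would be exported from the HR system and the application's user directory, and the script would run on a schedule with its findings routed to whoever owns access reviews; the "used_after_leaving" category is the one to treat as a potential incident rather than a hygiene item.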