In a country of 1.3 million inhabitants, we registered 115 infractions of data protection regulations in 2019. Most of these incidents could be considered non-significant. But even non-significant events have the potential to benefit cyber criminals.
The Data Protection Regulation requires notifying the Estonian inspectorate whenever unauthorised persons have gained access to personal data. This could be access to a server, computer, or paper documents. If the processor of data were to discover illegal downloading, copying, or
other processing of the personal data, it is an infraction which needs to be reported to the inspectorate within 72 hours.
The incidents recorded in 2019 can generally be divided into two categories. On the one hand there were incidents where the root cause could be identified as the software used. On the other hand – for the majority of the incidents last year – the root cause was human error. This could be an actual error, but also carelessness or negligence. In multiple instances, we were notified of mistakenly sending sensitive information to the wrong e-mail address. There were also reports of misconfiguration of databases, resulting in unauthorised access to this data. There were other incidents which were caused by insufficient attention to details or lack of knowledge regarding data protection. Just responding to phishing e-mails or entering your data there is an example.
Even though all data processors should be able to use elementary security protocols and technologies to keep phishing e-mails from getting
through to end users, basic DMARC protocols or STARTTLS encryption methods for secure e-mail exchange are still not widely in use.
The largest potential data leak could have come from a local bike-sharing initiative at an Estonian municipality, had it not been
for the prompt action taken by the owners of the service. The database behind the ride-sharing service had 20,000 names, contact information, user ID-s, use logs, and connections with other public transportation logs. Thanks to the quick reaction by the processor of the data following the
discovery of this vulnerability, there was no real threat of personal information being leaked and after an investigation into the matter, the Data Protection Inspectorate issued only a written reprimand regarding the case.There were some cases of infractions where the developers of a system did not pay enough attention to protecting personal data at an early phase of development.
This led to some incidents at online self-service environments where customers unintentionally saw the personal details of another customer. These types of incidents could have been prevented by using privacy-by-design policies at early product design phases. How services handle data protection and how well they know the rules behind data protection is becoming a question of competence and trust. The larger the potential damage to trust or sales from data leaks, the faster the processors of the data fix their services and databases.
Pille Lehis
Director of Data Protecion Inspectorate