Background information
The company operates in the field of rental, real estate sales and property management. In the course of these activities data should be forwarded to a partner organization. For this purpose, the company has used a FTP server. The partner organizations were able to retrieve (download) the required data via this.
Originally, this FTP server had been used to transfer photographs of real estate. For the new data transmission the intended use was changed. The server was configured with the help of guides from the Microsoft homepage. However, LVPL forgot to disable anonymous authentication. Therefore, each user could log on to the server with the user name “anonymous” and no password, and browse the folders. Many FTP programs perform this login attempt automatically, which is why the files were de facto unsecured on the Internet.
The following information contained the 18,610 records:
- First and Last Name
- e-mail address
- phone numbers
- Postal address (current and previous)
- Date of birth
- Income of the person
- Information about the current profession (company, position, salary, contact information, etc.)
- Name and contact details of the accountant
- Photocopy of the passport
- Photocopy of the driver’s license
- Tax office information
- account numbers
- Bills with information on household consumption (gas, electricity, water)
Due to the abundance of available information, there is a high risk for those affected. Due to the numerous data, identity theft is easy for a criminal to perform.
The data was freely available for about two years. The situation was discovered in February 2017 by LVLP itself. The company reacted immediately and secured the data. A notice to the data protection authority did not take place.
Since all accesses were logged automatically, it was found that a total of 511,912 times the data was accessed anonymously. The access was made from 1,213 different IP addresses. Many requests were made at regular intervals, so it can be assumed that these accesses were automated.
In October 2017, the company was contacted by a person who accessed this data and demanded a ransom. Otherwise, the data would be published. The person was able to gain access by submitting collected records to LVLP. Only now a notice was sent to the British Data Protection Authority (ICO).
Investigation of the data protection authority
ICO initiated an official investigation into the incident. The entire process was analyzed until 2015. Due to the above circumstances, the agency made the company fully responsible for the data theft.
According to ICO, LVLP invested heavily in improving internal IT in 2016 and 2017. In the course of this work, the unsecured FTP server was also noticed.
Furthermore, a complaint from a customer was reported. This alleged that his credit card was misused, which is why his credit rating was downgraded. This incident occurred a few days after the customer was added to the LVLP customer file. The company was unable to connect this complaint to their FTP share at this time. The incident occurred in April 2017 and thus before the discovery of the data leak.
Another key aspect is that the Data Protection Authority has made it clear that data processing in principle did not conform to the state of the art. If anonymous access had not been activated, data transmission via the unencrypted FTP protocol would still be unsuitable for personal data. An encrypted connection would have been absolutely necessary, as is the case with the two successor protocols SFTP and FTPS, for example.
Upon completion of the investigation, the authority imposed a fine of £ 80,000 (approximately € 90,000). The long period of data breach, the high amount of stolen data and the fact that they were misused were the deciding factors for the high punishment. At the same time, the notification to the data protection authority was delayed. The General Data Protection Regulation requires companies to notify the relevant data protection authority no later than 72 hours after detection of a data breach.
Conclusion
Life at Parliament View Limited made several mistakes. On the one hand, the technology used was configured incorrectly, on the other hand, an outdated technology was used.
Once again it shows that the GDPR requirement to perform state-of-the-art processing is a major challenge for companies. The security systems must be constantly updated and the software used must be checked regularly. Especially for small companies without their own IT department, these requirements are difficult to implement. It needs a reliable partner who keeps the systems up to date.
This case was summarized by Easy GDPR.