Personal data breach in the information system Mentor – Administrative fine

On April 29 2021, the Icelandic Data Protection Authority (the DPA) took the decision to impose an administrative fine on the company InfoMentor in a case relating to a data breach that occurred in February 2019. Due to a vulnerability within the online information system Mentor (the System), two unauthorised third parties, one in Iceland and one in Sweden, gained access to the national identification numbers (I. kennitala) and avatars of a total of 424 children. The vulnerability consisted in each student‘s six-digit system number, a random number unrelated to their national identification number, being visible in the URL for a particular page within the System. To exploit the vulnerability, it would have been sufficient to change the numbers in the URL address of the page in question.

Human error at the root of the data breach

InfoMentor conceded that the company had been aware of the vulnerability and that a solution had already been created. Due to human error, the solution was not fully implemented into the System until after the data breach occurred. The DPA concluded that the data breach could have been prevented with sufficient follow-up and testing of security measures within the System. Accordingly, the DPA concluded that InfoMentor did not comply with the requirements of Art. 32 (1) (b) and (d) of the Regulation and Act No. 90/2018, on Personal Data and the Processing of Personal Data, cf. Art. 5 (1) (f) of Regulation (EU) 2016/679 and Art. 8 (1) (6) of Act No. 90/2018, as regards the data breach.

The DPA also concluded that InfoMentor did not ensure proper security of the personal data of the data subjects affected by the data breach when the company mistakenly sent national identification numbers to the wrong schools and data protection officer, and therefore did not comply with Art. 5 (1) (f) of the Regulation and Art. 8 (1) (6) of Act No. 90/2018 in these instances.

Factors in determining the administrative fine

In determining the amount of the administrative fine, the DPA considered the number of data subjects directly affected by the data breach and of those potentially affected by it, given the number of the System's users. The fact that the data subjects were children, whose personal data is afforded special protection in Act No. 90/2018 and the Regulation, was also a significant factor. The DPA then concluded that InfoMentor should be held to a high standard as a processor given that the company's main business activity is the development and operation of a system specifically intended for the processing of the personal data of children. On the other hand, there was no evidence of any harm suffered by the data subjects affected by the data breach. Additionally, InfoMentor presented documents and information showing numerous steps the company has taken to increase security within the System. Based on the aforementioned, the DPA concluded that an administrative fine of ISK 3.500.000 should be imposed upon InfoMentor.

Cross-border element of the case

In light of the fact that the data breach affected one data subject in Sweden, the DPA notified supervisory authorities within the European Economic Area (EEA) of the data breach on August 12, 2019. The Icelandic Data Protection Authority was the lead supervisory authority for the case and the Swedish supervisory authority, Integritetsskyddsmyndigheten (formerly Datainspektionen) a concerned supervisory authority, as defined by Recital 124 and Art. 4 (1) (22) of the Regulation, respectively. As provided for in Art. 60 (3) of the Regulation, the DPA sent Integritetsskyddsmyndigheten a draft of the decision. No objections were expressed within the four-week timeframe provided for in Art. 60 (4). The DPA notes that this decision is the first decision regarding cross-border processing it takes after Act. No. 90/2018 and the Regulation entered into force.