The NAIH received a public notice regarding the webpage http://web.dkp.hu operated by a Hungarian parliamentary party, the Democratic Coalition (DK). In the public notice a Hungarian citizen informed the NAIH that a database containing personal data of the party's supporters was openly accessible via an anonymous hacker forum. The database contains the users' e-mail addresses, full names, login names and weakly hashed (MD5) passwords. The database became accessible on the hacker forum after an unknown attacker exploited an SQL injection (SQLi) vulnerability in the webpage to reach it and then uploaded the data to the internet. DK was aware of the data breach, because the hacker had informed the party as well. Nevertheless, the party had not notified the NAIH of the breach, nor informed the data subjects, as required by Articles 33-34 of the GDPR.
The NAIH launched an administrative control procedure, which led to a data protection administrative procedure concerning Article 9(1) and Article 33(1) of the GDPR and Section 60(1) of the Hungarian Privacy Act.
Throughout the procedure DK held the opinion that it was not obliged to notify the supervisory authority and the data subjects, because the leaked database contained only out-of-date personal data of members and sympathisers of the party which had not been updated for years.
The NAIH pointed out in its resolution that, when assessing the risk of the data breach, it is irrelevant that the leaked data had not been updated for a long time. The breach is still considered a high-risk incident, because it affected data of real natural persons who are, or could still be, members or sympathisers of the political party. The NAIH therefore considered it an aggravating circumstance regarding the risk of the breach that the data concerned fall into the special categories of personal data, as they reveal the political opinions of the data subjects. Moreover, DK used an out-of-date hashing algorithm (MD5) for the passwords, which also poses a serious risk to the rights and freedoms of individuals, because the public availability of such information can lead to further breaches of other online services used by the data subjects.
The NAIH issued an administrative fine of 11 million HUF (~ 35 000 €) to DK for violating Articles 33-34 of the GDPR, because DK did not notify the high-risk personal data breach to the supervisory authority and did not communicate it to the approximately 6000 data subjects despite being aware of it.
The decision of the NAIH is available in Hungarian at https://www.naih.hu/files/NAIH-2019-2668-hatarozat.pdf
For further information, please contact the NAIH directly: firstname.lastname@example.org
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.