The NAIH received a public notice regarding the webpage http://web.dkp.hu, operated by a Hungarian parliamentary party, the Democratic Coalition (DK). In the public notice a Hungarian citizen informed the NAIH that the database containing personal data of the party's supporters was openly accessible via an anonymous hacker forum. The database contained the users' e-mail addresses, full names, login names and weakly protected passwords (MD5 hashes). The database became accessible on the hacker forum after an unknown attacker exploited an SQL injection (SQLi) vulnerability in the webpage to reach it and then uploaded the data to the internet. DK was aware of the data breach, because the hacker had informed the party as well. Nevertheless, the party had neither notified the NAIH of the breach nor informed the data subjects, as required by Articles 33-34 of the GDPR.
The NAIH launched an administrative control procedure, which led to a data protection administrative procedure regarding Article 9(1) and Article 33(1) of the GDPR and Section 60(1) of the Hungarian Privacy Act.
Throughout the procedure, DK was of the opinion that it was not obliged to notify the supervisory authority or the data subjects, because the leaked database contained only out-of-date personal data of party members and sympathizers that had not been updated for years.
In its resolution the NAIH pointed out that, when assessing the risk of the data breach, it is irrelevant that the leaked data had not been updated for a long time. The breach is still considered a high-risk incident, because it affected data of real natural persons who are, or could still be, members or sympathizers of the political party. The NAIH therefore regarded it as an aggravating circumstance that the data concerned are special categories of personal data revealing the political opinions of the data subjects. Moreover, DK protected the passwords with an out-of-date technology (MD5), which also poses a serious risk to the rights and freedoms of individuals, because the public availability of such information can lead to further breaches of other online services used by the data subjects.
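As an added example (not part of the NAIH decision or of DK's own code), the snippet below shows what the MD5 finding means in practice for the operator of such a supporter database: an audit that counts rows still stored as unsalted MD5 and how many users share an identical hash (visible without any cracking), plus a migration path that replaces the legacy hash with a salted, memory-hard scrypt hash the next time a user logs in. The table rows, passwords and column names are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample of the kind of table described above: e-mail, login name
# and an unsalted MD5 password hash per supporter (all values are made up).
LEGACY_ROWS = [
    {"email": "a@example.org", "login": "alice", "pw": hashlib.md5(b"summer2019").hexdigest()},
    {"email": "b@example.org", "login": "bob",   "pw": hashlib.md5(b"summer2019").hexdigest()},
    {"email": "c@example.org", "login": "carol", "pw": hashlib.md5(b"correct horse").hexdigest()},
]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")  # bare MD5 digest, no salt, no parameters
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1  # ~16 MiB per hash, slows offline guessing

def audit_legacy_hashes(rows):
    """Count rows still on unsalted MD5 and users whose hash equals another user's:
    identical passwords are exposed directly because MD5 without a salt is deterministic."""
    md5_rows = [r for r in rows if MD5_HEX.match(r["pw"])]
    by_hash = {}
    for r in md5_rows:
        by_hash.setdefault(r["pw"], []).append(r["login"])
    shared = sum(len(users) for users in by_hash.values() if len(users) > 1)
    return {"legacy_md5": len(md5_rows), "shared_hash_users": shared}

def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a memory-hard KDF (hashlib.scrypt); stored as salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt.hex() + "$" + digest.hex()

def scrypt_verify(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time comparison

def migrate_on_login(row, password: str) -> bool:
    """Authenticate one user; if the row is still a legacy MD5 hash and the password is
    correct, replace it in place with a salted scrypt hash (no plaintext ever stored)."""
    if MD5_HEX.match(row["pw"]):
        if hashlib.md5(password.encode()).hexdigest() != row["pw"]:
            return False
        row["pw"] = scrypt_hash(password)
        return True
    return scrypt_verify(password, row["pw"])
```

Rows that never log in again stay on MD5, so an audit showing a non-zero `legacy_md5` count is the cue to force a password reset for those accounts rather than wait.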
The NAIH imposed an administrative fine of 11 million HUF (approximately 35,000 €) on DK for violating Articles 33-34 of the GDPR, because DK neither notified the supervisory authority of the high-risk personal data breach nor communicated it to the approximately 6,000 data subjects, despite being aware of it.
The decision of the NAIH is available in Hungarian at https://www.naih.hu/files/NAIH-2019-2668-hatarozat.pdf.
For further information, please contact the NAIH directly: firstname.lastname@example.org