Icelandic DPA issues fine to InfoMentor for inadequate protection of personal data

5 May 2021 Iceland

The Icelandic Data Protection Authority has fined the company InfoMentor ISK 3.500.000 (EUR 23.100) for not ensuring proper security of personal data within the system Mentor, an information system for schools and other parties working with children. 

Due to a vulnerability which led to the six-digit system number of each user being visible in the URL address of a particular page within the Mentor system, unauthorised parties gained access to the national identification numbers and avatars of over 400 children. The incident was reported as a data breach in February 2019.

Human error at the root of the data breach
InfoMentor conceded that the company had been aware of the vulnerability and that a solution had already been created. Due to human error, the solution was not fully implemented into the system until after the data breach occurred.

InfoMentor also mistakenly sent national identification numbers of students affected by the data breach to the wrong schools and data protection officer.

Number of data subjects potentially affected – personal data of children 
The most significant factors in determining the administrative fine were the number of data subjects directly and potentially affected by the data breach, the fact that the data subjects are children and that InfoMentor's main activity is the development and operation of an information system intended for schools and other entities working with children. However, there was no evidence of harm suffered by the data subjects and InfoMentor has taken numerous steps to increase security of personal data within the system.

You can read a more detailed summary (in English) on the Icelandic DPA website here, with the final decision published (in English) here.

For further information, please contact the Icelandic DPA:
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.