Background information
- Date of final decision: 07 January 2022
- Cross-border case or national case: National Case
- Controller: The Municipality of Østre Toten
- Legal Reference: Security of processing (Article 32), Responsibility of the controller (Article 24)
- Decision: Infringement of the GDPR, Order to comply
- Key words: Cyber attack, Ransomware, Dark Web, Special Categories of Data
Summary of the Decision
Origin of the case
The municipality was the target of a serious cyberattack in January of 2021. As a consequence of the attack, employees could no longer access to most of the municipality’s IT systems, the municipality’s data was encrypted, and back-ups were erased. Ransom messages were found in a number of locations. In March of 2021, it was established that parts of the data had been published on the dark web.
Key Findings
The municipality has estimated that approximately 30,000 documents were affected by the attack. These documents contained in part highly sensitive information about the municipality’s residents and employees.
The Norwegian Supervisory Authority concluded that the personal data security of the Municipality of Østre Toten was severely and fundamentally flawed.
These flaws include logs and log analytics, backup protection and lack of two-factor authentication or similar security measures. The firewall was sparsely configured in terms of logging, and much of the internal traffic was never logged. Servers were not configured to send logs to a central log centre, and also failed to log significant events. Furthermore, the municipality had failed to protect backups from intentional and accidental erasure, manipulation or reading.
Decision
The Norwegian Supervisory Authority has fined the municipality of Østre Toten NOK 4 million (EUR 400,000). The municipality has also been ordered to implement a suitable control system for information security and personal data protection.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.