The Hungarian Data Protection Authority (NAIH) has imposed a record-breaking financial penalty under the General Data Protection Regulation (GDPR) on an electronic communication provider over an unaddressed website vulnerability.
Digi Zrt. (Digi) provides television and electronic communication services to around 800,000 households in Hungary. Several years ago, the company created a test database; in September 2019 an ethical hacker discovered it and reported to Digi that a security vulnerability in the website allowed the database to be accessed.
The website had been created using an open source content management platform. A known vulnerability in the platform had not been patched and, as a result, the hacker was able to gain access to two unencrypted databases through the website. One of the databases contained information about subscribers and identification data about system administrators. Data included names, addresses, email addresses, telephone numbers, and bank account information. The other database contained the names and email addresses of Digi’s email newsletter subscribers.
NAIH investigated the breach and determined that the types of data that had been exposed could potentially have been used for identity theft. It is unclear how many individuals had their personal and private information exposed, but NAIH said a large number of individuals were affected.
Digi’s investigation uncovered no evidence that the vulnerability had been exploited by anyone other than the ethical hacker who reported it. She had not downloaded the data from the website, only a single record, retrieved to demonstrate that the vulnerability existed.
After being alerted to the flaw, Digi installed a patch to correct the vulnerability, removed the test database, and reported the data breach to NAIH within 72 hours; however, that was not sufficient to avoid a financial penalty.
NAIH imposed a fine of HUF 100 million (approximately EUR 290,000) on Digi for the exposure of the personal information of EU data subjects. The fine could have been substantially higher: it represents 0.2% of Digi’s annual turnover for the previous fiscal year, whereas GDPR permits fines of up to 4% of global annual turnover (or EUR 20 million, whichever is higher).
Digi said that while patches were available to correct the flaw in the open source platform, none of them were official patches from the platform’s maintainers, which is why they were not applied. As a result, the known vulnerability, and the test database reachable through it, remained in place until the ethical hacker’s report.