Updated: Apr 15, 2020
The NAIH (National Authority for Data Protection and Freedom of Information in Hungary) received a public notice concerning the webpage http://web.dkp.hu, operated by a Hungarian parliamentary party, the Democratic Coalition (DK).
In the public notice, a Hungarian citizen informed the NAIH that a database containing personal data of the party's supporters was openly reachable through an anonymous hacker forum.
The database carried the users' e-mail addresses, full names, login names and passwords protected only by weak MD5 hashing. The database became accessible on the hacker forum after an unknown attacker reached it through an SQL vulnerability in the website and then uploaded the data to the internet.
DK was aware of the data breach because the hacker had informed the party as well. However, the party neither notified the NAIH of the breach nor informed the data subjects, as required by Articles 33-34 of the GDPR.
The decision of the NAIH is available in Hungarian at https://www.naih.hu/files/NAIH-2019-2668-hatarozat.pdf
The source of this article can be found here
The NAIH launched an administrative control procedure, which led to a data protection administrative procedure regarding Article 9 (1) and Article 33 (1) of the GDPR and section 60 (1) of the Hungarian Privacy Act.
DK maintained throughout the procedure that it was not obliged to inform the supervisory authority or the data subjects, because the leaked database contained only out-of-date personal data of the party's members and sympathisers that had not been updated for years.
The NAIH pointed out in its resolution that, when assessing the risk of the breach, it is irrelevant that the leaked data had not been updated for a long time. The breach is still considered a high-risk incident because it affected data of real natural persons who are, or could still be, members or sympathisers of the political party. The NAIH further treated it as an aggravating circumstance that the affected data belong to the special categories of personal data, as they reveal the political opinions of the data subjects. Moreover, DK protected the passwords with an outdated algorithm (MD5), which also poses a serious risk to the rights and freedoms of individuals, because public availability of such information can lead to the compromise of other online services used by the data subjects.
The NAIH imposed an administrative fine of 11 million HUF (approximately EUR 35,000) on DK for violating Articles 33-34 of the GDPR, because DK did not notify the supervisory authority of the high-risk personal data breach and did not communicate it to the approximately 6000 data subjects despite being aware of it.