Lithuanian Data Protection Authority issues fine for poor security and failure to report a breach

Updated: Apr 14, 2020

The state data protection Inspectorate has imposed an administrative fine of EUR 61,500 for the breaches of GDPR.

The sanctions have been imposed on MisterTango UAB for the breaches of Articles 5, 32 and 33 of GDPR.

A personal data breach in the payment initiation service system which, among other things, was not reported to the supervisory authority. In the opinion of the Inspectorate, the start of imposing fines under GDPR should be a significant signal to other corporations which only declaratively comply with the provisions of the legal acts.

The source of this article can be found here

The state data protection Inspectorate (Inspectorate) performed an investigation and imposed a fine considering the obtained information on the personal data of bank customers which was made public and the possibly committed personal data breach at MisterTango UAB. The organisation operates across the world and provides payment services to the citizens and companies of Lithuania and foreign citizens and companies. It has established a department in Latvia, provided services in other nations. The Lithuanian supervisory authority which has coordinated its decision with the Latvian personal data protection supervisory institution according to the provisions of GDPR had the opportunity to receive a confirmation of the correctness of the made conclusions from its colleagues. This case also shows that companies should pay greater interest to the management of data breaches and cooperation with the supervisory authority in the course of the investigations.

Having carried out the investigation, the Inspectorate has determined that the company breached the requirements of the GDPR as it improperly processed personal data in screenshots (SS), made personal data publicly available and failed to report the personal data breach to the personal data protection supervisory authority.

Within the light of the information amassed during the investigation and the provided clarifications, it has been determined that MisterTango UAB processes (accesses, collects) more personal data than it indicates as necessary for effecting of the payment initiated by the payer itself. The Inspectorate considers that, for implementation of the data minimisation principle, only such data as the name, surname and, if the payer wishes, his/her identification code, bank account number, currency and balance, purpose of the payment/payment code necessary for effecting the payment should be collected. However, in addition to the data mentioned above, the organisation also accumulated such data as dates of provision of not reviewed electronic invoices, names of the senders and amounts; dates, topics of submission of not read notifications and a part of the text of the notification; purposes, types, amounts of the loans; names of the pension funds, accumulated units, value thereof, accumulated amounts; types of credits (e.g. mortgage credit), due balances, amounts and dates of other payments, numbers of the issued payment cards and amounts in such payment cards which should be considered as superfluous data. Furthermore, it has been determined that the company stores such data longer than it has established and indicated as necessary by itself, i.e. the data provided during the investigation indicates that the data was stored for 216 days instead of 10 minutes. According to Article 5 of the GDPR, the corporation shall be responsible for and be able to demonstrate compliance with the principle of accountability; nevertheless, the company didn’t provide sufficient proof to the supervisory authority during the investigation.

During the investigation, it’s been determined than the website with the list of payments processed by MisterTango UAB were visible for more than two days (9-10 July 2018). The payments made by the customers of different bank institutions through the payment initiation service system of MisterTango UAB and personal statistics of such customers have been made public. Besides, greater than 9,000 SSs with the pages of details of the payment sessions of the customers of 12 different banks in different countries were made publicly available. Furthermore, it’s been determined that management, installation and maintenance of the IT infrastructure (hardware and software) of MisterTango UAB were carried out by one employee.

One employee fulfilled the contradictory functions. Consequently, proper minimisation of possible unauthorised or unintentional modifications and implementation of proper personal data protection policy was not ensured. Thus, MisterTango UAB has failed to choose the appropriate technical or organisational measures which could help to ensure a level of security appropriate to the risk, including protection against unlawful processing, disclosure, thus, breaching Articles 5 and 32 of the GDPR.

According to the GDPR, an incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, private data transmitted, stored or otherwise processed will be a personal statistics breach. From the point of view of the Inspectorate, the afore-noted incident where unauthorised persons were granted access to private data in the internet for two days should be considered as a data breach which must be reported to the supervisory authority. Therefore, MisterTango UAB was obliged to without undue delay and, wherein viable, not later than 72 hours after having become aware of the personal data breach, notify the personal data breach to the Inspectorate. As MisterTango has failed to notify the Inspectorate of the breach, it breached Article 33 of the GDPR.

While choosing the amount of the administrative fine, the Inspectorate took into account all circumstances relevant to extending liability to MisterTango UAB, for example, that the organisation processed the personal data in a non-transparent manner, to a greater extent and longer than necessary for the achievement of the purpose of the processing; the unlawful processing was done systematically; it failed to ensure the security of the personal data at the moment of the personal data breach, failed to report the personal data breach which has occurred and which had an impact at the personal data allowing to identify the data subject to the supervisory authority directly; furthermore, the information constituted the banking secrecy and became processed without encryption and during the period of the personal data breach the data was processed without ensuring control of access to such data. When imposing the administrative fine for EUR 61,500 on the company, the total annual worldwide turnover of the company was taken into account. The decision of the Inspectorate is not effective and may be appealed against to the court.

According to the data available to the Inspectorate, France, Spain, Germany, Poland, Austria, Bulgaria, Cyprus, Malta have already imposed significant fines under the GDPR.