School IT systems supplier fined in Iceland
Iceland’s Data Protection Supervisory Authority has fined InfoMentor €23,100 for failing to adopt adequate security and data protection measures for the data used in the Mentor program, a computer system for schools and other entities that work with children.
The vulnerability that led to the security breach was as follows: the number the system assigns to each user was visible in the URL of one of the Mentor system pages, so that unauthorized persons had access to the national identification numbers (equivalent to the CNP) and avatars of more than 400 children. Although the operator had detected the vulnerability and remedied it technically, human error meant that the technical solution was not fully implemented until after the security breach.
While trying to manage the security breach, InfoMentor notified the supervisory authority and inadvertently forwarded the list of national identification numbers of the affected pupils to schools and data protection officers other than those concerned.
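The flaw described above, a record selected by a user number in the URL and served without a per-record authorization check, is shown here as an added example beside a hardened form. It is not InfoMentor's code: the session model, roles, function names and sample records are all hypothetical, and the field-minimization rule is an assumption that goes slightly beyond what the decision summary states.

```python
from dataclasses import dataclass

# Constructed sample data; ids, schools and values are hypothetical.
PUPILS = {
    1001: {"school": "A", "guardians": {"g1"}, "national_id": "ID-AAAA", "avatar": "1001.png"},
    1002: {"school": "A", "guardians": {"g2"}, "national_id": "ID-BBBB", "avatar": "1002.png"},
    2001: {"school": "B", "guardians": {"g3"}, "national_id": "ID-CCCC", "avatar": "2001.png"},
}

@dataclass(frozen=True)
class Session:
    user: str
    role: str          # "guardian" or "staff" (assumed roles)
    school: str = ""   # set for staff only

def card_unchecked(session, pupil_id):
    """'Before' form: returns whatever record the number in the URL names."""
    return PUPILS.get(pupil_id)

def may_view(session, pupil):
    """Object-level rule: guardians see their own children, staff their own school."""
    if session.role == "guardian":
        return session.user in pupil["guardians"]
    if session.role == "staff":
        return session.school == pupil["school"]
    return False

def card_checked(session, pupil_id):
    """Hardened form: authorize per record and return only the fields needed."""
    pupil = PUPILS.get(pupil_id)
    # Same answer for "no such pupil" and "not yours", so the handler does not
    # reveal which numbers exist.
    if pupil is None or not may_view(session, pupil):
        return None
    card = {"avatar": pupil["avatar"]}
    if session.role == "staff":  # national id only where the role needs it
        card["national_id"] = pupil["national_id"]
    return card
```
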
Although there was no evidence that children’s rights or interests were affected by the breach, the decision to impose the fine was mainly based on the following elements:
- The number of data subjects directly affected and potentially affected by the breach
- The fact that the data subjects were children, who are considered vulnerable persons under the GDPR and enjoy higher protection than other data subjects
- The fact that InfoMentor’s core business is the development of an IT system for schools and other entities that work with children.
Detailed information can be found on the website of the Icelandic Supervisory Authority and the full text of the sanctioning decision can be found here: https://www.personuvernd.is/information-in-english/greinar/personal-data-breach-in-the-information-system-mentor-administrative-fine