Tuesday, May 24

Million-kroner fine notified to the Storting’s administration after the 2020 data breach

Notice of a NOK 2 million infringement fee after the 2020 data breach. The Norwegian Data Protection Authority (Datatilsynet) believes that two-factor authentication could have stopped the attack.

Last year, Storting director Marianne Andreassen had to brief the press about new IT attacks against the Storting. The Storting’s administration has now been notified by the Norwegian Data Protection Authority of a fine for inadequate IT security.

– The Data Inspectorate takes a serious view of the fact that the Storting had not implemented good enough technical measures that could have averted the breach, for example through the use of two-factor authentication, says the Data Inspectorate’s director Bjørn Erik Thon in a press release.

The data breach in August 2020 involved unauthorized logins to the e-mail accounts of an unknown number of parliamentary representatives and of employees in the administration and the party group secretariats.

Aftenposten has revealed that the then Storting director Ida Børresen and Storting president Olemic Thommessen stopped the Office of the Auditor General’s attempt to investigate IT security in the Storting in 2017.

At that time, Norway’s leading elected representatives had no classified (graded) network, no classification of information had been carried out, and no risk analysis of the Storting’s IT services had been performed.

The Norwegian Data Protection Authority has now issued a so-called advance notice of a decision to impose an infringement fee. This means that the decision is not yet final: the Storting’s administration has the right to respond to the Norwegian Data Protection Authority’s criticism before a final decision is made.

Criticism for lack of IT security

As Aftenposten reported last autumn, the Office of the Auditor General discovered several security holes in the Storting in 2017. However, the Office of the Auditor General’s report was never completed and never formally submitted to the Storting. Instead, the Office of the Auditor General’s audit was halted by the Storting.

When Aftenposten demanded access to the investigation material last autumn, several of the security holes nevertheless became publicly known.

One of the Office of the Auditor General’s findings was that the party groups in the Storting were the most exposed to hacking. In February last year, parliamentary representative Michael Tetzschner had 4,000 e-mails stolen in a hacking attack.

The Storting administration’s inadequate IT security for politicians is central to the Data Inspectorate’s criticism:

“The Data Inspectorate considers it very serious that the Storting’s administration has shown an inability to implement necessary security measures whose need the administration itself had identified when mapping the risks of its processing of personal data,” the Data Inspectorate writes in the advance notice of the decision.

The Data Inspectorate believes that the routines should be stricter, so that both employees and party groups receive mandatory training and so that breaches of data security can be sanctioned.

“The Data Inspectorate assumes that the Storting must be regarded as an attractive target for computer attacks, and that based on a risk assessment, a significantly stricter security regime should have been used as a basis,” the Data Inspectorate writes.

– Should have introduced two-factor authentication earlier

During the 2020 data breach, attackers downloaded data from several e-mail accounts containing information about both elected representatives and the Storting’s employees. This included bank and account details, national identity numbers and health information.

“Possible consequences for those affected by the attack could be misuse of identity, misuse of payment cards and use of information for extortion,” the Data Inspectorate states.

– The Data Inspectorate believes that if two-factor authentication had been introduced at an earlier stage, the chance of a successful attack would have been considerably smaller, says Thon.

On Monday, the Data Inspectorate therefore gave notice of an infringement fee of NOK 2 million to the Storting’s administration for not having implemented appropriate technical and organizational measures to achieve an adequate level of security.

The Data Inspectorate now expects the Storting’s administration to put its house in order:

“We assume that the Storting’s administration has a vested interest in setting up the Storting’s computer systems in line with the recommendations of the national professional authorities. It is the administration that is responsible for the operation of these systems, and for introducing the security measures that are necessary to make the systems robust, in accordance with the requirements of the law,” the Data Inspectorate writes.
