In Lithuania an administrative fine of EUR 110 000 was imposed on UAB Prime Leasing, the operator of the car-sharing platform CityBee, on 29 November 2021 for breach of Article 32(1)(a), (b) and (d) of the GDPR, which governs the obligation to ensure the security of processing of personal data. To date it is the highest fine ever imposed by the supervisory authority (SA) in Lithuania for GDPR violations.
The fine resulted from a personal data breach (PDB) affecting the company's customers: the sensitive personal data (full name, personal identification number, driving licence number, address, telephone number, e-mail address, some payment card details and the user identifier (token) in Braintree) of 110,302 CityBee users, stored in plain text in an unprotected database backup BACPAC file (DB file), was disclosed and made public (published in CSV files on the website RaidForums.com). The SA concluded that this PDB lasted from 27 February 2018 to 16 February 2021.
The investigation performed by SA revealed that the company failed to ensure adequate personal data management and control, such as:
not appointing the competent security and risk management specialist;
not separating the duties and responsibilities in the field of IT development and maintenance from the duties and responsibilities in the field of cyber security;
not ensuring that access to the DB file was logged and that log entries were recorded and stored;
not ensuring that actions performed on DB files are recorded, monitored and evaluated;
not encrypting the DB file;
hashing the passwords in the DB file with the weak and relatively insecure hashing algorithm SHA-1;
enabling users to choose a password that did not comply with the requirements for the creation of passwords set out in the company's IT security policy.
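The two password-related findings above (plain SHA-1 hashing, and passwords that did not meet the company's own policy) are the ones a defender can illustrate directly. The following Python is an added example, not code from the decision or from CityBee: it shows why a fast, unsalted SHA-1 digest is unsuitable for stored passwords (two users with the same password get the same digest, and each guess costs one cheap hash), beside a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) and a hypothetical policy check. The policy thresholds are assumptions standing in for the company's actual IT security policy, which the decision does not quote.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# "Before" picture described in the decision: passwords stored as plain SHA-1.
# No salt and a very fast hash, so identical passwords yield identical digests
# and anyone holding the dump can test candidates at very high speed.
def legacy_sha1_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Hardened form: a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).
# The salt makes equal passwords look different at rest; the iteration count
# makes every guess expensive for an attacker who obtains the stored hashes.
PBKDF2_ITERATIONS = 600_000  # assumed work factor, in line with current OWASP guidance


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the parameters can be rotated later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hypothetical policy check (assumed thresholds): the decision faulted the company
# for accepting passwords that its own policy would have rejected, so the check
# has to run at registration and password change, not only be written down.
def meets_policy(password: str, min_length: int = 12) -> bool:
    return (
        len(password) >= min_length
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def register(password: str) -> str:
    """Enforce the policy, then store only a salted, iterated hash."""
    if not meets_policy(password):
        raise ValueError("password does not meet the IT security policy")
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    shared = "Summer2020!xyz"
    print("legacy digests equal:", legacy_sha1_hash(shared) == legacy_sha1_hash(shared))
    print("salted records equal:", register(shared) == register(shared))
    record = register(shared)
    print("verify ok:", verify_password(shared, record))
    print("verify wrong:", verify_password("Summer2020!abc", record))
```

Reading the two comparisons side by side is the point: a dump of plain SHA-1 digests immediately reveals which users share a password, while the salted records do not, and the iterated hash additionally raises the cost of every offline guess by the chosen work factor.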
The SA also concluded that the company did not assess or manage, and could not have managed, the risks associated with the loss of confidentiality of the personal data contained in this DB file (with appropriate organisational and technical security measures), as, according to the company, it was not aware that this DB file existed in the IT infrastructure it managed. This led directly to the personal data breach and created the conditions for it to occur (sooner or later).
In addition, 433 users who had provided a residential address in other EU and/or EEA countries were identified, so the decision was also agreed with the SAs of Ireland, Germany, Austria, Italy, Portugal, Estonia, Belgium, Denmark, the Netherlands, Spain, Latvia, Sweden, Luxembourg, France, Norway, Finland, Slovakia and Slovenia.
The deadline for lodging an appeal against this SA decision with the court has passed and no appeal was lodged, so the decision of the SA is final and enforceable.