Sensitive data of more than 130,000 people was not sufficiently secured in the state application

22 November 2020


A Slovak IT company pointed out insufficient security in the state application Moje eZdravie ("My eHealth"). The data in this application was not adequately protected and could have been stolen. The application was developed in connection with the coronavirus pandemic, and its operator is the Slovak Republic.


What data was vulnerable to attacks?

The information that could have been stolen was personal data that could be linked to specific individuals: name, surname, birth number (the Slovak national personal identifier) and COVID-19 test result.


Sufficient security should not be underestimated

The data in the application was stored in unencrypted form, i.e. it was insufficiently protected. Based on the available information, we can conclude that information security standards were not observed in this case and that the personal data of the persons concerned was not secured.

GDPR legislation strictly requires sufficient security measures, whether specific or standard, depending on the context, nature, purpose and scope of the processing. In this case the data could have been secured in several ways, for example by encrypting it. Companies also use so-called ethical hacking to identify shortcomings in their applications: they pay an expert to test the system for vulnerabilities, and the errors found are recorded and corrected.

The GDPR names encryption as one of the measures for securing data. The question is why the data in the application was not encrypted. In this case we can speak of a privacy violation. The state may be sanctioned for this mistake and may even be fined.


The fine for a breach of the GDPR Regulation can rise up to millions of euros

Violation of the regulation can result in a massive fine. The fine may be calculated at up to EUR 20 000 000 or 4% of total turnover for the previous year, whichever is greater. The amount of the fine depends on the gravity and the individual nature of the infringement. If the personal data in this application were misused and legal proceedings were initiated, the amount could climb to hundreds of thousands of euros.


GDPR legislation and cyber security

This particular case falls into the category of a cyber security incident and a personal data breach. State institutions and public administration bodies are subject to special regulations, such as Act no. 69/2018 Coll. on Cyber Security and Act no. 95/2019 Coll. on Information Technology in Public Administration. It is not unusual for public authorities and public administration bodies to neglect security. The reasons vary: a lack of experts, little funding, or insufficient knowledge of the issue can all lead to serious mistakes.


The GDPR has given personal data a higher level of protection, and security standards such as ISO must be observed as well.
