BRAbank ASA, formerly Easybank ASA, has accepted our notice of fine in its entirety, and the Data Protection Authority has therefore issued a fine in accordance with the notice.
Background
This matter began with a notice of a personal data breach on 6 September 2019 from what was then Easybank ASA. According to the notice, some customers were able to see loan information about other customers when they launched “My Page” for a small selection of customers. “My Page” is a solution where customers can view information about their loan agreements.
If the customer followed a link to verify contact information, they would get access to the contact information of other customers. This information was not necessarily connected to the loan to which they had access. Some customers also gained access to another customer’s address information, and some gained access to the wrong loan information. The incident occurred during a period when “My Page” had been rolled out to a selection of 500 of the bank’s customers.
The customers potentially affected by the incident have been notified by BRAbank.
Inadequate risk assessment and testing
Upon reviewing the matter, the Data Protection Authority has concluded that the bank did not meet the requirements of the GDPR for risk assessment and appropriate technical measures (testing) in connection with the launch of the customer portal. The Data Protection Authority’s assessment is that the personal data breach could have been prevented had the bank carried out the appropriate risk assessment and testing as required by the law.
The GDPR requires that the data controller carry out risk assessments and implement technical measures, such as testing, as appropriate in light of the risk its services entail for the data subjects.
Data of a private nature
In this case, the Norwegian DPA have deemed it an aggravating factor that the bank is processing its customers’ financial data, a type of personal data many individuals deem especially private. This is particularly true for information concerning consumer loans and refinancing. The private nature of this data affects the technical and organisational measures the data controller has a duty to implement to protect personal data security.
As opposed to information about income, financial information is not publicly available.