Istituto Nazionale Previdenza Sociale – Violation Found (Italy, 2024)
The Italian DPA found that Istituto Nazionale Previdenza Sociale allowed unauthorized access to personal data due to a technical error. This is important because it shows that even large organizations can make mistakes that compromise user privacy. Companies should regularly check their systems to prevent such breaches.
What happened
Istituto Nazionale Previdenza Sociale experienced caching errors that allowed unauthorized access to personal data for about 30 minutes.
Who was affected
Users of the INPS portal whose personal information was exposed during the caching error.
What the authority found
The Italian DPA identified that the organization failed to secure personal data properly, leading to unauthorized access.
Why this matters
This incident emphasizes the need for robust technical safeguards in online systems. Organizations should prioritize security to protect user data from breaches.
Original data from scraper before AI verification against source document.
On March 31, 2020, INPS changed its CDN technology (a Content Delivery Network is a system that uses servers located in different places to deliver web content quickly to users around the world) to handle a large number of people accessing its website at the same time, which was especially important during the high demand caused by the COVID-19 pandemic benefits. However, the setup led to caching errors that allowed unauthorized access to personal data for about 30 minutes. Instead of showing users only their own information, the system showed some users' personal information to others who visited the website during that period. This happened because some pages that contained sensitive information were not excluded from caching.
On April 1, 2020, the new system went live, and almost immediately it was discovered that the system allowed unauthorized access to claims applications. On the same day, INPS notified the Garante of the CDN data breaches, which occurred because incorrect caching configurations caused cached personal data to be displayed to other users. This data breach involved personal details displayed on the INPS portal, such as tax codes, names, addresses, and email contacts, among other information.
On April 2, 2020, another breach happened in the context of emergency measures during the pandemic, specifically around the application process for a babysitting service bonus that began on April 1, 2020. Due to the hurried implementation and simplified access measures (like a simplified PIN system), the application procedure did not adequately differentiate between different user types. As a result, some users were wrongly granted access levels typically reserved for authorized intermediaries (like patronages), allowing them to view, modify, or submit applications that contained personal data.
On April 3, 2020, INPS published a notice about the data breach on their homepage and set up a de
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Istituto Nazionale Previdenza Sociale in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
17 July 2024
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-8497
Cite as: Cookie Fines. Istituto Nazionale Previdenza Sociale - Italy (2024). Retrieved from cookiefines.eu