Istituto Nazionale Previdenza Sociale – Violation Found (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Istituto Nazionale Previdenza Sociale (INPS) faced a violation finding after a technical error exposed personal data on its website for about 30 minutes. This incident is significant because it highlights the importance of proper data handling during system updates. Organizations should ensure their systems are secure to protect user information.
What happened
INPS experienced a data breach that allowed unauthorized access to personal data due to caching errors during a system update.
Who was affected
Users who accessed the INPS website during the incident were affected, as their personal information was exposed.
What the authority found
The Italian DPA found that INPS did not adequately protect personal data during a system change, violating GDPR requirements for data security.
Why this matters
This situation underscores the need for organizations to thoroughly test and secure their systems before implementing changes to prevent data breaches.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
On March 31, 2020, INPS changed its CDN technology (a Content Delivery Network is a system that uses servers located in different places to deliver web content quickly to users around the world) to handle a large number of people accessing its website at the same time, which was especially important during the high-demand period caused by the COVID-19 pandemic benefits. However, the setup led to caching errors that allowed unauthorized access to personal data for about 30 minutes. Instead of showing users only their own information, the system ended up showing some users' personal information to others who visited the website during that time period. This happened because some pages that contained sensitive information were not excluded from caching. On April 1, 2020, the new system went live, and almost immediately it was discovered that the system allowed unauthorized access to claims applications. On the same day, INPS notified the Garante of the CDN data breaches, which occurred because incorrect caching configurations led to unauthorized access to personal data by displaying cached personal data to other users. This data breach involved personal details displayed on the INPS portal, such as tax codes, names, addresses, and email contacts, among other information. On April 2, 2020, another breach happened in the context of emergency measures during the pandemic, specifically around the application process for a babysitting service bonus that began on April 1, 2020. Due to the hurried implementation and simplified access measures (like a simplified PIN system), the application procedure did not adequately differentiate between different user types. As a result, some users were wrongly granted access levels typically reserved for authorized intermediaries (like patronages), allowing them to view, modify, or submit applications that contained personal data. On April 3, 2020, INPS published a notice about the data breach on their homepage and set up a de
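The failure mode described above, a CDN edge that stores a personalised page under a key that does not include the user and then serves it to the next visitor, can be reproduced and checked for before a cut-over. The following is an added example, not code from INPS, the Garante decision or any real CDN: a toy edge cache keyed on path only, two hypothetical origins (one that emits no caching directive on profile pages, one that marks them private/no-store), and a pre-deployment audit that flags pages whose body differs per user yet would be stored. The tax codes and user names are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple

@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)

# An origin takes (path, user) and returns the page that user would see.
Origin = Callable[[str, str], Response]

# Constructed sample data, not real identifiers.
FAKE_TAX_CODES = {"alice": "ALC-0001", "bob": "BOB-0002"}


class EdgeCache:
    """Minimal CDN edge: the cache key is the path alone, as a naive CDN rule would use.
    Personalised pages are kept out only by an explicit exclusion rule or by a
    Cache-Control: private / no-store directive from the origin."""

    def __init__(self, excluded_prefixes: Iterable[str] = ()):
        self.store: Dict[str, Response] = {}
        self.excluded_prefixes = tuple(excluded_prefixes)

    def cacheable(self, path: str, resp: Response) -> bool:
        if self.excluded_prefixes and path.startswith(self.excluded_prefixes):
            return False  # CDN-side exclusion rule (what was missing in the incident)
        raw = resp.headers.get("Cache-Control", "")
        directives = {d.strip().lower() for d in raw.split(",")}
        return not (directives & {"private", "no-store"})

    def fetch(self, path: str, user: str, origin: Origin) -> Tuple[Response, str]:
        if path in self.store:
            return self.store[path], "HIT"  # served regardless of who is asking
        resp = origin(path, user)
        if self.cacheable(path, resp):
            self.store[path] = resp
        return resp, "MISS"


def origin_misconfigured(path: str, user: str) -> Response:
    """Hypothetical origin: profile pages carry no caching directive at all."""
    if path.startswith("/profile"):
        return Response(f"user={user} taxcode={FAKE_TAX_CODES[user]}")
    return Response("<shared logo bytes>", {"Cache-Control": "public, max-age=3600"})


def origin_fixed(path: str, user: str) -> Response:
    """Hypothetical origin: profile pages tell every cache not to store them."""
    if path.startswith("/profile"):
        return Response(f"user={user} taxcode={FAKE_TAX_CODES[user]}",
                        {"Cache-Control": "private, no-store"})
    return Response("<shared logo bytes>", {"Cache-Control": "public, max-age=3600"})


def cross_user_leak(origin: Origin, excluded_prefixes: Iterable[str] = ()) -> Tuple[bool, str]:
    """Alice loads her profile, then Bob loads his. Returns (bob_saw_alice, cache_status)."""
    edge = EdgeCache(excluded_prefixes)
    edge.fetch("/profile", "alice", origin)
    resp, status = edge.fetch("/profile", "bob", origin)
    return ("user=alice" in resp.body, status)


def audit_cacheable_personalised(origin: Origin, paths: Iterable[str],
                                 excluded_prefixes: Iterable[str] = ()) -> List[str]:
    """Pre-deployment check: fetch each path as two different users and flag any
    path whose body differs per user but which the edge would still store."""
    edge = EdgeCache(excluded_prefixes)
    risky = []
    for path in paths:
        a, b = origin(path, "alice"), origin(path, "bob")
        if a.body != b.body and edge.cacheable(path, a):
            risky.append(path)
    return risky


if __name__ == "__main__":
    print("misconfigured:", cross_user_leak(origin_misconfigured))
    print("origin fixed:  ", cross_user_leak(origin_fixed))
    print("CDN rule only: ", cross_user_leak(origin_misconfigured, ("/profile",)))
    print("audit:", audit_cacheable_personalised(origin_misconfigured,
                                                 ["/profile", "/static/logo.png"]))
```

The audit is the part worth running against a real staging CDN: request every authenticated page twice with different test accounts, and treat any response that differs by user while lacking `private`/`no-store` (or a matching edge exclusion rule) as a blocker for go-live. Either control alone prevents the cross-user hit; applying both means a missed CDN rule or a missed header does not become a 30-minute exposure window.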
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Istituto Nazionale Previdenza Sociale in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
17 July 2024
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-8497
Cite as: Cookie Fines. Istituto Nazionale Previdenza Sociale - Italy (2024). Retrieved from cookiefines.eu