UAB Prime Leasing – €110,000 Fine (Lithuania, 2021)

The Lithuanian DPA has fined UAB Prime Leasing, the operator of the short-term car rental platform CityBee, EUR 110,000. The DPA conducted the investigation on its own initiative after information about a possible personal data breach (Art. 33 GDPR) of the company's customers became public in February 2021. According to the company, they learned about the security breach from another cybersecurity service provider who informed them that the customer data of 110,302 CityBee users had been published on the website of the hacking forum RaidForums.com. This included data such as names, addresses, phone numbers, email addresses, personal identification numbers, driver's license numbers, type of payment card and the last four digits of the card number of the data subjects. The DPA's investigation revealed that the published data originated from an unsecured backup copy of a database. The DPA found that the data breach occurred due to the company's failure to comply with its obligation to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects. The company had, for example, failed to appoint a person with appropriate competence to be responsible for security and risk management. It had also failed to ensure that accesses to database files were logged and evaluated. In addition, the company had stored the database unencrypted, so that a person with technical knowledge could have had full access to the data in the file after downloading it. The personal codes in the database were furthermore stored unprotected and the passwords in the database were only encrypted with an encryption algorithm that was considered insecure.