Education Agency for Oslo municipality – €104,400 Fine (Norway, 2019)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Education Agency for Oslo municipality in Norway was fined for security flaws in its school communication app, which exposed student data. The app allowed unauthorized access to sensitive information, violating GDPR rules. The fine was reduced due to the agency's quick response to fix the issues.
What happened
The Education Agency's school app had security flaws that allowed unauthorized access to student data.
Who was affected
Over 63,000 students whose personal data was exposed due to the app's security vulnerabilities.
What the authority found
The Norwegian data protection authority fined the agency for failing to secure personal data, violating GDPR's requirements for data protection and accountability.
Why this matters
This case highlights the need for thorough security testing before launching apps that handle personal data. Organizations should prioritize data security to prevent breaches and potential fines.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The case concerned vulnerabilities in the mobile app “Skolemelding”. In the application, pupils and guardians can communicate with teachers and administration at the school. There was a security issue with the application, where unauthorized users could access the application as authorized users and thus gain access to the personal data of students. More than 63 000 pupils were included in the data breach. In the application it was also possible to register special categories of data concerning the pupil in a “free-text” format, for example when sending the school information about why the pupil was too sick to attend school.
The fine was issued on the basis of a lack of security surrounding the log-in function, a breach of Article 32(1)(b). In addition, the application was launched without proper security testing, and included security flaws well known to the security community, a breach of Article 32(1)(d). Finally, launching the application with an unacceptable vulnerability, which the municipality did not take proper steps to close, and a lack of control over the supplier (CGI) regarding the results of the security testing, was a breach of the principle of accountability following Article 5(2) in conjunction with Article 5(1)(f).
The issued fine was NOK 1,200,000 (approximately €120,000), which was lower than the initially suggested fine of NOK 2,000,000 (approximately €200,000). The fine was lowered in part due to the quick action by the municipality to address the flaws and secure the personal data, and in part due to cooperation with the DPA, showing a will to fix the security flaws. The municipality did not contest the evaluation by the DPA regarding the scope of the security breach.
Related Enforcement Actions (0)
No other enforcement actions found for Education Agency for Oslo municipality in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
11 October 2019
Authority
Datatilsynet (Norway)
Fine Amount
€104,400
1,200,000 NOK
GDPRhub ID
gdprhub-1977
About this data
Cite as: Cookie Fines. Education Agency for Oslo municipality - Norway (2019). Retrieved from cookiefines.eu