Østre Toten municipality – €348,000 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Østre Toten municipality was fined for failing to protect personal data during a ransomware attack. Hackers accessed and encrypted sensitive information, which was later found for sale on the dark web. This incident highlights the importance of strong cybersecurity measures for organizations handling personal data.
What happened
Østre Toten municipality suffered a ransomware attack that led to the exposure and loss of sensitive personal data.
Who was affected
Residents and employees of Østre Toten municipality whose sensitive information was compromised.
What the authority found
The Norwegian DPA found that Østre Toten municipality failed to protect personal data adequately, violating GDPR's security requirements.
Why this matters
This case underscores the critical need for robust data protection measures, such as two-factor authentication and secure backups, to prevent data breaches. Organizations should ensure they have strong security protocols to protect personal data from cyberattacks.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
In early 2021, a Norwegian municipality (Østre Toten kommune) realized it had been hit by a serious ransomware attack that locked employees out of key IT systems. Data had been encrypted and backups deleted. About 30,000 documents were affected by the breach, including information about ethnic origin, political opinion, religious belief, trade union membership, sex life/sexual orientation, health, pedagogical diagnosis, birth number, electronic ID and bank account. About 2,000 documents were later discovered for sale on the dark web. In total, about 160 GB of data was extracted and a large amount of data was irreparably lost.
The technical investigation revealed that the municipality had severe deficiencies in its IT systems and processes, including unsecured backups and the lack of two-factor authentication and proper log management. The criminals had likely gained access to the infrastructure through remote access solutions, combined with stolen login credentials which were likely obtained through phishing scams directed at the municipality's employees (about ten email addresses and passwords belonging to employees were discovered during the investigation).
The municipality notified the DPA about the breach and kept its inhabitants continuously informed. It also began comprehensive work to establish routines for processing personal data and for data breach management.
The Norwegian DPA found that the municipality had neither protected personal data sufficiently, nor had proper internal controls in place, in breach of Articles 5(1)(f), 24 and 32, cf. the Personal Data Act § 26(1) (https://lovdata.no/dokument/NL/lov/2018-06-15-38). For this, the Norwegian DPA fined the municipality €409,768 (NOK 4,000,000). In addition, the DPA instructed the municipality to establish and implement an appropriate information security management system, and to conduct (and document) risk assessments for all key systems in their infrastructure with the aim of i
Fine
€348K
Details
Fine Date
18 October 2021
Authority
Datatilsynet (Norway)
Fine Amount
€348,000
4,000,000 NOK
GDPRhub ID
gdprhub-4287
About this data
Cite as: Cookie Fines. Østre Toten municipality - Norway (2021). Retrieved from cookiefines.eu