Bergen municipality – €139,200 Fine (Norway, 2019)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's data protection authority fined Bergen municipality EUR 139,200 for not securing user data in its school system. A student found and used login details due to weak security. This case shows the importance of strong security measures like two-factor authentication.
What happened
Bergen municipality failed to secure a school system, allowing a student to access sensitive user data.
Who was affected
Over 35,000 users of the school’s learning management system, including students and staff.
What the authority found
The authority found Bergen municipality violated GDPR by not implementing adequate security measures, such as two-factor authentication.
Why this matters
This case highlights the need for robust security practices in educational institutions. It serves as a warning to ensure systems are protected with measures like two-factor authentication.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
In May 2018 a pupil at a school in Bergen notified the ICT helpdesk of a folder he had found online, containing several files with usernames and passwords of over 35,000 users. However, the school management did not follow up on the notice. In August, the pupil logged onto the learning management system as the school's principal and sent a message to several people. He later said that he did so because the school had failed to take his first notice seriously. When the school discovered this, it notified the police, who found out that the pupil had sent the notification. He admitted he had simply guessed the principal's password.
The municipality did not first notify the Norwegian DPA (Datatilsynet) of the breaches; the DPA initially learned of them after being contacted by several media outlets (after the municipality sent out a press release the same day).
The DPA's investigation revealed that the school had failed to enable two-factor authentication, despite a campaign the DPA conducted in 2013-2014 in the education sector. At the time, the DPA instructed all municipalities in Norway to enable strong authentication on their learning management systems and other administrative systems. Thus, the DPA argues that it is beyond doubt that Bergen municipality was well aware of this security requirement. Following this incident, the municipality reset all passwords and enabled two-factor authentication.
The DPA first instructed Bergen municipality to enable two-factor authentication in their systems, cf. Article 5(1)(f) GDPR, cf. Article 32(1)(b). Second, the DPA fined the municipality about €158,315 (NOK 1,600,000) for the lack of sufficient technical and organisational measures required by Article 5(1)(f) and Article 32(1)(a) and Article 32(1)(b).
Details
Fine Date
18 March 2019
Authority
Datatilsynet (Norway)
Fine Amount
€139,200
1,600,000 NOK
GDPRhub ID
gdprhub-4531
About this data
Cite as: Cookie Fines. Bergen municipality - Norway (2019). Retrieved from cookiefines.eu