Dantherm A/S – Violation Found (Denmark, 2021)

Personal data about a company's employees was spread on the dark web following a ransomware attack. The attackers had most likely gained access through an administrator account that was no longer in use. However, it was difficult to exactly determine the dynamic of the attack since the attackers had deleted relevant log files. The controller reported the breach to the Danish DPA. The Danish DPA found that the controller had failed to implement appropriate technical and organisational security measures in light of the risks for the rights and freedoms of natural persons per Article 32(1) GDPR. The DPA highlighted that administrator rights should only be given to employees in need of such rights. The rights should be given on a temporary basis and should be revoked when the need is no longer present. Furthermore, log files should be hidden from all accounts, including those with administrator rights. Users with administrator rights should not be able to delete or alternate the log files. The DPA also held that the controller had breached Article 24(1) GDPR by not being able to demonstrate the implementation of appropriate measures. Because the log files had been deleted, the controller could not demonstrate how the attackers had gained access or when the suspected administrator account had been active. As a consequence, the Danish DPA decided to issue criticism of the controllers processing of personal data.