Salling Group – Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Danish Data Protection Agency (Datatilsynet) found that Salling Group had stored customer usernames and passwords in plain text in a monitoring log file, exposing them to unauthorised access. This matters because it shows that passwords must be stored only in irreversible (hashed) form and must be kept out of logs and monitoring data altogether.
What happened
Salling Group stored customer usernames and passwords in plain text in a log file, which could be accessed by 146 employees.
Who was affected
The affected individuals were customers of Salling Group's websites, including Føtex, Bilka, Netto, Salling, and Carl Junior.
What the authority found
The DPA found that storing passwords in plain text violated GDPR's security requirements, specifically Article 32(1), and ordered Salling Group to notify affected customers.
Why this matters
This case underscores that passwords must never be stored or logged in readable form: they should be kept only as salted, irreversible hashes produced by a dedicated password hashing function, and monitoring or logging systems must be designed so that credentials cannot end up in them by accident. The DPA treated a large customer base and an attractive target (an online shopping platform) as reasons to demand a higher standard of protection, and businesses should expect the same.
GDPR Articles Cited
Article 32(1) GDPR (security of processing).

Salling Group (the controller) is Denmark's largest retail group and serves 11 million customers per week. In 2021, it implemented a system allowing customers to shop on its websites (Føtex, Bilka, Netto, Salling and Carl Junior) using the same username and password (the Salling Group profile). The controller also set up a monitoring tool to record incidents and events about customers' access to the websites.

In May 2022, the controller found that the monitoring system's log file had, by mistake, been storing customers' usernames and unencrypted passwords for the website "hjem.foetex.dk". As a result, 146 people employed by the controller had technical access to the data. Anyone misusing the login credentials could access the customer's name, address, email address, telephone number, masked card information and purchase history. The controller reported the breach to the DPA.

The DPA held that in systems holding confidential information about a large number of users, higher requirements must be placed on the controller to prevent unauthorised access to the data. In particular, the controller must store passwords at all times in irreversibly encrypted (hashed) form, so that they are not immediately readable and cannot be recreated in a readable format. The DPA also emphasised that storing passwords in plain text poses a high risk to data subjects, both because they can be misused internally and because shopping platforms are known to be a common target of cyberattacks. Storing passwords in a readable format in a log file therefore violates Article 32(1) GDPR.

Consequently, the DPA reprimanded Salling Group for the violation and ordered it to notify the affected data subjects about the breach by 1 August 2022.
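The two controls the DPA's reasoning points to, as an added example that is not code from Salling Group, the DPA or cookiefines.eu: passwords are kept only as salted, irreversible scrypt hashes (argon2id would do equally well), and the monitoring logger is fed from an allow-list of request fields with a redaction filter as a last line of defence against exactly the mistake described above. The logger name, the user, the passwords, the client address and every log line are constructed for the example; only the site name hjem.foetex.dk comes from the page.

```python
"""Added example (not code from Salling Group, the DPA or cookiefines.eu).

1. hash_password/verify_password: passwords exist only as salted scrypt
   hashes, so neither a leaked table nor a log can be turned back into them.
2. monitoring_event + RedactCredentials: the monitoring log never receives
   the password; events are built from an allow-list of fields, and a
   logging filter scrubs any credential-looking field that still gets in.

User, passwords, client address, logger name and log lines are constructed.
"""
import hashlib
import hmac
import io
import logging
import os
import re

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1          # about 16 MiB per hash
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing 'scrypt$N$r$p$salt$hash' string (hex fields)."""
    salt = salt or os.urandom(16)                      # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        alg, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p),
                            maxmem=64 * 1024 * 1024, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class RedactCredentials(logging.Filter):
    """Scrub key=value / key: 'value' credential fields before any handler sees them."""
    _pat = re.compile(
        r"""(?i)\b(%s)\b(\s*["']?\s*[:=]\s*)(?:(["'])[^"']*\3|[^\s,&}]+)"""
        % "|".join(SENSITIVE_KEYS))

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self._pat.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = ()                               # message is already rendered
        return True


def build_monitoring_logger(stream) -> logging.Logger:
    log = logging.getLogger("example.monitoring")     # hypothetical logger name
    log.handlers.clear()
    log.filters.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    log.addFilter(RedactCredentials())
    return log


def monitoring_event(request: dict, outcome: str) -> dict:
    """Allow-list: only these request fields may ever reach the monitoring log."""
    allowed = ("username", "site", "client_ip")
    event = {k: request[k] for k in allowed if k in request}
    event["outcome"] = outcome
    return event


def login(request: dict, users: dict, log: logging.Logger) -> bool:
    stored = users.get(request.get("username", ""))
    ok = stored is not None and verify_password(request.get("password", ""), stored)
    log.info("login %s", monitoring_event(request, "success" if ok else "failure"))
    return ok


def demo() -> tuple:
    """One good and one bad login, then a raw request dumped the way a careless
    monitoring hook would do it. Returns (ok, failed, captured_log_text)."""
    buf = io.StringIO()
    log = build_monitoring_logger(buf)
    users = {"anna@example.com": hash_password("correct horse battery")}  # constructed
    good = {"username": "anna@example.com", "password": "correct horse battery",
            "site": "hjem.foetex.dk", "client_ip": "203.0.113.7"}
    bad = dict(good, password="wrong")
    ok = login(good, users, log)
    failed = login(bad, users, log)
    log.info("raw request: %s", good)                  # the mistake; the filter catches it
    return ok, failed, buf.getvalue()


if __name__ == "__main__":
    print(demo()[2])
```

The allow-list in monitoring_event is the real control: a log that is built from named fields cannot contain a password no matter what the request carried. The regex filter is deliberately a backstop only; it catches the common key=value and quoted-JSON shapes but will not recognise a password that is embedded in free text, so it is no substitute for keeping credentials out of the event in the first place.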
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Salling Group in DK
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Salling Group - Denmark (2022). Retrieved from cookiefines.eu