
DANISH SUPERVISORY AUTHORITY: new decision – personal data protection breach at Dantherm

The Data Protection Authority has criticized Dantherm for not having implemented adequate security. The company has failed to demonstrate that the processing has been compliant.

The Data Protection Authority has ruled in a case in which Dantherm had notified a personal data breach to the Supervisory Authority.

Dantherm was the victim of a ransomware attack in which hackers gained access to Dantherm’s IT environment, from which the hackers leaked information about current and former employees on the dark web.

The hackers probably gained access via the user account “AV”, which had administrator rights. The account had previously been used by an external consultant who should not have had access at the time of the attack. The hackers deleted most of the log files. Dantherm could not say whether the “AV” account had been deactivated or activated.

The Data Protection Authority has stated that administrative rights must allow access only to the relevant limited resources (computers, active devices, applications, services or similar) and that all uses of those rights must be logged. Log files have to be stored in such a way that users with administrative rights cannot switch off, delete or modify the log.

Lack of security measures

The Data Protection Authority has found that Dantherm’s processing of personal data did not meet adequate security standards.

In its assessment, the Authority has underlined that Dantherm had not ensured that users with administrative rights could not delete or modify log files.

Furthermore, the Authority has found that Dantherm had not complied with the requirement that the controller be able to demonstrate adequate security for the processing of personal data. In this context, the Authority has underlined that Dantherm was not able to document the periods in which the “AV” account was active.

In this context, the Authority has found reasons to criticise Dantherm for not having processed personal data in compliance with data protection rules.

The case concerned so-called cross-border processing of personal data, as employees in Germany, Poland and the United Kingdom, among others, were also affected by the breach. The Data Protection Authority has taken its decision as lead supervisory authority under the “one-stop-shop” mechanism.

SOURCE: DANISH DATA PROTECTION AUTHORITY
