The company was aware of a vulnerability affecting its system (Mentor) and a solution had already been created. However, due to human error, the solution was not fully implemented into the System until the data breach occurred
When estimating the amount of the fine (circa €23.000) the DPA, among others, considered:
(+)The fact that the data subjects were children, whose personal data is afforded special protection under national law
(-) Lack of evidence of any harm suffered by the children affected by the data breach:
—- only limited data became accessible, national identification numbers and photos (avatars)
—- no evidence this data was misused or manipulated in any way
—- the #databreach was the result of actions of a logged-in user of the system and not an outside attack (the #personaldata could not have been accessed or misused by a third party without an account within the System)
0 comentarios