The Italian data protection authority has issued its first GDPR fine. This one is interesting, for multiple reasons:
- The platform in question was fueling the populist 5-Star Movement – a movement that ended up in Italy’s coalition government
- The privacy regulator’s investigation started after numerous hacks and malfunctions of web services – leading to a privacy complaint being sent to the regulator
- The fine was issued primarily based on deficiencies in technical security controls in the Rousseau platform – things like weak cryptographic controls and lack of audit logging of database transactions
The Rousseau platform can be found at https://rousseau.movimento5stelle.it/. It describes itself as follows:
rosseau.movimento5stelle.it (English translation by Google)
Rousseau is the operating system of the 5 Star Movement.
Its objectives are the management of the various elective components (Italian and European parliaments, regional and municipal councils) and the participation of members in the life of the 5-star Movement. On Rousseau it is possible to propose a law, to vote for the choice of electoral lists or to define the political positions of the 5-Star Movement with respect to specific topics.
In other words – considering its stated purpose, the platform should care about security.
Reasons for the fine
The following list of security weaknesses, which formed the basis for the fine, is taken from the regulator’s description found here.
- The Rousseau platform used an outdated CMS (content management system) for which updates were no longer available. The CMS in question was Movable Type 4, which reached end of life in 2013. If this seems a bit harsh, a simple search on the NVD shows that the Rousseau system was practically open to anyone wishing to hack it.
- The application had several authentication-related weaknesses, including unsalted password hashes and weak passwords. These had essentially been fixed within the deadline set by the regulator.
- The application had weaknesses in audit logging, especially of administrative access, as well as deficiencies in tamper protection for logs.
There were also other issues, such as failure to comply with best practices for e-voting systems.
Securing personal data
This clearly demonstrates that managing consent and DSARs (data subject access requests) is not enough. You actually have to care about the personal data you process – and this means managing information security. I am on purpose not calling it “securing the data” because information security goes far beyond that. When we talk about securing data, people tend to think about requiring strong passwords and using encryption – and those are definitely important aspects of good information security. But they are far from the whole story – and regulators know this too, as exemplified by the criticism of the lack of logging of administrative actions on the database in the 5-Star Movement case.
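Two of the weaknesses the regulator cited above, unsalted password hashes and audit logs without tamper protection, are cheap to get right. The following Python is an added illustration written for this post, not code from the Rousseau platform or from the regulator’s decision: it places an unsalted hash beside a salted PBKDF2 record, and keeps an administrative audit log as an HMAC chain in which editing or deleting any entry breaks verification of everything after it. The HMAC key, user names and admin actions are constructed sample values.

```python
"""Added example (not from the original post): salted password hashing and a
tamper-evident audit log for administrative actions. Standard library only."""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Tuple

# --- Password storage ---------------------------------------------------------

def weak_hash(password: str) -> str:
    """Unsalted SHA-256, shown only for contrast: every user with the same
    password gets the same record, so one precomputed table covers them all."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. A fresh 16-byte salt per user means equal
    passwords produce different records, and the work factor slows guessing."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

# --- Tamper-evident audit log ---------------------------------------------------

GENESIS = "0" * 64  # previous-tag value for the first entry

def append_entry(log: List[Dict], key: bytes, actor: str, action: str) -> Dict:
    """Tag each entry with an HMAC over its content plus the previous tag.
    The key must live outside the database the log describes (e.g. a separate
    log server or HSM), otherwise an admin who edits rows can also re-tag them."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    payload = {"seq": len(log), "actor": actor, "action": action, "prev": prev_tag}
    body = json.dumps(payload, sort_keys=True).encode()
    entry = dict(payload, tag=hmac.new(key, body, hashlib.sha256).hexdigest())
    log.append(entry)
    return entry

def verify_log(log: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Return (ok, index of first bad entry), with -1 when the chain is intact.
    Detects edited content, re-ordered entries and deleted entries."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        payload = {k: entry[k] for k in ("seq", "actor", "action", "prev")}
        body = json.dumps(payload, sort_keys=True).encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if (entry["seq"] != i or entry["prev"] != prev_tag
                or not hmac.compare_digest(expected, entry["tag"])):
            return False, i
        prev_tag = entry["tag"]
    return True, -1

if __name__ == "__main__":
    # Constructed demo values; the key would normally come from a secrets store.
    key = os.urandom(32)
    log: List[Dict] = []
    append_entry(log, key, "dba_anna", "reset password for member 1042")
    append_entry(log, key, "dba_anna", "export members table to CSV")
    print("chain intact:", verify_log(log, key))
    log[0]["action"] = "routine maintenance"   # silent edit by an insider
    print("after edit:  ", verify_log(log, key))
```

The point of the chain is that the log remains useful as evidence: an administrator who can rewrite rows in the application database cannot also rewrite the log’s history without the separately held key, and an auditor can tell exactly where the record stops being trustworthy.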
Where should you start if you are processing personal data but you do not have a robust information security program in place? Here are some pointers:
- Make sure security initiatives are backed from the top. The CEO has to care about security and ensure it is built into the way the organization does business. Security is not a technical add-on, it is a core part of the business processes.
- Have a set of rules and practices you want to follow. Don’t over-do it but create an information security policy that works for your business and that the CEO is happy to sign.
- The organization is not stronger than its weakest link. Because of this, security training and motivation for security are important in every department, for every role. Just make sure the expectations fit the people – don’t try to teach the receptionist the details of secure key exchange, but it is probably useful for the receptionist to know how to recognize phishing e-mails and to notice when a caller is trying to elicit information about decision makers. A combination of security topics integrated into staff meetings, security in day-to-day work and brief e-learning bites is a solid approach to delivering effective security awareness.
- Perform risk assessments that take security incidents into account. A good risk assessment makes it possible to create a risk reduction plan and turn goals into action. Read more about how that should work in our recent blog post on this.
- Make sure you know how the threats to your business change over time and update your risk assessments accordingly. When criminals are betting on ransomware it doesn’t help to have the greatest DDoS protection in the world. Threat intelligence keeps your security priorities in line with the evolving threat landscape; security is a moving target.
- Review your security work regularly – from how you work on awareness training, to configurations of firewalls, to risk assessments and incident response. Make it part of your normal quality assurance work – in projects, in internal auditing, in management meetings. The Plan – Do – Check – Adjust cycle for continuous improvement applies to information security just the same way it applies to HSE or sales strategies.
Need help with getting your security in shape – or tools to support the process? Let us know, we are here to help.
We are preparing to release a new kind of threat modeling tool called RiskTool – where the goal is to make it easy to create top-notch risk assessments. We’d appreciate it greatly if you would share your insights on what is easy and not in a typical risk assessment process with us in this very brief survey: https://forms.gle/tFRNwAGVrj9kuRVYA.