Municipality of Østre Toten fined | Datatilsynet

Municipality of Østre Toten fined
The Norwegian Data Protection Authority has fined the municipality of Østre Toten NOK 4 million. The municipality has also been ordered to implement a suitable control system for information security and personal data protection.

The municipality was the target of a serious cyberattack in January of 2021. As a consequence of the attack, employees could no longer access most of the municipality’s IT systems, the municipality’s data was encrypted, and back-ups were erased. Ransom messages were found in a number of locations. In March of 2021, it was established that parts of the data had been published on the dark web. The municipality has estimated that approximately 30,000 documents were affected by the attack. These documents contained in part highly sensitive information about the municipality’s residents and employees.

- The Data Protection Authority has concluded that the personal data security of the Municipality of Østre Toten was severely and fundamentally flawed, Director General Bjørn Erik Thon says.

Fundamental flaws
These flaws concerned logging and log analysis, backup protection, and the lack of two-factor authentication or similar security measures. The firewall was sparsely configured in terms of logging, and much of the internal traffic was never logged. Servers were not configured to send logs to a central log server, and also failed to log significant events. Furthermore, the municipality had failed to protect backups from intentional and accidental erasure, manipulation or reading.

- We find this cyberattack to be especially serious, as it has affected a significant share of municipal data, control of the personal data has been lost entirely, and data has been shared on the dark web to an extent we do not know, Thon says.

Several aspects have been emphasized
The Data Protection Authority has therefore decided to fine the Municipality of Østre Toten NOK 4,000,000 and order the municipality to implement satisfactory personal data protection.

As a result of the cyberattack, the municipality has had to spend considerable amounts of money restoring a functional IT system and ensuring satisfactory information security. The municipality’s economy has been considered in our calculation of the fine. We have also taken into account that the municipality has worked closely with supervisory authorities, law enforcement, the local community and municipal employees since the incident was discovered.

- Without this effort, the fine would likely have been significantly higher, Thon concludes.