Data breach in 42 Latvian municipalities: DVI imposes 300000 euro fine on ZZ Dats | Baltic News Network

The Data State Inspectorate (DVI) has imposed a 300000 euro fine on SIA ZZ Dats in connection with last year's municipal data breach; the company has appealed the decision in court, the LETA news agency reports.

According to the Inspectorate, the data were stored in an information system maintained by ZZ Dats. Upon receiving information about a possible violation, the Inspectorate opened an investigation and found the company guilty of failing to fulfill the processor's obligations in accordance with Article 32 of the General Data Protection Regulation (GDPR).

For the violation identified, the company received an administrative penalty: a 300000 euro fine. ZZ Dats has appealed the decision to Riga City Court.

In relation to the breach, decisions were also made regarding the municipalities involved: they received reprimands, the DVI said.

As previously reported, certain individuals managed to gain unauthorized access to certain data from the Unified Municipal Information System between October 29 and November 2, 2024.

After the incident, ZZ Dats director Edžus Žeiris informed LETA that these individuals had managed to access a search index that contained a duplicated subset of data from the Unified Municipal Information System.

The incident directly affected 42 Latvian municipalities, excluding Riga.

Analysis by security specialists indicates that certain individuals accessed data on some municipal employees (including names, surnames, organizational unit, position, email address and phone number), data on municipal residents (natural persons), including names, surnames, personal ID numbers and registered addresses, as well as metadata (file descriptions) of records management documents from certain municipalities.

After the problem was identified on November 2, the necessary actions were taken to reconfigure system security and to prevent further unauthorized access, the company explained.

At the time, representatives of the Association of Certified Personal Data Protection Specialists of Latvia told LETA that responsibility for the municipal data breach should be assessed in the plural. They stressed that the system developer, ZZ Dats, is only a data processor and that, under the GDPR, municipalities (controllers) are responsible for choosing cooperation partners and setting standards to ensure the secure processing of personal data.

They also noted that ZZ Dats' communication, stating that the incident did not have direct consequences for residents because no passwords or banking information were copied, downplayed significant risks, since names, surnames, personal ID numbers and addresses were leaked. This information constitutes core personal data enabling full identification. The purposes of the data acquirers and possible uses of the data are unknown, the association cautioned.

The association also reminded that every municipality must appoint a Data Protection Officer (DPO).

Under the GDPR, a DPO monitors the controller's compliance with data processing requirements. The GDPR also stipulates that the controller is responsible for the DPO's meaningful involvement in data processing activities.

The association further stated that, based on publicly available information, the communication around the breach suggests GDPR requirements were not properly followed. The GDPR obliges controllers to actively manage a data breach, including adequately assessing its impact on the rights and freedoms of data subjects.

In 2024, ZZ Dats had a turnover of 117662 million and a profit of 3495 million.

ZZ Dats was registered in 1995 with share capital of 40000, according to Firmas.lv. The company is owned by Māris Zieme (40%), Inga Ziema (35%) and Edžus Žeiris (25%).

BNNLV