Highest GDPR-fine in Hungary: 290.000 EUR due to weak fragile website security 

Without a doubt, the breach of website security can be extremely expensive: Hungarian telecommunications company Digi just got fined a record breaking GDPR-penalty of 290.000 EUR – the highest fine imposed by the Hungarian Data Protection Authority (NAIH) thus far.

What happened?

An Ethical Hacker gained access to two of Digi’s databases containing various categories of personal data of subscribers – via a known vulnerability in the website which had not been fixed for years. One of the databases of the company storing personal data of customers (as many as 800.00 households in Hungary) was not encrypted and could have been used for identity theft, according to the NAIH. The exact amount of data subjects affected by the incident was not released by the authority. Nonetheless, according to the enforcement decision, it seems to have been rather significant.

Bernulius / shutterstock.com

In the case of Digi, their 100 million HUF fine (approx. 290.000 EUR) corresponds to about 0.2% of Digi’s annual turnover of the previous fiscal year. As a general rule, violations of GDPR are punishable with up to 4% of the worldwide annual turnover.

See all fines and penalties data protection authorities within the EU have imposed under the GDPR in the Enforcement Tracker. 

Bear in mind: It doesn’t take an incident for your company to be in trouble with the law. The sole possibility of your data being stolen due to your company’s lax security measures, or someone identifying your company is storing information about users which should not be stored, is enough to consider a privacy breach and be forced to pay hefty fines. 

Besides, the pure existence of a security gap is already a sufficient reason to get you fined for not being GDPR-compliant.

⇨ First, check which data is stored by your company and for what purpose – and above all, on what legal basis. To be on the safe side, it might be effective to create several different databases that are clearly separated for each purpose. For more information on designing a GDPR-compliant customer journey click here.

It doesn’t take a “professional hacker” to identify a data leak. Some GDPR-violations can easily be detected by your users or competitors with very little technical knowledge. 

Once you get reported, don’t expect authorities to grant you mitigating circumstances. Even if you fully cooperate, they won’t let you off the hook or allow you to pay less. 

E.g., In the case of Digi, the company itself reported the data breach to the authorities within the 72-hour-deadline and fixed the leakage, as well as deleted the data that was obtained inadequately. Despite that, it still did not prevent them from getting fined the full amount.  

⇨ So better be safe than sorry! Get your system checked – if possible, by experts outside of your company. Since they were not involved in setting up your database and might have a more objective view of it all.

If you want to collect user data, store it and use it for marketing purposes, you need to obtain consent from your users first – in accordance with the law. 

⇨ An easy and particularly compliant way to do so is via a so called “Consent Management Platform (CMP)”.  

Want to learn more about the Usercentrics CMP? Get in touch with us – we are happy to help!