Arbeids- og velferdsdirektoratet

Arbeids- og velferdsetaten faces a fine of EUR 1.7 million (USD $1.85 million) as a result of enforcement action launched by the Norwegian Supervisory Authority.

The Controller failed to put in place the proper organisational and technical safeguards to secure personal data, according to the DPA's findings.

A disproportionate amount of workers also had access to private information, sometimes even highly sensitive information. The controller also neglected to implement methodical controls on staff members' use of IT systems throughout that period. Because the data had been handled insecurely for a long time, the DPA considered this factor when determining the appropriate penalties.

Source: https://www.databreaches.net/norwegian-labor-and-welfare-administration-fined-for-data-protection-failures/

TPRM report: https://scoringcyber.rankiteo.com/company/arbeids--og-velferdsdirektoratet

"id": "arb184931223",
"linkid": "arbeids--og-velferdsdirektoratet",
"type": "Data Leak",
"date": "12/2023",
"severity": "100",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"

{'affected_entities': [{'industry': 'Public Sector',
                        'location': 'Norway',
                        'name': 'Arbeids- og velferdsetaten',
                        'type': 'Government Agency'}],
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Highly sensitive personal '
                                             'information'},
 'description': 'Arbeids- og velferdsetaten faces a fine of EUR 1.7 million '
                '(USD $1.85 million) as a result of enforcement action '
                'launched by the Norwegian Supervisory Authority. The '
                'Controller failed to put in place the proper organisational '
                'and technical safeguards to secure personal data, according '
                "to the DPA's findings. A disproportionate amount of workers "
                'also had access to private information, sometimes even highly '
                'sensitive information. The controller also neglected to '
                "implement methodical controls on staff members' use of IT "
                'systems throughout that period. Because the data had been '
                'handled insecurely for a long time, the DPA considered this '
                'factor when determining the appropriate penalties.',
 'impact': {'data_compromised': 'Highly sensitive personal information',
            'financial_loss': 'EUR 1.7 million (USD $1.85 million)'},
 'lessons_learned': 'Proper organisational and technical safeguards are '
                    'essential for securing personal data. Methodical controls '
                    "on staff members' use of IT systems are crucial.",
 'post_incident_analysis': {'root_causes': 'Lack of proper organisational and '
                                           'technical safeguards, improper '
                                           'access controls'},
 'references': [{'source': 'Norwegian Supervisory Authority'}],
 'regulatory_compliance': {'fines_imposed': 'EUR 1.7 million (USD $1.85 '
                                            'million)',
                           'regulations_violated': 'GDPR'},
 'title': 'Arbeids- og velferdsetaten Faces Fine for Data Security Failures',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Improper access controls and lack of technical '
                            'safeguards'}