SIA "ZZ Dats" suffered a municipal data breach in late 2024, in which unauthorized individuals accessed the Unified Municipal Information System between October 29 and November 2. The breach exposed personal data of municipal employees (names, surnames, positions, emails, phone numbers) and residents (names, surnames, personal ID numbers, registered addresses), along with metadata from municipal documents. The incident affected 42 Latvian municipalities, excluding Riga. The company downplayed the risks, claiming that no passwords or banking data were stolen, but experts warned that the leaked core personal data (IDs, addresses) enables full identification, posing significant privacy and fraud risks. The Data State Inspectorate (DVI) fined ZZ Dats €300,000 for GDPR violations (Article 32), citing its failure to secure data as a processor. The municipalities (data controllers) also received reprimands for inadequate oversight. ZZ Dats appealed the fine, but the breach highlighted systemic GDPR non-compliance in data protection protocols.
TPRM report: https://www.rankiteo.com/company/zz-dats
"id": "zz-1633016102425",
"linkid": "zz-dats",
"type": "Breach",
"date": "6/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '42 Latvian municipalities '
'(excluding Riga)',
'industry': 'IT services (municipal data management)',
'location': 'Latvia',
'name': "SIA 'ZZ Dats'",
'type': 'data processor'},
{'customers_affected': 'municipal employees and '
'residents (number unspecified)',
'industry': 'government/local administration',
'location': 'Latvia',
'name': '42 Latvian municipalities (excluding Riga)',
'type': 'data controllers (public sector)'}],
'attack_vector': 'Exploitation of a vulnerable search index in the Unified '
'Municipal Information System',
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['search index duplicates',
'document metadata'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (enables full identification of '
'individuals)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'employment records',
'metadata']},
'date_detected': '2024-11-02',
'description': 'Unauthorized access to the Unified Municipal Information '
"System managed by SIA 'ZZ Dats' resulted in the exposure of "
'personal data of municipal employees and residents across 42 '
'Latvian municipalities (excluding Riga). The breach occurred '
"between October 29 and November 2, 2024, when 'certain "
"individuals' accessed a search index containing duplicated "
'data, including names, personal ID numbers, addresses, and '
'metadata. The Latvian Data State Inspectorate (DVI) fined ZZ '
'Dats €300,000 for GDPR violations (Article 32), which the '
'company has appealed. Municipalities involved received '
'reprimands.',
'impact': {'brand_reputation_impact': 'Significant (publicized breach, GDPR '
'fine, legal appeal)',
'data_compromised': ['municipal employee data (names, surnames, '
'organizational unit, position, email, phone)',
'municipal resident data (names, surnames, '
'personal ID numbers, registered addresses)',
'metadata (file descriptions) of records '
'management documents'],
'identity_theft_risk': 'High (personal ID numbers, names, '
'addresses exposed)',
'legal_liabilities': ['€300,000 GDPR fine (appealed)',
'reprimands for 42 municipalities'],
'payment_information_risk': 'None (no banking/password data '
'compromised)',
'systems_affected': ['Unified Municipal Information System (search '
'index)']},
'investigation_status': 'DVI investigation completed; fine appealed in Riga '
'City Court',
'lessons_learned': ['GDPR compliance requires active breach management and '
'impact assessment.',
'Data processors and controllers share responsibility for '
'security standards.',
"Downplaying risks (e.g., claiming 'no direct "
"consequences') can undermine trust and compliance.",
'Municipalities must ensure Data Protection Officers '
'(DPOs) are meaningfully involved.'],
'post_incident_analysis': {'corrective_actions': ['System security '
'reconfiguration '
'(post-breach).',
'Legal appeal of GDPR fine.',
'Public reprimands for '
'municipalities to improve '
'compliance.'],
'root_causes': ['Inadequate security controls for '
'duplicated data in search '
'indices.',
'Failure to fulfill GDPR processor '
'obligations (Article 32).',
'Lack of proactive breach impact '
'assessment by controllers '
'(municipalities).']},
'recommendations': ['Implement stricter access controls for search indices '
'and duplicated data.',
'Conduct regular GDPR compliance audits for data '
'processors/controllers.',
'Enhance transparency in breach communications to avoid '
'understating risks.',
'Mandate DPO oversight for all municipal data processing '
'activities.'],
'references': [{'source': 'LETA news agency'},
{'source': 'Association of Certified Personal Data Protection '
'Specialists of Latvia'},
{'source': 'Firmas.lv (company registration data)'}],
'regulatory_compliance': {'fines_imposed': '€300,000 (appealed in Riga City '
'Court)',
'legal_actions': ['administrative penalty',
'municipal reprimands'],
'regulations_violated': ['GDPR Article 32 '
'(processor obligations)'],
'regulatory_notifications': ['Latvian Data State '
'Inspectorate (DVI) '
'investigation']},
'response': {'communication_strategy': 'Public statements via LETA; '
'downplayed risks (criticized by data '
'protection specialists)',
'containment_measures': ['reconfiguration of system security'],
'incident_response_plan_activated': True},
'threat_actor': 'certain individuals (unknown)',
'title': "Municipal Data Breach at SIA 'ZZ Dats' Leading to €300,000 GDPR "
'Fine',
'type': ['data breach', 'unauthorized access']}