According to “c’t”, the data leak arose in connection with the Badencard, which is required to use the recycling center. Since the beginning of the year, an online solution has been offered to extend or pay for this service. In March, as reported by “c’t”, an IT specialist discovered the unprotected file “meldeamt.dbf”, which was reachable under its own path on a web server. “Surname, first name, address, gender, date of birth and information whether this is a primary or secondary residence, extended to 33,483 lines.” Other personal data was also found.
When asked by the APA, the Municipality of Baden acknowledged that personal data could be viewed with appropriate expertise. At the same time, it emphasized that action was taken promptly once the issue became known.
Leak fixed after a day
On 8 March, the data protection officer of the Baden city administration was confronted with the findings. The next day, the leak was temporarily sealed, and some time later the entire server was no longer accessible, according to the magazine.
“It is true that due to a configuration error in the server – but only when the exact web address is known – personal data can be viewed. Immediately after becoming aware of this, we disabled the online service and analyzed the access to the web server in the existing log files,” the municipality said in a written statement.
This led to an inspection. “The online service was enabled only after, following a configuration change, it could be assumed that external data access would no longer be possible. The elimination of the problem was confirmed by a third, independent body.”
Data Protection Authority proceedings underway
The incident was reported to the Data Protection Authority, with which the municipality is “currently in ongoing correspondence”. No further details were given as to the reason for the ongoing proceedings. In any case, there are no plans to implement more such online services. “If this happens in the future, additional security checks will be carried out to ensure the highest safety standards,” it said.
The Data Protection Authority confirmed that it was notified in accordance with Article 33 of the General Data Protection Regulation (GDPR) on March 11. Proceedings are ongoing. With regard to the possible consequences for the Municipality, it emphasized that the “imposition of administrative penalties against officials” is “prohibited” by Section 30 Paragraph 5 of the Data Protection Act (DSG).